On Wed, 02 Oct 2013 12:49:18 +0200
Aurélien Bompard <gauret@xxxxxxx> wrote:

> Hi *,
>
> I'm having a small problem with the way we proxy connections to our
> webapps. If I understand correctly, the proxy handles SSL connections
> and forwards them as plain-text connections (which is normal).

Yeah.

> The problem is, I can't find a header I could use to detect that the
> connection was made using HTTPS, and as a result I can't find a way to
> properly redirect plain-text connections to SSL on the login form (and
> when the user is auth'ed).
>
> This is a common problem and Django has a way to detect that the
> connection was securely forwarded if some header is set:
> https://docs.djangoproject.com/en/1.5/ref/settings/#secure-proxy-ssl-header
>
> A common way is to set HTTP_X_FORWARDED_PROTO to 'https'
> Which proxy are we using? With NginX the config line to add is:
>
> proxy_set_header X-Forwarded-Protocol $scheme;
>
> With Apache it would be:
> RequestHeader set X-Forwarded-Protocol "https"
> in the virtualhost listening on port 443, and:
> RequestHeader set X-Forwarded-Protocol "http"
> in the virtualhost listening on port 80.

We do set that in a few places now... but not across the board.

We use haproxy behind apache to do the setup, we could possibly do
something in haproxy too?

> What do you think of all that? How do we handle HTTPS detection at the
> moment?
> If it looks OK to you, should we wait for the freeze to be over before
> making this change?

I'd like to get some more input from others.... we aren't in freeze
right now, but let's wait a bit and see if anyone else has ideas. ;)

kevin
_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
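The HTTPS detection discussed in this thread, as an added example that is not part of the original messages or of Fedora's or Django's code: a WSGI-level check that honours the forwarded-protocol header only when the request comes from the proxy, then builds the redirect for the login form. The proxy range, canonical host, path prefix and function names are assumptions, and the peer-address check is an added precaution rather than something Django's setting does.

```python
from ipaddress import ip_address, ip_network

# Same shape as Django's SECURE_PROXY_SSL_HEADER: (WSGI environ key, value).
# "X-Forwarded-Protocol" arrives as HTTP_X_FORWARDED_PROTOCOL, so a setting that
# names HTTP_X_FORWARDED_PROTO would never match the proxy lines quoted above.
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTOCOL", "https")
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]  # assumed proxy address range
CANONICAL_HOST = "apps.example.org"           # assumed; avoids trusting Host
SECURE_ONLY_PREFIXES = ("/login",)            # assumed paths that need HTTPS


def header_to_environ_key(header_name):
    """Map an HTTP header name to the key a WSGI server puts in environ."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def is_secure(environ):
    """True if the client-facing connection was HTTPS."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    try:
        peer = ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False
    if not any(peer in net for net in TRUSTED_PROXIES):
        return False  # a client can send this header itself; ignore it
    key, value = SECURE_PROXY_SSL_HEADER
    return environ.get(key, "").strip().lower() == value


def https_redirect(environ):
    """Return the https:// URL to redirect to, or None if none is needed."""
    path = environ.get("PATH_INFO", "/")
    if is_secure(environ) or not path.startswith(SECURE_ONLY_PREFIXES):
        return None
    query = environ.get("QUERY_STRING", "")
    return "https://" + CANONICAL_HOST + path + ("?" + query if query else "")
```

The proxy also has to set the header on every request it forwards (overwriting any client-supplied copy), otherwise a value sent by the client reaches the application unchanged.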