RE: Proxy header for SSL

Doesn’t it have to be done by whatever terminates the initial http or https session (in our case, Apache)?  Otherwise, Apache would have to somehow convey the information it knows to HAProxy in some fashion.  May as well just do it in Apache as suggested.

--
Matt Domsch
Distinguished Engineer, Director
Dell | Software Group

-----Original Message-----
From: infrastructure-bounces@xxxxxxxxxxxxxxxxxxxxxxx [mailto:infrastructure-bounces@xxxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Kevin Fenzi

Sent: Wednesday, October 02, 2013 10:26 PM
To: infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
Subject: Re: Proxy header for SSL

On Wed, 02 Oct 2013 12:49:18 +0200
Aurélien Bompard <gauret@xxxxxxx> wrote:

> Hi *,
>
> I'm having a small problem with the way we proxy connections to our
> webapps. If I understand correctly, the proxy handles SSL connections
> and forwards them as plain-text connections (which is normal).

Yeah.

> The problem is, I can't find a header I could use to detect that the
> connection was made using HTTPS, and as a result I can't find a way to
> properly redirect plain-text connections to SSL on the login form (and
> when the user is auth'ed).
>
> This is a common problem and Django has a way to detect that the
> connection was securely forwarded if some header is set:
> https://docs.djangoproject.com/en/1.5/ref/settings/#secure-proxy-ssl-header
>
> A common way is to set HTTP_X_FORWARDED_PROTO to 'https'
> Which proxy are we using? With NginX the config line to add is:
>
>   proxy_set_header X-Forwarded-Protocol $scheme;
>
> With Apache it would be:
>   RequestHeader set X-Forwarded-Protocol "https"
> in the virtualhost listening on port 443, and:
>   RequestHeader set X-Forwarded-Protocol "http"
> in the virtualhost listening on port 80.

We do set that in a few places now... but not across the board.

We use haproxy behind apache to do the setup, we could possibly do something in haproxy too?

> What do you think of all that? How do we handle HTTPS detection at the
> moment?
> If it looks OK to you, should we wait for the freeze to be over before
> making this change?

I'd like to get some more input from others.... we aren't in freeze right now, but let's wait a bit and see if anyone else has ideas. ;)

kevin

_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
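
The header handling discussed in this thread, as an added example that is not code from any of the participants or from the Fedora infrastructure: a stdlib-only model of the TLS-terminating proxy overwriting X-Forwarded-Protocol on both listeners, and of a backend check shaped like Django's SECURE_PROXY_SSL_HEADER tuple. The function names, the host apps.example.org and the sample requests are assumptions made for the illustration.

```python
# Added example (not from the thread). Header name and values come from the
# thread's Apache lines; function names and sample data are hypothetical.

PROXY_HEADER = "X-Forwarded-Protocol"
# Same (WSGI key, secure value) shape as Django's SECURE_PROXY_SSL_HEADER.
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTOCOL", "https")


def wsgi_key(header_name):
    """Name under which a WSGI server exposes an HTTP request header."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def tls_terminator(client_headers, listener_port):
    """Model of 'RequestHeader set' in the :443 and :80 virtual hosts.

    'set' replaces whatever the client sent, so the backend only sees the
    scheme that the terminating proxy itself observed.
    """
    headers = {k: v for k, v in client_headers.items()
               if k.lower() != PROXY_HEADER.lower()}
    headers[PROXY_HEADER] = "https" if listener_port == 443 else "http"
    return headers


def backend_is_secure(forwarded_headers):
    """Backend check: only the configured key/value pair means HTTPS."""
    environ = {wsgi_key(k): v for k, v in forwarded_headers.items()}
    key, secure_value = SECURE_PROXY_SSL_HEADER
    return environ.get(key) == secure_value


def login_response(forwarded_headers, host, path="/login"):
    """Redirect plain-text requests for the login form to HTTPS."""
    if backend_is_secure(forwarded_headers):
        return 200, None
    return 301, "https://%s%s" % (host, path)


if __name__ == "__main__":
    host = "apps.example.org"  # constructed sample host
    # Constructed request: client on port 80 that sends the header itself.
    spoofed = {"Host": host, "x-forwarded-protocol": "https"}
    print(login_response(tls_terminator(spoofed, 80), host))
    print(login_response(tls_terminator({"Host": host}, 443), host))
```

The backend key has to match the header the proxy actually sets: X-Forwarded-Protocol maps to HTTP_X_FORWARDED_PROTOCOL, while X-Forwarded-Proto maps to HTTP_X_FORWARDED_PROTO. A backend reachable without passing through a proxy that overwrites the header would accept a client-supplied value.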
