<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=iso-8859-1"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal style='margin-bottom:12.0pt'>Doesn&#8217;t it have to be done by whatever terminates the initial http or https session (in our case, Apache)?  Otherwise, Apache would have to somehow convey the information it knows to HAProxy in some fashion.  May as well just do it in Apache as suggested.<br><br><o:p></o:p></p><p><span style='font-family:"Calibri","sans-serif"'>--</span> <br><span style='font-family:"Calibri","sans-serif"'>Matt Domsch</span> <br><span style='font-family:"Calibri","sans-serif"'>Distinguished Engineer, Director</span> <br><span style='font-family:"Calibri","sans-serif"'>Dell | Software Group</span> <o:p></o:p></p><p><span style='font-family:"Calibri","sans-serif"'>-----Original Message-----</span> <br><span style='font-family:"Calibri","sans-serif"'>From: infrastructure-bounces@lists.fedoraproject.org [<a href="mailto:infrastructure-bounces@lists.fedoraproject.org">mailto:infrastructure-bounces@lists.fedoraproject.org</a>] On Behalf Of Kevin Fenzi</span><o:p></o:p></p><p><span style='font-family:"Calibri","sans-serif"'>Sent: Wednesday, October 02, 2013 10:26 PM</span> <br><span style='font-family:"Calibri","sans-serif"'>To: infrastructure@lists.fedoraproject.org</span> <br><span style='font-family:"Calibri","sans-serif"'>Subject: Re: Proxy header for SSL</span> <o:p></o:p></p><p><span style='font-family:"Calibri","sans-serif"'>On Wed, 02 Oct 2013 12:49:18 +0200</span> <br><span style='font-family:"Calibri","sans-serif"'>Aurélien Bompard &lt;gauret@free.fr&gt; wrote:</span> <o:p></o:p></p><p><span style='font-family:"Calibri","sans-serif"'>&gt; Hi *,</span> <br><span style='font-family:"Calibri","sans-serif"'>&gt; </span><br><span style='font-family:"Calibri","sans-serif"'>&gt; I'm having a small problem with the way we proxy connections to our </span><br><span style='font-family:"Calibri","sans-serif"'>&gt; webapps. 
If I understand correctly, the proxy handles SSL connections </span><br><span style='font-family:"Calibri","sans-serif"'>&gt; and forwards them as plain-text connections (which is normal).</span> <o:p></o:p></p><p><span style='font-family:"Calibri","sans-serif"'>Yeah. </span><o:p></o:p></p><p><span style='font-family:"Calibri","sans-serif"'>&gt; The problem is, I can't find a header I could use to detect that the </span><br><span style='font-family:"Calibri","sans-serif"'>&gt; connection was made using HTTPS, and as a result I can't find a way to </span><br><span style='font-family:"Calibri","sans-serif"'>&gt; properly redirect plain-text connections to SSL on the login form (and </span><br><span style='font-family:"Calibri","sans-serif"'>&gt; when the user is auth'ed).</span> <br><span style='font-family:"Calibri","sans-serif"'>&gt; </span><br><span style='font-family:"Calibri","sans-serif"'>&gt; This is a common problem and Django has a way to detect that the </span><br><span style='font-family:"Calibri","sans-serif"'>&gt; connection was securely forwarded if some header is set:</span> <br><span style='font-family:"Calibri","sans-serif"'>&gt; <a href="https://docs.djangoproject.com/en/1.5/ref/settings/#secure-proxy-ssl-header">https://docs.djangoproject.com/en/1.5/ref/settings/#secure-proxy-ssl-header</a></span> <br><span style='font-family:"Calibri","sans-serif"'>&gt; </span><br><span style='font-family:"Calibri","sans-serif"'>&gt; A common way is to set HTTP_X_FORWARDED_PROTO to 'https'</span> <br><span style='font-family:"Calibri","sans-serif"'>&gt; Which proxy are we using?
With NginX the config line to add is:</span> <br><span style='font-family:"Calibri","sans-serif"'>&gt; </span><br><span style='font-family:"Calibri","sans-serif"'>&gt;&nbsp;&nbsp; proxy_set_header X-Forwarded-Protocol $scheme;</span> <br><span style='font-family:"Calibri","sans-serif"'>&gt; </span><br><span style='font-family:"Calibri","sans-serif"'>&gt; With Apache it would be:</span> <br><span style='font-family:"Calibri","sans-serif"'>&gt;&nbsp;&nbsp; RequestHeader set X-Forwarded-Protocol &quot;https&quot;</span> <br><span style='font-family:"Calibri","sans-serif"'>&gt; in the virtualhost listening on port 443, and:</span> <br><span style='font-family:"Calibri","sans-serif"'>&gt;&nbsp;&nbsp; RequestHeader set X-Forwarded-Protocol &quot;http&quot;</span> <br><span style='font-family:"Calibri","sans-serif"'>&gt; in the virtualhost listening on port 80.</span> <o:p></o:p></p><p><span style='font-family:"Calibri","sans-serif"'>We do set that in a few places now... but not across the board. </span><o:p></o:p></p><p><span style='font-family:"Calibri","sans-serif"'>We use haproxy behind apache to do the setup, we could possibly do something in haproxy too?</span> <o:p></o:p></p><p><span style='font-family:"Calibri","sans-serif"'>&gt; What do you think of all that? How do we handle HTTPS detection at the </span><br><span style='font-family:"Calibri","sans-serif"'>&gt; moment?</span> <br><span style='font-family:"Calibri","sans-serif"'>&gt; If it looks OK to you, should we wait for the freeze to be over before </span><br><span style='font-family:"Calibri","sans-serif"'>&gt; making this change?</span> <o:p></o:p></p><p><span style='font-family:"Calibri","sans-serif"'>I'd like to get some more input from others.... we aren't in freeze right now, but let's wait a bit and see if anyone else has ideas. ;) </span><o:p></o:p></p><p><span style='font-family:"Calibri","sans-serif"'>kevin</span> <o:p></o:p></p></div></body></html>