Proxy header for SSL

Kevin Fenzi kevin at scrye.com
Thu Oct 3 03:25:37 UTC 2013


On Wed, 02 Oct 2013 12:49:18 +0200
Aurélien Bompard <gauret at free.fr> wrote:

> Hi *,
> 
> I'm having a small problem with the way we proxy connections to our
> webapps. If I understand correctly, the proxy handles SSL connections
> and forwards them as plain-text connections (which is normal).

Yeah. 

> The problem is, I can't find a header I could use to detect that the
> connection was made using HTTPS, and as a result I can't find a way to
> properly redirect plain-text connections to SSL on the login form (and
> when the user is auth'ed).
> 
> This is a common problem and Django has a way to detect that the
> connection was securely forwarded if some header is set :
> https://docs.djangoproject.com/en/1.5/ref/settings/#secure-proxy-ssl-header
> 
> A common way is to set HTTP_X_FORWARDED_PROTO to 'https'
> Which proxy are we using? With NginX the config line to add is:
> 
>   proxy_set_header X-Forwarded-Protocol $scheme;
> 
> With Apache it would be:
>   RequestHeader set X-Forwarded-Protocol "https"
> in the virtualhost listening on port 443, and:
>   RequestHeader set X-Forwarded-Protocol "http"
> in the virtualhost listening on port 80.

We do set that in a few places now... but not across the board. 

We use haproxy behind apache to do the setup, we could possibly do
something in haproxy too?

> What do you think of all that? How do we handle HTTPS detection at the
> moment?
> If it looks OK to you, should we wait for the freeze to be over before
> making this change?

I'd like to get some more input from others.... we aren't in freeze
right now, but let's wait a bit and see if anyone else has ideas. ;) 

kevin
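
Added example (not part of the original message, and not Fedora infrastructure code): a minimal WSGI sketch of the HTTPS detection discussed above. It trusts the forwarded header only when the request comes from the proxy's own address, and shows that the environ key must match the header the proxy actually sets (`X-Forwarded-Protocol` becomes `HTTP_X_FORWARDED_PROTOCOL`, which is a different key from `HTTP_X_FORWARDED_PROTO`). The proxy address, host name and all function names are assumptions.

```python
# Added example; TRUSTED_PROXIES, CANONICAL_HOST and all function names are assumptions.
TRUSTED_PROXIES = {"127.0.0.1"}        # constructed: address the proxy connects from
CANONICAL_HOST = "apps.example.org"    # constructed: public host name of the app
# WSGI environ key for the "X-Forwarded-Protocol" request header quoted above.
FORWARDED_KEY = "HTTP_X_FORWARDED_PROTOCOL"


def is_secure(environ):
    """True if the client's connection to the proxy used HTTPS."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    # Believe the header only when the request arrived from our own proxy;
    # any other client can send whatever header value it likes.
    if environ.get("REMOTE_ADDR") not in TRUSTED_PROXIES:
        return False
    return environ.get(FORWARDED_KEY, "").strip().lower() == "https"


def force_https(app):
    """WSGI middleware: pass secure requests through, redirect the rest."""
    def wrapper(environ, start_response):
        if is_secure(environ):
            environ["wsgi.url_scheme"] = "https"
            return app(environ, start_response)
        location = "https://" + CANONICAL_HOST + environ.get("PATH_INFO", "/")
        if environ.get("QUERY_STRING"):
            location += "?" + environ["QUERY_STRING"]
        start_response("301 Moved Permanently",
                       [("Location", location), ("Content-Length", "0")])
        return [b""]
    return wrapper


def demo_app(environ, start_response):
    """Stand-in for the web app: reports the scheme it was told about."""
    body = ("scheme=" + environ["wsgi.url_scheme"]).encode()
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body]


def call(app, environ):
    """Run one constructed request; return (status, headers, body)."""
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, headers
    env = dict({"wsgi.url_scheme": "http", "PATH_INFO": "/"}, **environ)
    body = b"".join(app(env, start_response))
    return seen["status"], dict(seen["headers"]), body
```

With Django, the setting linked above does the same job: `SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOCOL', 'https')`, provided the proxy sets or strips that header on every request it forwards.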