Proxy header for SSL
Kevin Fenzi
kevin at scrye.com
Thu Oct 3 03:25:37 UTC 2013
On Wed, 02 Oct 2013 12:49:18 +0200
Aurélien Bompard <gauret at free.fr> wrote:
> Hi *,
>
> I'm having a small problem with the way we proxy connections to our
> webapps. If I understand correctly, the proxy handles SSL connections
> and forwards them as plain-text connections (which is normal).
Yeah.
> The problem is, I can't find a header I could use to detect that the
> connection was made using HTTPS, and as a result I can't find a way to
> properly redirect plain-text connections to SSL on the login form (and
> when the user is auth'ed).
>
> This is a common problem and Django has a way to detect that the
> connection was securely forwarded if some header is set:
> https://docs.djangoproject.com/en/1.5/ref/settings/#secure-proxy-ssl-header
>
> A common way is to set HTTP_X_FORWARDED_PROTO to 'https'
> Which proxy are we using? With NginX the config line to add is:
>
> proxy_set_header X-Forwarded-Protocol $scheme;
>
> With Apache it would be:
> RequestHeader set X-Forwarded-Protocol "https"
> in the virtualhost listening on port 443, and:
> RequestHeader set X-Forwarded-Protocol "http"
> in the virtualhost listening on port 80.
We do set that in a few places now... but not across the board.
We use haproxy behind apache to do the setup, we could possibly do
something in haproxy too?
> What do you think of all that? How do we handle HTTPS detection at the
> moment?
> If it looks OK to you, should we wait for the freeze to be over before
> making this change?
I'd like to get some more input from others.... we aren't in freeze
right now, but let's wait a bit and see if anyone else has ideas. ;)
kevin
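
Added example, not part of the original thread or of the project's configuration: a plain WSGI middleware that accepts the forwarded-scheme header discussed above only when the request comes from a known proxy address, and redirects protected paths to HTTPS otherwise. The proxy network, canonical host name and path list are assumptions chosen for illustration.

```python
import ipaddress

# Assumption: networks of the proxies allowed to assert the scheme (constructed).
TRUSTED_PROXIES = (ipaddress.ip_network("10.0.0.0/8"),)


class ForwardedProtoMiddleware:
    """Honour the forwarded-scheme header only from known proxies and
    redirect plain-HTTP requests for protected paths to HTTPS."""

    def __init__(self, app, trusted=TRUSTED_PROXIES,
                 header="HTTP_X_FORWARDED_PROTO",
                 secure_paths=("/login",), canonical_host="example.org"):
        self.app = app
        self.trusted = trusted
        self.header = header            # WSGI key; must match what the proxy sets
        self.secure_paths = secure_paths
        self.canonical_host = canonical_host  # hypothetical; avoids echoing Host

    def _from_proxy(self, environ):
        try:
            peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
        except ValueError:
            return False
        return any(peer in net for net in self.trusted)

    def __call__(self, environ, start_response):
        # Always remove the header so the application never sees a value
        # that was supplied by an untrusted peer.
        value = environ.pop(self.header, "").strip().lower()
        if self._from_proxy(environ) and value in ("http", "https"):
            environ["wsgi.url_scheme"] = value
        path = environ.get("PATH_INFO", "/")
        if (environ.get("wsgi.url_scheme") != "https"
                and path.startswith(self.secure_paths)):
            location = "https://" + self.canonical_host + path
            start_response("301 Moved Permanently", [("Location", location)])
            return [b""]
        return self.app(environ, start_response)
```

The same property has to hold at the proxy itself: it should set the header on every request rather than pass through whatever the client sent.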