Forum OpenACS Development: HTTPS not in security::locations when using nginx proxy for SSL

Collapse
1: HTTPS not in security::locations when using nginx proxy for SSL
Posted by Dave Bauer on 02/12/12 10:20 PM
So if you are using nginx for proxying ssl then the nsopenssl driver is not configured and security::locations does not report https://hostname as a safe URL to redirect to.

Has anyone else encountered this issue? Any ideas on how to tell security::locations https is a valid internal protocol when using a proxy for SSL?

Collapse
2: Re: HTTPS not in security::locations when using nginx proxy for SSL (response to 1)
Posted by Torben Brosten on 02/12/12 10:32 PM
Hi Dave,

Looks like you need to add a parameter to acs-tcl, something like: https_behind_proxy

and add the logic to security::locations to include the https option..

cheers,

Torben

Collapse
3: Re: HTTPS not in security::locations when using nginx proxy for SSL (response to 1)
Posted by Torben Brosten on 02/12/12 10:34 PM
ps. I'd be glad to add this myself, but I don't have a configuration available to test..
Collapse
4: Re: HTTPS not in security::locations when using nginx proxy for SSL (response to 3)
Posted by Dave Bauer on 02/13/12 12:11 AM
I think we should set it in the config file and check for that in addition to nsopenssl.
Collapse
5: Re: HTTPS not in security::locations when using nginx proxy for SSL (response to 1)
Posted by Torben Brosten on 02/13/12 01:07 AM
Hi Dave,

acs-tcl already has other parameters related to ssl and security::locations behavior.. that's why it seems to me to be an appropriate place --especially since someone using a proxy for ssl isn't configuring nsopenssl in the config.tcl file. How ever it's done, please document it clearly.

cheers,

Collapse
6: Re: HTTPS not in security::locations when using nginx proxy for SSL (response to 1)
Posted by Victor Guerra on 02/13/12 03:09 PM
Actually what we have done in our instance is to define a parameter in our config.tcl under the ns/parameters section named: ReverseProxyMode (boolean).

Then on util_current_location proc, in case the parameter is set to true, two HTTP header fields are checked : X-Forwarded-For and X-SSL-Request. Depending on this checking the returned protocol is https or something else ( http usually ).

I quickly generated a patch against HEAD, you can try it out:

https://gist.github.com/6ae69309b3ece8c15603