Forum OpenACS Improvement Proposals (TIPs): TIP #114: Proxy support

Request notifications

Collapse
Posted by Malte Sussdorff on
OpenACS does not behave well behind a proxy (http://openacs.org/forums/message-view?message_id=1156435). Therefore I propose to have a parameter "ns/parameters ReverseProxyMode" as Gustaf is using to note that the server is running behind a proxy.

If set to "1" ad_conn would return the X-Forward-For address for the "peeraddr".

Additionally it would use X-FORWARDED_PROTO header to figure out the protocol (http or https) and use this accordingly in the security::secure_conn_p procedure to define if we really have a secure connection.

Collapse
Posted by Malte Sussdorff on
Modifications to the TIP which I think are fine as well.

a) Use an acs-kernel parameter instead of the ns/parameters
b) Use X-SSL-Request header (which is set to 1 if it is SSL) instead of X-FORWARDED_PROTO (which is set to HTTP or HTTPS dependent on the request, but not in use by POUND).

Here is the code snippet from http://jamesthornton.com/writing/openacs-pound.html describing how this is to be done.

if {[string equal [ns_set get [ns_conn headers] "X-SSL-Request"] 1]} {
return 1
} else {
return [string match "https:*" [util_current_location]]
}

Collapse
Posted by Malte Sussdorff on
Forget the part about the SSL handling. It is already approved yet never made it into the codebase:

http://openacs.org/forums/message-view?message_id=268116

Collapse
Posted by Malte Sussdorff on
Okay, last post on this. I have the feeling that the approved TIP already handles my issues fine and we could use a ProxyIP parameter instead.

If set, we will use the X-Forwarded-For header for the peeraddr and will assume we have a secure connection if "ns_conn peeraddr" matches the proxyip and X-SSL-Request is set to one.

Collapse
Posted by Gustaf Neumann on
Maybe we should make a TIP to mark TIPs as implemented or not, ... The TIP lifecycle should not end with "approved", but with implemented (in the code base).