Forum OpenACS Improvement Proposals (TIPs): TIP #75 (Approved) Add support for HTTPS proxy
* (ad_restrict_to_https) in acs-tcl/tcl/admin-procs.tcl,
* (ad_secure_conn_p) in acs-tcl/tcl/security-procs.tcl and
* (util_current_location) in acs-tcl/tcl/utilities-procs.tcl
to accept proxied HTTPS requests forwarded by a proxy such as Pound,
Squid or Apache as regular HTTPS requests.
Most proxies forward incoming HTTPS requests as HTTP requests to the
backend. At least Pound does. Forwarded HTTPS requests are marked by
an additional HTTP header `X-SSL-Request: true'. Pound can be
configured to remove any X-SSL-Request headers part of the incoming
HTTP(s) request to the proxy itself (Pound) to avoid `Man in the
Proposed modification adds checks to aforementioned procedures to
treat HTTP requests (as received by the OpenACS instance) on par with
I have made these modifications a long time ago to ACS 4 and they have
been tested in production. In the past 2 days 2 community members
contacted me with requesting these patches. I think that is enough of
a basis to propose inclusion to OpenACS core.
For added security one could also add the IP address of the proxy as a
new parameter to OpenACS. One can then check the `X-Forwarded-For'
header in addition to the `X-SSL-Request' header. Only if the
X-Forwarded-For IP address matches the configured IP address will the
connection be treated as secure. However, this involves a more
substantial change and requires upgrade scripts to the data model.
How about a parameter for enabling or disabling the header checking? It should be off by default.
However, this involves a more substantial change and
requires upgrade scripts to the data model.
Are we talking about anything more than one new parameter (it could be a space-separated list)? Adding a new parameter is a simple change to the package info file, no upgrade scripts are needed.
I think this feature should off by default, like Andrew, is there any reason it shouldn't be? Anyone smart enough to set up Pound can figure out how to set an OpenACS parameter.
And even if not strictly necessary, won't the ability to add a fixed IP (or list of IPs) from which such requests will be honored lead to better peace of mind for admins?
Obviously I approve of adding this feature just want to make sure we get it right (even if that means you guys prove me wrong).
Specifically, in light of your concern, I propose to add a `ProxyIPs' parameter whose initial value is `null'. The `null' value disables checking for `X-SSL-Request' headers and thus avoids spoofing. Setting the `ProxyIPs' parameter -which should be a space separated list- enables acceptance of `X-SSL-Request' headers.
On a related note, AFAIK AOLserver will always log the `X-Forwarded-For' IP address, whether the `ProxyIPs' parameter has been set or not. There is little harm in this other than that it makes it harder to track mallicious visitors.