discuss-gnustep
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

WebServer setSecureProxy: x-http-scheme / x-forwarded-proto


From: David Ayers
Subject: WebServer setSecureProxy: x-http-scheme / x-forwarded-proto
Date: Fri, 11 Jan 2019 16:30:27 +0100

Hello Richard,

we are using the WebServer framework to implement an application which
we are sometimes running with TLS certificates when external access is
needed.  But due to some unrelated issues we wanted to try to run them
behind a reverse-TLS proxy without TLS certificates within the
application.

It seems that the WebServer instance has an API (-setSecureProxy:)
which would adjust the x-http-scheme header accordingly.  But instead
of detecting it dynamically (via the x-forwarded-proto) in each request
it seems that the configuration must be set manually.

Looking at the implementation it also seems that this configuration
should be done during initial WebServer configuration and is not
expected to be changed for each request (because it makes a copy of the
entire configuration... though I'm unsure why). 

But in our setup with the reverse proxy is in the DMZ, it can happen
that the most requests come as https via the proxy but a few services
may speak to the application directly via http.

So I'm currently wondering...

a) should I statically configure it with the default value and adjust
the internal code to cope with the fact that x-http-scheme could be
lying.

b) am I interpreting too much into the config copy within
setSecureProxy: and should I simple set it with each request.

c) should I explicitly check for x-forwarded-proto within the
application and simply not setSecureProxy: even though it would be true
for 98% of the requests.

Thanks!
David

-- 
David Ayers - Team Austria
Free Software Foundation Europe (FSFE) []          (http://www.fsfe.org)
Become a supporter of the FSFE!      [][][]      (https://fsfe.org/join)
Your donation powers our work!         ||       (http://fsfe.org/donate)

Attachment: signature.asc
Description: This is a digitally signed message part


reply via email to

[Prev in Thread] Current Thread [Next in Thread]