From: John-Paul Bader <hukl@berlin.ccc.de>
To: unicorn list <mongrel-unicorn@rubyforge.org>
Subject: Re: X-Forwarded-Proto / X_FORWARDED_PROTO
Date: Sun, 10 Jan 2010 12:43:55 +0100 [thread overview]
Message-ID: <DEF84685-7CA8-4262-801C-3EFF6672FBC4@berlin.ccc.de> (raw)
In-Reply-To: <20100110063218.GA3102@dcvr.yhbt.net>
Hey Guys,
I posted my setup before but for this thread I'll do it again.
For http I have: varnish(80) -> nginx(8080) -> unicorn
And for https: nginx(443) -> varnish(80) -> nginx(8080) -> unicorn
Nginx has these proxy settings for the 443 vhost:
location / {
…
access_log off;
proxy_redirect off;
proxy_pass http://www.ccc.de;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-FORWARDED-PROTO https;
}
…
So I explicitly set this header. This way varnish(80), nginx(8080), unicorn and ultimately rails will get this Header and know that this was a https request. This works for me perfectly and maybe that is helpful for you ? If not never mind ;)
After all this header is a non standard extension introduced by squid. Theres a nice wikipedia page about it: http://en.wikipedia.org/wiki/X-Forwarded-For
Kind regards, John
On 10.01.2010, at 07:32, Eric Wong wrote:
> Eric Wong <normalperson@yhbt.net> wrote:
>> Iñaki Baz Castillo <ibc@aliax.net> wrote:
>>> In your case it seems valid for me (just an opinnion) as
>>> "HTTP_X_FORWARDED_PROTO: http,https" could mean that the request has been sent
>>> using HTTPS and an intermediary proxy has forwarded it using HTTP. Of course
>>> the final destination (Unicorn application) must be ready to support such
>>> syntax.
>>
>> Is it safe to say that if there's an "https" *anywhere* in the
>> X-Forwarded-Proto chain, that "rack.url_scheme" should be set to
>> "https"? Because I suppose most of the time there's only one
>> (client-facing) proxy using https.
>
> Maybe this will work...
>
> diff --git a/ext/unicorn_http/global_variables.h b/ext/unicorn_http/global_variables.h
> index e593cf6..6705851 100644
> --- a/ext/unicorn_http/global_variables.h
> +++ b/ext/unicorn_http/global_variables.h
> @@ -74,7 +74,6 @@ void init_globals(void)
> DEF_GLOBAL(server_name, "SERVER_NAME");
> DEF_GLOBAL(server_port, "SERVER_PORT");
> DEF_GLOBAL(server_protocol, "SERVER_PROTOCOL");
> - DEF_GLOBAL(http_x_forwarded_proto, "HTTP_X_FORWARDED_PROTO");
> DEF_GLOBAL(port_80, "80");
> DEF_GLOBAL(port_443, "443");
> DEF_GLOBAL(localhost, "localhost");
> diff --git a/ext/unicorn_http/unicorn_http.rl b/ext/unicorn_http/unicorn_http.rl
> index 6232e2c..f3945b2 100644
> --- a/ext/unicorn_http/unicorn_http.rl
> +++ b/ext/unicorn_http/unicorn_http.rl
> @@ -197,6 +197,14 @@ static void write_value(VALUE req, struct http_parser *hp,
> assert_frozen(f);
> }
>
> + /*
> + * any X-Forwarded-Proto: https means there's an https server in the
> + * proxy chain, and that server is most likely the one that actually
> + * sees the client, so help Rack apps generate URLs with "https"
> + */
> + if (f == g_http_x_forwarded_proto && STR_CSTR_EQ(v, "https"))
> + rb_hash_aset(req, g_rack_url_scheme, v);
> +
> e = rb_hash_aref(req, f);
> if (NIL_P(e)) {
> hp->cont = rb_hash_aset(req, f, v);
> @@ -393,12 +401,7 @@ static void finalize_header(struct http_parser *hp, VALUE req)
>
> /* set rack.url_scheme to "https" or "http", no others are allowed by Rack */
> if (NIL_P(temp)) {
> - temp = rb_hash_aref(req, g_http_x_forwarded_proto);
> - if (!NIL_P(temp) && STR_CSTR_EQ(temp, "https"))
> - server_port = g_port_443;
> - else
> - temp = g_http;
> - rb_hash_aset(req, g_rack_url_scheme, temp);
> + rb_hash_aset(req, g_rack_url_scheme, g_http);
> } else if (STR_CSTR_EQ(temp, "https")) {
> server_port = g_port_443;
> } else {
> @@ -712,5 +715,6 @@ void Init_unicorn_http(void)
> SET_GLOBAL(g_http_transfer_encoding, "TRANSFER_ENCODING");
> SET_GLOBAL(g_content_length, "CONTENT_LENGTH");
> SET_GLOBAL(g_http_connection, "CONNECTION");
> + SET_GLOBAL(g_http_x_forwarded_proto, "X_FORWARDED_PROTO");
> }
> #undef SET_GLOBAL
> --
> Eric Wong
> _______________________________________________
> Unicorn mailing list - mongrel-unicorn@rubyforge.org
> http://rubyforge.org/mailman/listinfo/mongrel-unicorn
> Do not quote signatures (like this one) or top post when replying
>
_______________________________________________
Unicorn mailing list - mongrel-unicorn@rubyforge.org
http://rubyforge.org/mailman/listinfo/mongrel-unicorn
Do not quote signatures (like this one) or top post when replying
next prev parent reply other threads:[~2010-01-10 11:44 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-01-09 22:16 X-Forwarded-Proto / X_FORWARDED_PROTO skaar
2010-01-09 22:33 ` Iñaki Baz Castillo
2010-01-09 22:39 ` Eric Wong
2010-01-09 23:29 ` skaar
2010-01-09 23:45 ` Iñaki Baz Castillo
2010-01-10 6:12 ` Eric Wong
2010-01-10 6:32 ` Eric Wong
2010-01-10 11:43 ` John-Paul Bader [this message]
2010-01-19 21:43 ` Eric Wong
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://yhbt.net/unicorn/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DEF84685-7CA8-4262-801C-3EFF6672FBC4@berlin.ccc.de \
--to=hukl@berlin.ccc.de \
--cc=mongrel-unicorn@rubyforge.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://yhbt.net/unicorn.git/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).