Using the "ssl_only" option sounds good to me; it is documented as 'Disallow non-encrypted connections' and could be used to make sure the origin is using an encrypted connection. On the other hand, Tony is right and this may cause surprise...
@Paul if we go with the new option to enforce that the origin is https for all branches, would it also deter the DNS rebinding issue? And if not, in case we fix it in another patch, would this option be compatible or will it be rewritten to support a whitelist mechanism? Just making sure we are looking at a long-term solution...