| 2017-05-11 17:38:56 |
Romain LE DISEZ |
description |
When redirecting, if behind a load balancer doing SSL offload, staticweb does not maintain the https for the new location.
haproxy listening to 80 and 443 on SAIO:
frontend swift
bind 127.0.0.1:80
use_backend swift
frontend swift_ssl
bind 127.0.0.1:443 ssl crt /etc/haproxy/ssl/cert.pem
use_backend swift
backend swift
server swift-proxy 127.0.0.1:8080
web is a container with staticweb enabled.
Good:
$ curl -I http://localhost/v1/AUTH_test/web
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Location: http://localhost/v1/AUTH_test/web/
Bad (Location header is http instead of https):
$ curl -kI https://localhost/v1/AUTH_test/web
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Location: http://localhost/v1/AUTH_test/web/
Setting url_base does not fix the issue, it just invert it. With url_base = https:
Good:
$ curl -kI https://localhost/v1/AUTH_test/web
HTTP/1.1 301 Moved Permanently
Bad (should be http in Location header):
$ curl -I http://localhost/v1/AUTH_test/web
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Location: https://localhost/v1/AUTH_test/web/
Staticweb must use by default the protocol of the incoming request. Only if specified by operator, the protocol should be overwritten. To detect the protocol of the incoming request, the standard way is to use the Forwarded header. Support for the "de-facto" standard X-Forwarded-Proto would be nice too.
See:
https://tools.ietf.org/html/rfc7239#section-5.4
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded |
When redirecting, if behind a load balancer doing SSL offload, staticweb does not maintain the https for the new location.
haproxy listening to 80 and 443 on SAIO:
frontend swift
bind 127.0.0.1:80
use_backend swift
frontend swift_ssl
bind 127.0.0.1:443 ssl crt /etc/haproxy/ssl/cert.pem
use_backend swift
backend swift
server swift-proxy 127.0.0.1:8080
web is a container with staticweb enabled.
Good:
$ curl -I http://localhost/v1/AUTH_test/web
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Location: http://localhost/v1/AUTH_test/web/
Bad (Location header is http instead of https):
$ curl -kI https://localhost/v1/AUTH_test/web
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Location: http://localhost/v1/AUTH_test/web/
Setting url_base does not fix the issue, it just invert it.
With url_base = https:
Good:
$ curl -kI https://localhost/v1/AUTH_test/web
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Location: https://localhost/v1/AUTH_test/web/
Bad (should be http in Location header):
$ curl -I http://localhost/v1/AUTH_test/web
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Location: https://localhost/v1/AUTH_test/web/
Staticweb must use by default the protocol of the incoming request. Only if specified by operator, the protocol should be overwritten. To detect the protocol of the incoming request, the standard way is to use the Forwarded header. Support for the "de-facto" standard X-Forwarded-Proto would be nice too.
See:
https://tools.ietf.org/html/rfc7239#section-5.4
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded |
|
