Eric Wong <normalper...@yhbt.net> wrote:
> Iñaki Baz Castillo <i...@aliax.net> wrote:
> > In your case it seems valid to me (just an opinion) as
> > "HTTP_X_FORWARDED_PROTO: http,https" could mean that the request has been
> > sent using HTTPS and an intermediary proxy has forwarded it using HTTP. Of
> > course the final destination (Unicorn application) must be ready to support
> > such syntax.
>
> Is it safe to say that if there's an "https" *anywhere* in the
> X-Forwarded-Proto chain, that "rack.url_scheme" should be set to
> "https"? Because I suppose most of the time there's only one
> (client-facing) proxy using https.

Maybe this will work... diff --git a/ext/unicorn_http/global_variables.h b/ext/unicorn_http/global_variables.h index e593cf6..6705851 100644 --- a/ext/unicorn_http/global_variables.h +++ b/ext/unicorn_http/global_variables.h @@ -74,7 +74,6 @@ void init_globals(void) DEF_GLOBAL(server_name, "SERVER_NAME"); DEF_GLOBAL(server_port, "SERVER_PORT"); DEF_GLOBAL(server_protocol, "SERVER_PROTOCOL"); - DEF_GLOBAL(http_x_forwarded_proto, "HTTP_X_FORWARDED_PROTO"); DEF_GLOBAL(port_80, "80"); DEF_GLOBAL(port_443, "443"); DEF_GLOBAL(localhost, "localhost"); diff --git a/ext/unicorn_http/unicorn_http.rl b/ext/unicorn_http/unicorn_http.rl index 6232e2c..f3945b2 100644 --- a/ext/unicorn_http/unicorn_http.rl +++ b/ext/unicorn_http/unicorn_http.rl @@ -197,6 +197,14 @@ static void write_value(VALUE req, struct http_parser *hp, assert_frozen(f); } + /* + * any X-Forwarded-Proto: https means there's an https server in the + * proxy chain, and that server is most likely the one that actually + * sees the client, so help Rack apps generate URLs with "https" + */ + if (f == g_http_x_forwarded_proto && STR_CSTR_EQ(v, "https")) + rb_hash_aset(req, g_rack_url_scheme, v); + e = rb_hash_aref(req, f); if (NIL_P(e)) { hp->cont = rb_hash_aset(req, f, v); @@ -393,12 +401,7 @@ static void finalize_header(struct http_parser *hp, VALUE req) /* set rack.url_scheme to "https" or "http", no others are allowed by Rack */ if (NIL_P(temp)) { - temp = rb_hash_aref(req, g_http_x_forwarded_proto); - if (!NIL_P(temp) && STR_CSTR_EQ(temp, "https")) - server_port = g_port_443; - else - temp = g_http; - rb_hash_aset(req, g_rack_url_scheme, temp); + rb_hash_aset(req, g_rack_url_scheme, g_http); } else if (STR_CSTR_EQ(temp, "https")) { server_port = g_port_443; } else { 
@@ -712,5 +715,6 @@ void Init_unicorn_http(void) SET_GLOBAL(g_http_transfer_encoding, "TRANSFER_ENCODING"); SET_GLOBAL(g_content_length, "CONTENT_LENGTH"); SET_GLOBAL(g_http_connection, "CONNECTION"); + SET_GLOBAL(g_http_x_forwarded_proto, "X_FORWARDED_PROTO"); } #undef SET_GLOBAL -- Eric Wong
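
Review bot: In the write_value() hunk of unicorn_http.rl, `STR_CSTR_EQ(v, "https")` tests the header value as a whole, so the single-line list form raised earlier in this thread ("HTTP_X_FORWARDED_PROTO: http,https") does not match, and the comment's "any X-Forwarded-Proto: https" holds only when a proxy sends the bare value "https" on a header line of its own. Either split the value on commas and test each token, or narrow the comment to what is actually matched. Two more things to settle: the same `v` object is stored under g_rack_url_scheme and, a few lines below, under the header key that `hp->cont` points at, so storing a dedicated constant (the way finalize_header() stores g_http) avoids sharing one string between two keys; and because any matching line now wins, the documentation should say that the client-facing proxy has to overwrite or strip an X-Forwarded-Proto header supplied by the client, otherwise the client decides rack.url_scheme.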
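
Review bot: In the finalize_header() hunk, the removed branch consulted X-Forwarded-Proto only inside `if (NIL_P(temp))`, that is, only when nothing had been set yet, whereas the new write_value() code calls `rb_hash_aset(req, g_rack_url_scheme, v)` unconditionally, so the header now overrides a scheme set earlier in parsing. If that precedence change is intended, state it in the commit message; if not, guard the write_value() assignment with the same nil check. The removed `server_port = g_port_443;` is still reached only if `temp` in this function is read from g_rack_url_scheme, which the hunk does not show, so a test asserting SERVER_PORT for a request carrying X-Forwarded-Proto: https would pin that down.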
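
Review bot: In the Init_unicorn_http() hunk, the global is initialized from "X_FORWARDED_PROTO" while the DEF_GLOBAL line removed from global_variables.h used "HTTP_X_FORWARDED_PROTO"; the neighbouring `SET_GLOBAL(g_http_transfer_encoding, "TRANSFER_ENCODING")` suggests SET_GLOBAL expects the name without the HTTP_ prefix, and a short comment saying so would stop this reading as a typo. The new `f == g_http_x_forwarded_proto` test in write_value() is a pointer comparison, so it depends on SET_GLOBAL yielding the very object the parser uses as the key for this header; the diff does not show that, and a parser test with an X-Forwarded-Proto: https request would confirm it.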