Hey Guys, I posted my setup before but for this thread I'll do it again.
For http I have: varnish(80) -> nginx(8080) -> unicorn And for https: nginx(443) -> varnish(80) -> nginx(8080) -> unicorn Nginx has these proxy settings for the 443 vhost: location / { … access_log off; proxy_redirect off; proxy_pass http://www.ccc.de; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-FORWARDED-PROTO https; } … So I explicitly set this header. This way varnish(80), nginx(8080), unicorn and ultimately rails will get this Header and know that this was a https request. This works for me perfectly and maybe that is helpful for you ? If not never mind ;) After all this header is a non standard extension introduced by squid. Theres a nice wikipedia page about it: http://en.wikipedia.org/wiki/X-Forwarded-For Kind regards, John On 10.01.2010, at 07:32, Eric Wong wrote: > Eric Wong <normalper...@yhbt.net> wrote: >> Iñaki Baz Castillo <i...@aliax.net> wrote: >>> In your case it seems valid for me (just an opinnion) as >>> "HTTP_X_FORWARDED_PROTO: http,https" could mean that the request has been >>> sent >>> using HTTPS and an intermediary proxy has forwarded it using HTTP. Of >>> course >>> the final destination (Unicorn application) must be ready to support such >>> syntax. >> >> Is it safe to say that if there's an "https" *anywhere* in the >> X-Forwarded-Proto chain, that "rack.url_scheme" should be set to >> "https"? Because I suppose most of the time there's only one >> (client-facing) proxy using https. > > Maybe this will work... > > diff --git a/ext/unicorn_http/global_variables.h > b/ext/unicorn_http/global_variables.h > index e593cf6..6705851 100644 > --- a/ext/unicorn_http/global_variables.h > +++ b/ext/unicorn_http/global_variables.h > @@ -74,7 +74,6 @@ void init_globals(void) > DEF_GLOBAL(server_name, "SERVER_NAME"); > DEF_GLOBAL(server_port, "SERVER_PORT"); > DEF_GLOBAL(server_protocol, "SERVER_PROTOCOL"); > - DEF_GLOBAL(http_x_forwarded_proto, "HTTP_X_FORWARDED_PROTO"); > DEF_GLOBAL(port_80, "80"); > DEF_GLOBAL(port_443, "443"); > DEF_GLOBAL(localhost, "localhost"); > diff --git a/ext/unicorn_http/unicorn_http.rl > b/ext/unicorn_http/unicorn_http.rl > index 6232e2c..f3945b2 100644 > --- a/ext/unicorn_http/unicorn_http.rl > +++ b/ext/unicorn_http/unicorn_http.rl > @@ -197,6 +197,14 @@ static void write_value(VALUE req, struct http_parser > *hp, > assert_frozen(f); > } > > + /* > + * any X-Forwarded-Proto: https means there's an https server in the > + * proxy chain, and that server is most likely the one that actually > + * sees the client, so help Rack apps generate URLs with "https" > + */ > + if (f == g_http_x_forwarded_proto && STR_CSTR_EQ(v, "https")) > + rb_hash_aset(req, g_rack_url_scheme, v); > + > e = rb_hash_aref(req, f); > if (NIL_P(e)) { > hp->cont = rb_hash_aset(req, f, v); > @@ -393,12 +401,7 @@ static void finalize_header(struct http_parser *hp, > VALUE req) > > /* set rack.url_scheme to "https" or "http", no others are allowed by Rack > */ > if (NIL_P(temp)) { > - temp = rb_hash_aref(req, g_http_x_forwarded_proto); > - if (!NIL_P(temp) && STR_CSTR_EQ(temp, "https")) > - server_port = g_port_443; > - else > - temp = g_http; > - rb_hash_aset(req, g_rack_url_scheme, temp); > + rb_hash_aset(req, g_rack_url_scheme, g_http); > } else if (STR_CSTR_EQ(temp, "https")) { > server_port = g_port_443; > } else { > @@ -712,5 +715,6 @@ void Init_unicorn_http(void) > SET_GLOBAL(g_http_transfer_encoding, "TRANSFER_ENCODING"); > SET_GLOBAL(g_content_length, "CONTENT_LENGTH"); > SET_GLOBAL(g_http_connection, "CONNECTION"); > + SET_GLOBAL(g_http_x_forwarded_proto, "X_FORWARDED_PROTO"); > } > #undef SET_GLOBAL > -- > Eric Wong > _______________________________________________ > Unicorn mailing list - mongrel-unicorn@rubyforge.org > http://rubyforge.org/mailman/listinfo/mongrel-unicorn > Do not quote signatures (like this one) or top post when replying > _______________________________________________ Unicorn mailing list - mongrel-unicorn@rubyforge.org http://rubyforge.org/mailman/listinfo/mongrel-unicorn Do not quote signatures (like this one) or top post when replying