Hello Richard,

we are using the WebServer framework to implement an application which we are sometimes running with TLS certificates when external access is needed. But due to some unrelated issues we wanted to try to run them behind a reverse-TLS proxy without TLS certificates within the application.

It seems that the WebServer instance has an API (-setSecureProxy:) which would adjust the x-http-scheme header accordingly. But instead of detecting it dynamically (via the x-forwarded-proto) in each request, it seems that the configuration must be set manually. Looking at the implementation, it also seems that this configuration should be done during initial WebServer configuration and is not expected to be changed for each request (because it makes a copy of the entire configuration... though I'm unsure why).

But in our setup, with the reverse proxy in the DMZ, it can happen that most requests come as https via the proxy but a few services may speak to the application directly via http.

So I'm currently wondering...

a) should I statically configure it with the default value and adjust the internal code to cope with the fact that x-http-scheme could be lying?

b) am I interpreting too much into the config copy within setSecureProxy: and should I simply set it with each request?

c) should I explicitly check for x-forwarded-proto within the application and simply not setSecureProxy: even though it would be true for 98% of the requests?

Thanks!
David

--
David Ayers - Team Austria
Free Software Foundation Europe (FSFE) (http://www.fsfe.org)
Become a supporter of the FSFE! (https://fsfe.org/join)
Your donation powers our work! (http://fsfe.org/donate)
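Option (c) in the message above could be implemented along these lines. This is an added example, not part of the original message and not WebServer code: it uses only Foundation, and the function name, its parameters and the sample addresses are assumptions made for illustration. It believes x-forwarded-proto only when the connection comes from the reverse proxy's address.

```objc
#import <Foundation/Foundation.h>

/* Added example, not WebServer code.  peer is the address of the TCP peer
 * (how it is obtained is left to the caller), headers maps lowercased
 * header names to values, proxies is the set of reverse proxy addresses. */
static NSString *
EffectiveScheme(NSString *peer, NSDictionary *headers, NSSet *proxies)
{
  NSString	*proto;

  /* Anyone who can reach the application directly can send any
   * X-Forwarded-Proto value, so only the proxy's header is believed.
   * Direct connections are plain http in the setup described. */
  if (nil == peer || NO == [proxies containsObject: peer])
    {
      return @"http";
    }
  proto = [[headers objectForKey: @"x-forwarded-proto"] lowercaseString];
  proto = [proto stringByTrimmingCharactersInSet:
    [NSCharacterSet whitespaceCharacterSet]];
  /* Accept exactly one known value; a missing, multi-valued or unknown
   * header falls back to the scheme of the hop we can actually see. */
  if ([proto isEqualToString: @"https"])
    {
      return @"https";
    }
  return @"http";
}

int
main(void)
{
  NSAutoreleasePool	*pool = [NSAutoreleasePool new];	/* no ARC */
  /* Constructed sample values (documentation address ranges). */
  NSSet		*proxies = [NSSet setWithObject: @"192.0.2.10"];
  NSDictionary	*viaTLS = [NSDictionary dictionaryWithObject: @"https"
    forKey: @"x-forwarded-proto"];

  NSLog(@"via proxy:      %@", EffectiveScheme(@"192.0.2.10", viaTLS, proxies));
  NSLog(@"direct, forged: %@", EffectiveScheme(@"198.51.100.7", viaTLS, proxies));
  NSLog(@"direct, plain:  %@", EffectiveScheme(@"198.51.100.7", nil, proxies));
  [pool release];
  return 0;
}
```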
