Please remove all adresses [email protected] mailto:[email protected] from the mailig list. Thank you.
Kind regards Matthias Trinks > David Ayers <[email protected] mailto:[email protected] > hat am 11. Januar 2019 um > 16:30 geschrieben: > > > Hello Richard, > > we are using the WebServer framework to implement an application which > we are sometimes running with TLS certificates when external access is > needed. But due to some unrelated issues we wanted to try to run them > behind a reverse-TLS proxy without TLS certificates within the > application. > > It seems that the WebServer instance has an API (-setSecureProxy:) > which would adjust the x-http-scheme header accordingly. But instead > of detecting it dynamically (via the x-forwarded-proto) in each request > it seems that the configuration must be set manually. > > Looking at the implementation it also seems that this configuration > should be done during initial WebServer configuration and is not > expected to be changed for each request (because it makes a copy of the > entire configuration... though I'm unsure why). > > But in our setup with the reverse proxy is in the DMZ, it can happen > that the most requests come as https via the proxy but a few services > may speak to the application directly via http. > > So I'm currently wondering... > > a) should I statically configure it with the default value and adjust > the internal code to cope with the fact that x-http-scheme could be > lying. > > b) am I interpreting too much into the config copy within > setSecureProxy: and should I simple set it with each request. > > c) should I explicitly check for x-forwarded-proto within the > application and simply not setSecureProxy: even though it would be true > for 98% of the requests. > > Thanks! > David > > -- > David Ayers - Team Austria > Free Software Foundation Europe (FSFE) [] (http://www.fsfe.org) > Become a supporter of the FSFE! [][][] (https://fsfe.org/join) > Your donation powers our work! || (http://fsfe.org/donate) > _______________________________________________ > Discuss-gnustep mailing list > [email protected] mailto:[email protected] > https://lists.gnu.org/mailman/listinfo/discuss-gnustep >
_______________________________________________ Discuss-gnustep mailing list [email protected] https://lists.gnu.org/mailman/listinfo/discuss-gnustep
