On 24/09/11 19:34, Carl Meyer wrote:
> On 09/24/2011 09:02 AM, Luke Plant wrote:
>> It is a tricky problem, because I don't know of any perfect solution. My
>> concern is not only that it is possible to configure incorrectly, it
>> appears to be virtually impossible to configure correctly, as it appears
>> to be very hard to get web servers to filter incoming headers, and so
>> filter a X-Forwarded-Protocol=SSL header that is set by a MITM.
> 
> Is this actually the case? I know you mention in the ticket that
> Webfaction's front-end proxy doesn't filter the header they use
> correctly, but do you have any other evidence that it is "very hard to
> get web servers to filter incoming headers"? I haven't dug into it
> deeply, but I've tested with ep.io and I know they do filter their
> proxy-SSL header correctly, and I've also tested my own nginx
> reverse-proxy setup, and it enforces the header correctly in all cases,
> and the configuration to make it do so was trivial (use proxy_set_header
> X-Forwarded-Protocol in both the HTTP and HTTPS cases).

OK, maybe I was generalising from Apache. I do remember searching for a
way to get Apache to do it, and there didn't seem to be any obvious
solution. I've got a feeling I looked into at least one other popular
web server. I may also have been basing my information on how hard it
seems to have been to get WebFaction to fix this - 2 years and waiting,
and they usually are very responsive if there is an easy fix. However, it may
just have been overlooked.

I'm happy to be proved wrong, of course. Apache is very popular, though,
so if it's hard in Apache, it could be said to be hard full stop.

Regards,

Luke

-- 
I never hated a man enough to give him his diamonds back. (Zsa Zsa
Gabor)

Luke Plant || http://lukeplant.me.uk/
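The nginx arrangement Carl describes, written out as an added example (not configuration from the thread or from Django itself): the upstream address, hostname and certificate paths are placeholders, and the backend is assumed to be a Django app configured to trust X-Forwarded-Protocol. The point is that both listeners must overwrite the header, because nginx otherwise passes a client-supplied copy through unchanged.

```nginx
# Constructed example: plain-HTTP and HTTPS listeners in front of one Django backend.
upstream django_app {
    server 127.0.0.1:8000;   # placeholder backend address
}

# Weak variant (do not use): no proxy_set_header for X-Forwarded-Protocol, so a
# request on port 80 carrying "X-Forwarded-Protocol: SSL" reaches Django with
# that header intact and is treated as secure although it never was.
#
# server {
#     listen 80;
#     location / {
#         proxy_pass http://django_app;
#     }
# }

# Corrected: the HTTP listener always sets the header to "http", replacing
# anything the client (or a man-in-the-middle) sent.
server {
    listen 80;
    server_name example.com;   # placeholder hostname

    location / {
        proxy_pass http://django_app;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Protocol http;
    }
}

# The HTTPS listener sets the same header to "https"; only requests that really
# terminated TLS here arrive at Django with this value.
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/ssl/example.com.crt;   # placeholder paths
    ssl_certificate_key /etc/ssl/example.com.key;

    location / {
        proxy_pass http://django_app;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Protocol https;
    }
}
```

Using `proxy_set_header X-Forwarded-Protocol $scheme;` in both blocks is equivalent and harder to forget when adding a third listener; the check is the same either way: send the header on port 80 and confirm the backend does not see the spoofed value.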
