Hello! On Mon, Mar 02, 2015 at 03:32:03PM +0100, Michael Kliewe wrote:
> Hi Maxim, > > On Mar 2, 2015, at 3:14 PM, Maxim Dounin wrote: > > > Hello! > > > > On Mon, Mar 02, 2015 at 01:12:44PM +0100, Michael Kliewe > > wrote: > > > >> with your changes there is a problem: > >> nginx now just sends the header if the connection is > >> encrypted. If the connection is not encrypted, then there is > >> no header sent to the auth script. > >> In the auth script I cannot distinguish between "user did not > >> use encryption" and "nginx doesn't have the feature" (because > >> of mixed nginx versions). > >> With the original version of the patch this was possible. > > > > Try updating all your nginx instances before using the header > > for something limiting, it is expected to resolve your > > problem. > > > > Either way, the only safe thing to do if "nginx doesn't have > > the feature" is to assume there is no SSL if SSL matters. And > > that's what current behaviour encourages. > > You are kind of right, but currently I'm distinguishing between > "encrypted", "not-encrypted" and "unknown", because we have > different versions of nginx in different setups. I cannot update > all nginx versions in parallel in all setups. That's why your > tip does not help me ;-/ > I need to distinguish between "not-encrypted" and "unknown", > because I want to warn all users still using not-encrypted > connections. With your patch I cannot distinguish between them, > and would send false warnings... So switch off warnings till the update is complete. That's an easy way to go. Alternatively, you may use the "auth_http_header" directive (http://nginx.org/r/auth_http_header) to distinguish between various installations. > Would it be complicated to send "Auth-SSL: off" in case there > was no encryption? It's just one "else" more, and solves all > problems. You are trying to solve your particular deployment problem by introducing the flag which will be here for all users forever. This doesn't looks like a good solution to me. -- Maxim Dounin http://nginx.org/ _______________________________________________ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
