Right, when you use a reverse proxy setup, the proxy request is always
http (not https), even if the original request was https.
Then I set up the web server (nginx in my case) to redirect HTTP
requests that have a "https=on" parameter to HTTPS.
In nginx, you can do it like this:
server {
    listen 80;
    server_name www.mysite.com;
    if ($args ~ https=on) {
        rewrite ^(.*)$ https://$server_name$1 redirect;
    }
    ...
Similarly, I redirect from HTTPS to HTTP if there is a "https=off"
parameter in the request URI.
In pylons I verify that a request was originally received as HTTPS by
checking that the "https=on" param is present,
and if it's not then add it and redirect to HTTPS:
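from pylons.controllers.util import redirect_to

def verify_https(request):
    # Redirect to the same path with "https=on" added unless it is already set.
    if request.params.get('https') != 'on':
        params = ['%s=%s' % (k, v) for (k, v) in request.params.items()
                  if k != 'https']
        params.append('https=on')
        redirect_to(str(request.environ['PATH_INFO'] + '?' + '&'.join(params)))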
Then, you can write your controller action like this:
class MyController:
    def secure(self):
        h.verify_https(request)
        return 'secured! '
So, if someone tries to access this action using HTTP, there will be
TWO redirects:
first, verify_https() will add the "https=on" param and redirect (to
HTTP), and then the web server will
see that param and redirect again to HTTPS. I'm not sure if it can be
done with a single redirect.
Also you can save one redirect if you create the URL for the secure
action with the "https=on" param already
present (in the link/url you create with url_for)
On Dec 22, 2:10 pm, Graham Dumpleton <[email protected]>
wrote:
> The real problem here is probably because Pylons server is only
> accepting HTTP connections and so wsgi.url_scheme in WSGI environment
> is always 'http' and doesn't reflect that a connection is originally
> being accepted by Apache as HTTPS.
>
> For discussion of similar issue when nginx is used as proxy, accepting
> both HTTP and HTTPS, and with Apache/mod_wsgi behind but only
> accepting HTTP, see:
>
> http://groups.google.com/group/modwsgi/browse_frm/thread/94f952720c87...
>
> In short, you need to have proxy front end pass some indication that
> HTTPS was used for original requests and use a WSGI middleware/
> application wrapper check for that flag and reset wsgi.url_scheme to
> correct value based on how request was accepted by the proxy.
>
> Sure someone here can indicate best way of achieving this with Pylons.
>
> Graham
>
> On Dec 22, 9:36 pm, Andre Kolell <[email protected]> wrote:
>
> > I solved the problem regarding redirect_to and SSL by using mod_rewrite to
> > redirect each http-request to https:
>
> > NameVirtualHost *:80
>
> > <virtualhost *:80>
> > RewriteEngine On
> > RewriteCond %{HTTPS} !=on
> > RewriteRule ^/(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R]
> > </virtualhost>
>
> > I'm not sure if this is an adequate solution.
>
> > ----- Original Message -----
> > From: "Andre Kolell" <[email protected]>
> > To: [email protected]
> > Sent: Friday, 19 December 2008 16:51:57 GMT +01:00
> > Amsterdam/Berlin/Bern/Rome/Stockholm/Vienna
> > Subject: Problem with redirect_to and SSL
>
> > Hello,
>
> > I'm using Apache with SSL and use its Proxy functionality to forward
> > requests to the local running Paster (with Pylons 0.9.7rc2). SSL and Links
> > work fine (with Mako). Only when Pylons comes to use the
> > redirect_to-function it always ends up in http- instead of
> > https-Connections. Using protocol='https' as a redirect_to-Parameter only
> > solves my problem at first view, but as I'm developing local without SSL,
> > it's not really a solution.
>
> > It also seems as if request.environ['wsgi.url_scheme'] gives me "http"
> > instead of "https". Maybe redirect_to uses
> > request.environ['wsgi.url_scheme']?
>
> > Does anyone know why redirect_to doesn't use SSL-Connections and how I can
> > make redirect_to using them?
>
> > Best regards,
> > Andre
You received this message because you are subscribed to the Google Groups
"pylons-discuss" group.
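The approach Graham describes in the quoted message (the proxy passes a flag, and a WSGI wrapper resets wsgi.url_scheme), as an added example that is not code from this thread or from Pylons. The header name X-Forwarded-Proto, the trusted proxy addresses and the helper scheme_seen_by_app are assumptions made for illustration; the flag is honoured only when the request arrives from the proxy's own address, because any other client could set it.

```python
# Added example. Assumes the front-end proxy overwrites the header on every
# request, e.g. in nginx:  proxy_set_header X-Forwarded-Proto $scheme;
TRUSTED_PROXIES = frozenset(["127.0.0.1", "::1"])  # assumed: proxy on same host


class ProxySchemeMiddleware(object):
    """Reset wsgi.url_scheme from a proxy-supplied header.

    The header is used only when the TCP peer is a known proxy. From any
    other peer it is client-controlled, so it is dropped and ignored.
    """

    def __init__(self, app, trusted_proxies=TRUSTED_PROXIES,
                 header="HTTP_X_FORWARDED_PROTO"):
        self.app = app
        self.trusted = frozenset(trusted_proxies)
        self.header = header

    def __call__(self, environ, start_response):
        # Always remove the header so the wrapped app never sees a spoofed value.
        forwarded = environ.pop(self.header, "")
        if environ.get("REMOTE_ADDR") in self.trusted:
            scheme = forwarded.strip().lower()
            # Accept only the two valid schemes; anything else is ignored.
            if scheme in ("http", "https"):
                environ["wsgi.url_scheme"] = scheme
        return self.app(environ, start_response)


def scheme_seen_by_app(remote_addr, forwarded_proto=None):
    """Send one constructed request through the middleware (hypothetical helper)."""
    seen = {}

    def app(environ, start_response):
        seen["scheme"] = environ["wsgi.url_scheme"]
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]

    # Constructed environ: the backend itself only ever accepts plain HTTP.
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/secure",
               "REMOTE_ADDR": remote_addr, "wsgi.url_scheme": "http"}
    if forwarded_proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    ProxySchemeMiddleware(app)(environ, lambda status, headers: None)
    return seen["scheme"]
```

With the scheme corrected in the environ, code that builds absolute URLs from wsgi.url_scheme no longer needs a marker such as "https=on" in the query string.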