------------------------------------------------------------------------------
To reply, visit https://hellosplat.com/s/beanbag/tickets/4475/
------------------------------------------------------------------------------
New update by patrickjmccarty
For Beanbag, Inc. > Review Board > Ticket #4475
Reply:
Here's a pared-down sample nginx.conf showing my solution to several
problems I encountered with reverse-proxying Review Board when NGINX is used to
add https encryption. You are welcome to modify/distribute it. Ideally the
Review Board code could be fixed so only the proxy_pass command and some
headers are needed. If the need for the first proxy_redirect were eliminated,
then the nested location block would not be needed either. Review Board (or the
Apache config? I'm not sure since I use Bitnami's installer) ought to read the
X-Forwarded-Proto header or similar to determine which scheme to use for its
application URL redirects. I'm no expert on the right way to do this exactly,
but some other apps I reverse-proxied (eg: Trac) did not require a
proxy_redirect.
http {
# logging and SSL settings not shown...
# Redirect http requests to https.
server {
listen 80;
server_name example.com;
return 301 https://example.com$request_uri;
}
server {
listen 443 ssl;
server_name example.com;
# Some of these headers are probably only needed by other apps.
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Ssl on;
proxy_pass_header Server;
location /reviewboard {
proxy_pass http://127.0.0.1:11000;
# This is needed to keep the original scheme that the user requested
(https), by rewriting redirect URLs.
# Otherwise, when Review Board sends a redirect such as to add a
slash at the end of a URL, it will send us from https to http.
# eg: https://example.com/reviewboard/dashboard does a 302 redirect
to http://example.com/reviewboard/dashboard/
proxy_redirect http:// $scheme://;
# Rewrite the path of the csrftoken cookie from / to /reviewboard/
and add the Secure and HttpOnly settings.
proxy_cookie_path ~^/$ "/reviewboard/;Secure;HttpOnly";
# Rewrite the rbsessionid cookie with the same path, but add the
Secure setting. HttpOnly setting is already set correctly.
proxy_cookie_path ~^/reviewboard/$ "/reviewboard/;Secure";
# This block is the solution I came up with for the issue experienced
in ticket #4475.
# Don't rewrite http to https for the redirect to the Custom Support
URL ('Support > Get Support' link).
location /reviewboard/support/ {
proxy_pass http://127.0.0.1:11000; # Must duplicate same as above
because proxy_pass command is not inherited.
proxy_redirect off; # Revert to the default of not rewriting
redirects.
}
}
}
}
--
You received this message because you are subscribed to the Google Groups
"reviewboard-issues" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
Visit this group at https://groups.google.com/group/reviewboard-issues.
For more options, visit https://groups.google.com/d/optout.
