To reply, visit https://hellosplat.com/s/beanbag/tickets/4475/

New update by patrickjmccarty
For Beanbag, Inc. > Review Board > Ticket #4475


    Here's a pared-down sample nginx.conf showing my solution to several 
problems I encountered with reverse-proxying Review Board when NGINX is used to 
add https encryption. You are welcome to modify/distribute it. Ideally the 
Review Board code could be fixed so only the proxy_pass command and some 
headers are needed. If the need for the first proxy_redirect were eliminated, 
then the nested location block would not be needed either. Review Board (or the 
Apache config? I'm not sure since I use Bitnami's installer) ought to read the 
X-Forwarded-Proto header or similar to determine which scheme to use for its 
application URL redirects. I'm no expert on the right way to do this exactly, 
but some other apps I reverse-proxied (eg: Trac) did not require a 
    http {
      # logging and SSL settings not shown...
      # Redirect http requests to https.
      server {
        listen 80;
        server_name example.com;
        return 301 https://example.com$request_uri;
      server {
        listen 443 ssl;
        server_name example.com;
        # Some of these headers are probably only needed by other apps.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_pass_header Server;
        location /reviewboard {
          # This is needed to keep the original scheme that the user requested 
(https), by rewriting redirect URLs.
          # Otherwise, when Review Board sends a redirect such as to add a 
slash at the end of a URL, it will send us from https to http.
          # eg: https://example.com/reviewboard/dashboard does a 302 redirect 
to http://example.com/reviewboard/dashboard/
          proxy_redirect http:// $scheme://;
          # Rewrite the path of the csrftoken cookie from / to /reviewboard/ 
and add the Secure and HttpOnly settings.
          proxy_cookie_path ~^/$ "/reviewboard/;Secure;HttpOnly";
          # Rewrite the rbsessionid cookie with the same path, but add the 
Secure setting. HttpOnly setting is already set correctly.
          proxy_cookie_path ~^/reviewboard/$ "/reviewboard/;Secure";
          # This block is the solution I came up with for the issue experienced 
in ticket #4475.
          # Don't rewrite http to https for the redirect to the Custom Support 
URL ('Support > Get Support' link).
          location /reviewboard/support/ {
            proxy_pass; # Must duplicate same as above 
because proxy_pass command is not inherited.
            proxy_redirect off;  # Revert to the default of not rewriting 

You received this message because you are subscribed to the Google Groups 
"reviewboard-issues" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to reviewboard-issues+unsubscr...@googlegroups.com.
To post to this group, send email to reviewboard-issues@googlegroups.com.
Visit this group at https://groups.google.com/group/reviewboard-issues.
For more options, visit https://groups.google.com/d/optout.

Reply via email to