[prev in list] [next in list] [prev in thread] [next in thread] 

List:       nginx
Subject:    Re: Incorrect redirect protocol when behind a reverse proxy
From:       Glenn Maynard <glenn () zewt ! org>
Date:       2013-07-30 21:26:02
Message-ID: CABirCh8afaGTnLd4W4-+H0_-my5deOT4-DEX9pv98C-Ei6i=Zw () mail ! gmail ! com
[Download RAW message or body]

[Attachment #2 (multipart/alternative)]


On Thu, Jul 25, 2013 at 1:41 PM, Jonathan Matthews
<contact@jpluscplusm.com>wrote:

> I've just got to a box and can ACK that. I can make that stop with a
> correctly configured try_files, which I would always choose to have
> set up, myself. That may not be a solution for you however.
>
> Here's a way I've just tested (on 1.4.2) that forces the
> trailing-slash redirects to incorporate a random HTTP header ("foo",
> here) as their scheme:
>
> # include your boilerplate as per previous email
> location / {
>   location ~ "^(.*)[^/]$" {
>     rewrite ^ $http_foo://$http_host$uri/ permanent;
>   }
> }
>
> Or, supposing you have certain URIs which *can* end in
> not-a-trailing-slash: (also tested on 1.4.2)
>
> location / {
>   if (-d $document_root$uri) {
>     rewrite ^ $http_foo://$http_host$uri/ permanent;
>   }
> }
>
>

> I suppose the question is then: what *other* classes of automatic
> redirects do you find yourself hitting, and can you deterministically
> isolate their URIs using either a location{} or if{}, so that you can
> pre-empt the auto redirect in order to incorporate the
> X-forwarded-proto header?
>

Thanks, I'll give these approaches a try.  I don't know where else this
might happen, though.  Hopefully at some point I'll be able to say
something like "override_protocol $http_x_forwarded_proto;" to tell nginx
which protocol it's really receiving a request on, since SSL "offloading"
is fairly common these days (http://aws.amazon.com/elasticloadbalancing/,
etc).

-- 
Glenn Maynard

[Attachment #5 (text/html)]

<div dir="ltr">On Thu, Jul 25, 2013 at 1:41 PM, Jonathan Matthews <span \
dir="ltr">&lt;<a href="mailto:contact@jpluscplusm.com" \
target="_blank">contact@jpluscplusm.com</a>&gt;</span> wrote:<br><div \
class="gmail_extra"><div class="gmail_quote">

<blockquote class="gmail_quote" style="margin:0px 0px 0px \
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div><div>I&#39;ve \
just got to a box and can ACK that. I can make that stop with a<br> </div></div>
correctly configured try_files, which I would always choose to have<br>
set up, myself. That may not be a solution for you however.<br>
<br>
Here&#39;s a way I&#39;ve just tested (on 1.4.2) that forces the<br>
trailing-slash redirects to incorporate a random HTTP header (&quot;foo&quot;,<br>
here) as their scheme:<br>
<br>
# include your boilerplate as per previous email<br>
location / {<br>
   location ~ &quot;^(.*)[^/]$&quot; {<br>
      rewrite ^ $http_foo://$http_host$uri/ permanent;<br>
   }<br>
}<br>
<br>
Or, supposing you have certain URIs which *can* end in<br>
not-a-trailing-slash: (also tested on 1.4.2)<br>
<br>
location / {<br>
   if (-d $document_root$uri) {<br>
      rewrite ^ $http_foo://$http_host$uri/ permanent;<br>
   }<br>
}<br>
<br></blockquote><div>  </div><blockquote class="gmail_quote" style="margin:0px 0px \
0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
 I suppose the question is then: what *other* classes of automatic<br>
redirects do you find yourself hitting, and can you deterministically<br>
isolate their URIs using either a location{} or if{}, so that you can<br>
pre-empt the auto redirect in order to incorporate the<br>
X-forwarded-proto header?<br></blockquote><div><br></div><div style>Thanks, I&#39;ll \
give these approaches a try.   I don&#39;t know where else this might happen, though. \
Hopefully at some point I&#39;ll be able to say something like \
&quot;override_protocol $http_x_forwarded_proto;&quot; to tell nginx which protocol \
it&#39;s really receiving a request on, since SSL &quot;offloading&quot; is fairly \
common these days (<a \
href="http://aws.amazon.com/elasticloadbalancing/">http://aws.amazon.com/elasticloadbalancing/</a>, \
etc).</div> <div style><br></div></div>-- <br>Glenn Maynard<br><br>
</div></div>



_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic