[prev in list] [next in list] [prev in thread] [next in thread]
List: nginx
Subject: Re: Incorrect redirect protocol when behind a reverse proxy
From: Glenn Maynard <glenn () zewt ! org>
Date: 2013-07-30 21:26:02
Message-ID: CABirCh8afaGTnLd4W4-+H0_-my5deOT4-DEX9pv98C-Ei6i=Zw () mail ! gmail ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
On Thu, Jul 25, 2013 at 1:41 PM, Jonathan Matthews
<contact@jpluscplusm.com>wrote:
> I've just got to a box and can ACK that. I can make that stop with a
> correctly configured try_files, which I would always choose to have
> set up, myself. That may not be a solution for you however.
>
> Here's a way I've just tested (on 1.4.2) that forces the
> trailing-slash redirects to incorporate a random HTTP header ("foo",
> here) as their scheme:
>
> # include your boilerplate as per previous email
> location / {
> location ~ "^(.*)[^/]$" {
> rewrite ^ $http_foo://$http_host$uri/ permanent;
> }
> }
>
> Or, supposing you have certain URIs which *can* end in
> not-a-trailing-slash: (also tested on 1.4.2)
>
> location / {
> if (-d $document_root$uri) {
> rewrite ^ $http_foo://$http_host$uri/ permanent;
> }
> }
>
>
> I suppose the question is then: what *other* classes of automatic
> redirects do you find yourself hitting, and can you deterministically
> isolate their URIs using either a location{} or if{}, so that you can
> pre-empt the auto redirect in order to incorporate the
> X-forwarded-proto header?
>
Thanks, I'll give these approaches a try. I don't know where else this
might happen, though. Hopefully at some point I'll be able to say
something like "override_protocol $http_x_forwarded_proto;" to tell nginx
which protocol it's really receiving a request on, since SSL "offloading"
is fairly common these days (http://aws.amazon.com/elasticloadbalancing/,
etc).
--
Glenn Maynard
[Attachment #5 (text/html)]
<div dir="ltr">On Thu, Jul 25, 2013 at 1:41 PM, Jonathan Matthews <span \
dir="ltr"><<a href="mailto:contact@jpluscplusm.com" \
target="_blank">contact@jpluscplusm.com</a>></span> wrote:<br><div \
class="gmail_extra"><div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px 0px \
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div><div>I've \
just got to a box and can ACK that. I can make that stop with a<br> </div></div>
correctly configured try_files, which I would always choose to have<br>
set up, myself. That may not be a solution for you however.<br>
<br>
Here's a way I've just tested (on 1.4.2) that forces the<br>
trailing-slash redirects to incorporate a random HTTP header ("foo",<br>
here) as their scheme:<br>
<br>
# include your boilerplate as per previous email<br>
location / {<br>
location ~ "^(.*)[^/]$" {<br>
rewrite ^ $http_foo://$http_host$uri/ permanent;<br>
}<br>
}<br>
<br>
Or, supposing you have certain URIs which *can* end in<br>
not-a-trailing-slash: (also tested on 1.4.2)<br>
<br>
location / {<br>
if (-d $document_root$uri) {<br>
rewrite ^ $http_foo://$http_host$uri/ permanent;<br>
}<br>
}<br>
<br></blockquote><div> </div><blockquote class="gmail_quote" style="margin:0px 0px \
0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
I suppose the question is then: what *other* classes of automatic<br>
redirects do you find yourself hitting, and can you deterministically<br>
isolate their URIs using either a location{} or if{}, so that you can<br>
pre-empt the auto redirect in order to incorporate the<br>
X-forwarded-proto header?<br></blockquote><div><br></div><div style>Thanks, I'll \
give these approaches a try. I don't know where else this might happen, though. \
Hopefully at some point I'll be able to say something like \
"override_protocol $http_x_forwarded_proto;" to tell nginx which protocol \
it's really receiving a request on, since SSL "offloading" is fairly \
common these days (<a \
href="http://aws.amazon.com/elasticloadbalancing/">http://aws.amazon.com/elasticloadbalancing/</a>, \
etc).</div> <div style><br></div></div>-- <br>Glenn Maynard<br><br>
</div></div>
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic