SSL when behind a proxy


Stefan Adams

Aug 10, 2016, 11:59:16 AM
to mojolicious
I start my app on non-SSL only as the SSL is happening at the proxy and the proxy passes to the non-SSL app.  Now the auto-route generation (e.g. url_for) gives me a URL of ws://... instead of the needed wss://... and so I get this error in the browser:

Mixed Content: The page at 'https://.../' was loaded over HTTPS, but attempted to connect to the insecure WebSocket endpoint 'ws://.../pals'. This request has been blocked; this endpoint must be available over WSS.

How can I have url_for (to_abs) create me a URL on SSL when the app itself isn't aware that SSL is available?

Dan Book

Aug 10, 2016, 12:22:19 PM
to mojol...@googlegroups.com
Unfortunately the presence of SSL is only really indicated by the X-Forwarded-Proto header which is set to https. This tells Mojo::Message::Request that the request was proxied from https (if the hypnotoad proxy setting or MOJO_REVERSE_PROXY is enabled), but doesn't say anything about the ws protocol. I think you'll have to do something manually.


Stefan Adams

Aug 10, 2016, 12:39:58 PM
to mojolicious

Oh got it, so this is unique to ws, and the proxy flag solves the problem for http, just not ws. Thanks! Theoretically, is that something that Mojo could address? If it can do it for http, can it theoretically do it for ws?

Dan Book

Aug 10, 2016, 1:09:55 PM
to mojol...@googlegroups.com
The X-Forwarded-Proto header is set by the server which is proxying to Mojo. That server knows it is receiving https and proxying it, but those requests aren't using the ws protocol yet so it doesn't know it should use wss. There would either need to be logic that looks for an X-Forwarded-Proto of https and converts any ws: to wss:, or just hardcode the wss: in your template/set the scheme manually (what I have done so far). For example url_for(...)->to_abs->scheme('wss').

Stefan Adams

Aug 10, 2016, 1:13:16 PM
to mojolicious

On Wed, Aug 10, 2016 at 12:09 PM, Dan Book <gri...@gmail.com> wrote:
> For example url_for(...)->to_abs->scheme('wss').

Perfectly what I was looking for!  Thanks!!

I do think it would be super if Mojo accounted for that in the framework...!  :D  Mojo team, would you accept a PR for this?

sri

Aug 11, 2016, 11:09:36 AM
to Mojolicious
The X-Forwarded-Proto header is set by the server which is proxying to Mojo. That server knows it is receiving https and proxying it, but those requests aren't using the ws protocol yet so it doesn't know it should use wss. There would either need to be logic that looks for an X-Forwarded-Proto of https and converts any ws: to wss:, or just hardcode the wss: in your template/set the scheme manually (what I have done so far). For example url_for(...)->to_abs->scheme('wss').

Stefan Adams

Aug 11, 2016, 12:22:28 PM
to mojolicious
Thank you, Dan and Sebastian!!  Thanks for the link to the code line, that helped me to understand that my nginx config file was missing this directive in the server {} container for my virtual host:

proxy_set_header X-Forwarded-Proto $scheme;

Boy that makes things easy!!!  :D

(Dan, clearly your message indicated that this was necessary, but my misunderstanding of your message was that nginx does this by way of normal behavior, not that the declaration was needed to be explicitly defined in my config.)
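
The behaviour this thread arrives at, as an added example that is not from any poster or from the Mojolicious code base: with reverse proxy mode enabled and `X-Forwarded-Proto: https` supplied by the proxy, `url_for` on a WebSocket route yields `wss://`, and without the header it yields `ws://`. The route name `pals` is taken from the endpoint in the error message, the requests are constructed, and the script assumes the proxy overwrites any client-supplied `X-Forwarded-Proto`, since reverse proxy mode trusts that header.

```perl
use Mojo::Base -strict;

# Assumption: the app only ever sits behind a trusted proxy that sets
# X-Forwarded-Proto itself (e.g. nginx "proxy_set_header X-Forwarded-Proto $scheme;").
# Reverse proxy mode must be enabled before the server starts.
BEGIN { $ENV{MOJO_REVERSE_PROXY} = 1 }

use Test::More;
use Test::Mojo;
use Mojolicious::Lite;

# WebSocket endpoint; plain echo handler, only here so the route exists
websocket '/pals' => sub {
  my $c = shift;
  $c->on(message => sub { my ($c, $msg) = @_; $c->send("echo: $msg") });
} => 'pals';

# Page that hands the absolute WebSocket URL to the browser
get '/' => sub {
  my $c = shift;
  $c->render(text => $c->url_for('pals')->to_abs);
};

my $t = Test::Mojo->new;

# Constructed request as the proxy forwards it after terminating TLS
$t->get_ok('/' => {'X-Forwarded-Proto' => 'https'})
  ->status_is(200)
  ->content_like(qr{^wss://}, 'wss when the proxy reports https');

# Same request without the header: the app only sees plain HTTP
$t->get_ok('/')
  ->status_is(200)
  ->content_like(qr{^ws://}, 'ws when no forwarded scheme is present');

done_testing;
```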


Charlie Brady

Aug 11, 2016, 9:39:18 PM
to mojolicious

On Thu, 11 Aug 2016, Stefan Adams wrote:

> Thank you, Dan and Sebastian!! Thanks for the link to the code line, that
> helped me to understand that my nginx config file was missing this
> directive in the server {} container for my virtual host:
>
> proxy_set_header X-Forwarded-Proto $scheme;

Note that RFC 7239 "Forwarded HTTP Extension" suggests "Forwarded:
proto=https" (or rather "Forwarded: .*proto=https.*").
