Idiomatic lift way to make sure users are connecting via https rather than http?


Jonathan Ferguson

Jun 13, 2012, 2:47:20 AM
to lif...@googlegroups.com
Dear Liftafarians,

I am assuming it is a custom LocParam applied to all menu items of the sitemap. Thought I'd ask as someone may have a better solution.

Please ignore the temptation to suggest doing it in another layer of the application stack as this isn't possible.

Cheers 
Jono

Damian Helme

Jun 13, 2012, 9:04:05 AM
to lif...@googlegroups.com
Would something like this work?

    LiftRules.earlyResponse.append((r: Req ) => if (r.request.scheme != "https") Full(NotFoundResponse("https only")) else Empty)

David Whittaker

Jun 13, 2012, 10:37:36 AM
to lif...@googlegroups.com
I agree with Damian. Just wanted to say that Liftafarians should absolutely be the official designation applied to all who inhabit Liftland :)

--
Lift, the simply functional web framework: http://liftweb.net
Code: http://github.com/lift
Discussion: http://groups.google.com/group/liftweb
Stuck? Help us help you: https://www.assembla.com/wiki/show/liftweb/Posting_example_code

Gilberto Garcia

Jun 13, 2012, 10:41:40 AM
to lif...@googlegroups.com
lol. +1 for Liftafarians

David Pollak

Jun 13, 2012, 1:56:08 PM
to lif...@googlegroups.com
On Wed, Jun 13, 2012 at 7:37 AM, David Whittaker <da...@iradix.com> wrote:
> I agree with Damian. Just wanted to say that Liftafarians should absolutely be the official designation applied to all who inhabit Liftland :)

+1

> On Wed, Jun 13, 2012 at 9:04 AM, Damian Helme <damia...@gmail.com> wrote:
>> Would something like this work?
>>
>>     LiftRules.earlyResponse.append((r: Req ) => if (r.request.scheme != "https") Full(NotFoundResponse("https only")) else Empty)
>>
>> On Wednesday, 13 June 2012 07:47:20 UTC+1, Jonathan Ferguson wrote:
>>> Dear Liftafarians,
>>>
>>> I am assuming it is a custom LocParam applied to all menu items of the sitemap. Thought I'd ask as someone may have a better solution.
>>>
>>> Please ignore the temptation to suggest doing it in another layer of the application stack as this isn't possible.
>>>
>>> Cheers
>>> Jono




--
Telegram, Simply Beautiful CMS https://telegr.am
Lift, the simply functional web framework http://liftweb.net


David Pollak

Jun 13, 2012, 1:58:30 PM
to lif...@googlegroups.com
So... the problem is that if you're running behind a proxy (e.g., Nginx), it's not possible to determine if the original request was HTTPS.  That would be something you'd have to configure in your front end proxy.
 

> Cheers
> Jono


Jonathan Ferguson

Jun 14, 2012, 2:50:05 AM
to lif...@googlegroups.com
On Thursday, June 14, 2012 3:58:30 AM UTC+10, David Pollak wrote:
> On Tue, Jun 12, 2012 at 11:47 PM, Jonathan Ferguson <jo...@spiralarm.com> wrote:
>> Dear Liftafarians,
>>
>> I am assuming it is a custom LocParam applied to all menu items of the sitemap. Thought I'd ask as someone may have a better solution.
>>
>> Please ignore the temptation to suggest doing it in another layer of the application stack as this isn't possible.
>
> So... the problem is that if you're running behind a proxy (e.g., Nginx), it's not possible to determine if the original request was HTTPS. That would be something you'd have to configure in your front end proxy.

We don't have access to the front end proxy.

Jeppe Nejsum Madsen

Jun 14, 2012, 4:32:16 AM
to lif...@googlegroups.com
On Thu, Jun 14, 2012 at 8:50 AM, Jonathan Ferguson <jo...@spiralarm.com> wrote:
>
>
> On Thursday, June 14, 2012 3:58:30 AM UTC+10, David Pollak wrote:
>>
>>
>>
>> On Tue, Jun 12, 2012 at 11:47 PM, Jonathan Ferguson <jo...@spiralarm.com>
>> wrote:
>>>
>>> Dear Liftafarians,
>>>
>>> I am assuming it is a custom LocParam applied to all menu items of the
>>> sitemap. Thought I'd ask as someone may have a better solution.
>>>
>>> Please ignore the temptation to suggest doing it in another layer of the
>>> application stack as this isn't possible.
>>
>>
>> So... the problem is that if you're running behind a proxy (e.g., Nginx),
>> it's not possible to determine if the original request was HTTPS.  That
>> would be something you'd have to configure in your front end proxy.
>
>
>
> We don't have access to the front end proxy.

Then, depending on the setup, you may be out of luck. Often, for
performance reasons, the ssl connection is terminated on the proxy and
internal traffic is http.

In this case it is normal for the proxy to set a header (e.g.
X-Forwarded-Protocol) to indicate the protocol of the original
request.

/Jeppe

Christoph Knabe

Jun 15, 2012, 10:56:00 AM
to lif...@googlegroups.com
On Thursday, 14 June 2012 08:50:05 UTC+2, Jonathan Ferguson wrote:
> We don't have access to the front end proxy.

I just tried to figure out https access to Tomcat 6 on Debian. So I came across the following page:

   http://tomcat.apache.org/tomcat-6.0-doc/config/http.html#Common_Attributes

It describes how to configure a Connector for https if Tomcat is managing this itself. Look at the XML attribute

"secure

Set this attribute to true if you wish to have calls to request.isSecure() to return true for requests received by this Connector. You would want this on an SSL Connector or a non SSL connector that is receiving data from a SSL accelerator, like a crypto card, a SSL appliance or even a webserver. The default value is false."

From this I conclude that the class HttpServletRequest in the Servlet API offers a method to test whether you are using a secure connection. If your proxy frontend is configured correctly, we can hope that it passes the information about a secure connection to the servlet container.

I described how to get access to the request object from Lift in an article about Container Managed Security.

Jonathan Ferguson

Jun 18, 2012, 7:37:09 AM
to lif...@googlegroups.com
Hello again,

The following is working on CloudBees:

    if (Props.productionMode) {
      LiftRules.earlyResponse.append((req: Req) ⇒ if (req.request.scheme != "https") {
        Full(PermRedirectResponse("https://%s%s".format(req.request.serverName, req.request.uri), req, req.cookies: _*))
      } else { Empty })
    }


Thank you for your advice and I swear I read the lift docs before asking the question :)

Cheers 
Jono

David Pollak

Jun 28, 2012, 12:34:15 PM
to lif...@googlegroups.com
On Thu, Jun 28, 2012 at 9:58 AM, RandomCoder <rando...@randomcoding.co.uk> wrote:
> I have tried the following on Cloud Foundry and get a permanent redirect error
>
> The logger line seems to show about 10-15 lines showing redirecting from http://... to https://... which seems to indicate that the redirect is not being followed.
>
>     if (Props.productionMode) {
>       LiftRules.earlyResponse.append((req: Req) => if (req.request.scheme != "https") {
>         logger.info("Redirecting from %s://%s%s to https://%s%s".format(req.request.scheme, req.request.serverName, req.request.uri, req.request.serverName, req.request.uri))
>         Full(PermRedirectResponse("https://%s%s".format(req.request.serverName, req.request.uri), req, req.cookies: _*))
>       }
>       else {
>         Empty
>       })
>     }
>
> Any Ideas?

It's most likely that the request is behind a proxy so that by the time Jetty/Tomcat/Glassfish sees it, it looks like an http request.

> Cheers
> RC


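Added example, not code from any poster in this thread or from the Lift project: a proxy-aware variant of the redirect rule, covering both the forwarded-protocol header Jeppe mentions and the redirect loop reported on Cloud Foundry, where the container always sees `http`. The object name `HttpsOnly` and the property key `https.forwarded.header` are hypothetical. It assumes the platform's TLS-terminating proxy sets the header and overwrites any client-supplied copy; if the container is reachable without going through the proxy, a client can forge the header and skip the redirect.

```scala
import net.liftweb.common.{Box, Empty, Full}
import net.liftweb.http.{LiftResponse, LiftRules, PermRedirectResponse, Req}
import net.liftweb.util.Props

object HttpsOnly {
  // Assumption: header name used by the fronting proxy. The thread mentions
  // "X-Forwarded-Protocol"; "X-Forwarded-Proto" is another common spelling,
  // so the name is read from a (hypothetical) props key.
  val forwardedHeader: String =
    Props.get("https.forwarded.header", "X-Forwarded-Protocol")

  // Pure decision: the proxy's header wins when present; otherwise fall back
  // to the scheme the servlet container saw on its own socket.
  // A chained value such as "https, http" is reduced to its first entry.
  def isSecure(containerScheme: String, forwarded: Box[String]): Boolean =
    forwarded
      .map(_.split(",").head.trim.toLowerCase)
      .openOr(containerScheme.toLowerCase) == "https"

  def redirectIfInsecure(req: Req): Box[LiftResponse] =
    if (isSecure(req.request.scheme, req.header(forwardedHeader))) Empty
    else {
      // serverName is derived from the client's Host header; pin it to a
      // configured host name if the application serves a single domain.
      val query  = req.request.queryString.map("?" + _).openOr("")
      val target = "https://" + req.request.serverName + req.request.uri + query
      Full(PermRedirectResponse(target, req))
    }

  // Call once from Boot.boot.
  def install(): Unit =
    if (Props.productionMode)
      LiftRules.earlyResponse.append(redirectIfInsecure _)
}
```

If the proxy sends no such header at all, this rule behaves like the scheme-only check above and will still loop behind a TLS-terminating proxy.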