Kotti issue with https on Webfaction

16 views
Skip to first unread message

Propadovic Nenad

unread,
Jun 5, 2016, 6:48:05 AM6/5/16
to Kotti
Hello guys,
I was quite proud to get Kotti running on Webfaction (webfaction.com) the other day, as this was not trivial.
However, right after that I got an issue I was not able to resolve until now: at login I  get a "405 Not Allowed" from nginx.
I was fairly sure this is related to using https , as, trying the same kotti installation with http, I did not get the issue. (But I want to stick with https ).
The webfaction support, after some testing, issued the assumption that it's not about the http, abut about the url ending with "/@@login" instead of "/@@login/", as there's a known issue with nginx, which was supposed to get resolved by adding the "/" to the url...
So I hacked the source in login.py and added the "/" to the url. And I see "/@@login/" in my browser now, at the end of the URL.
This, however, did not solve the initial issue. I assume the reason is that the url after login does not contain "https://" at the beginning (it does not have "http://" either).
So I tried prepending "https://" to the URL (in the same line of code where I added "/" at the end), but then I got a funny "https://http//" at the beginning instead (obviously, still not able to log in).
So I humbly ask for help.
Is there a way to tell Kotti to prepend "https://" instead of "http://"?
Is this even the right solution?
As you might guess, I'm experienced at Python, but quite a beginner at Kotti/Pyramid or even web development.
Thanx in advance,
regards,
Nenad

Propadovic Nenad

unread,
Jun 5, 2016, 7:00:16 AM6/5/16
to Kotti
To add an assumption: I think this is somehow related to Kotti not even knowing that it is served with https. I think so, as I see that the url behind the menue antry (Yet another Kotti site) is: "http://mypyramid.propad.webfactional.com/", and when I click on it, i get nowhere ("Coming soon: Another fine website hosted by WebFaction")...

Thanx again!

Propadovic Nenad

unread,
Jun 5, 2016, 12:44:52 PM6/5/16
to Kotti
After I informed Webfaction that Kotti does not seem to see that it is served via https, they found the solution. I'm allowed to forward it to you:

"After looking a bit around the code I've tracked this down to the _partial_application_url function at line 78 of the /webapps/
pyramidapp/lib/python2.7/site-packages/pyramid/url.py

The url_scheme value is not loading correctly there and defaults to http instead of https.

Here's what the project's documentation says about it:

    default wsgi.url_scheme value (string), default http; can be overridden per-request by the value of the X_FORWARDED_PROTO header, but only if the client address matches trusted_proxy.

Our nginx correctly sets the X_FORWARDED_PROTO header to https, but it looks like your backend server ignores it, so I've set the trusted_proxy value to nginx's address as per the above line in your development.ini file and it looks like it is working now.
"
And it does work.

From their answer I read both that they think Kotti should recognize it is served behind https, but it does not, and that this is Kotti (or Pyramid) want it to be: no https without stating the trusted proxy.

I'm frankly too new to web development to have an opinion; and I don't care any more - it works for me now. But I forwarded their comment so that somebody can take action, if someone is interested.

Please feel free to ask questions about the issue, if someone is interested.

Regards,

Nenad

Andreas Kaiser

unread,
Jun 6, 2016, 5:23:09 AM6/6/16
to Kotti
On 5 Jun 2016, at 18:44, Propadovic Nenad wrote:

> Our nginx correctly sets the X_FORWARDED_PROTO header to https, but it
> looks like your backend server ignores it, so I've set the
> trusted_proxy
> value to nginx's address as per the above line in your development.ini
> file
> and it looks like it is working now.
>
> From their answer I read both that they think Kotti should recognize
> it is
> served behind https, but it does not, and that this is Kotti (or
> Pyramid)
> want it to be: no https without stating the trusted proxy.

I've never needed to do this. This is an excerpt of a nginx
configuration for a Kotti site served with waitress behind nginx over
HTTPS (which should be quite similar to what you do / Webfaction does):

proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

> Am Sonntag, 5. Juni 2016 13:00:16 UTC+2 schrieb Propadovic Nenad:
>>
>> To add an assumption: I think this is somehow related to Kotti not
>> even
>> knowing that it is served with https.

Right. It doesn't need to. See below.

>> I think so, as I see that the url
>> behind the menue antry (Yet another Kotti site) is: "
>> http://mypyramid.propad.webfactional.com/", and when I click on it, i
>> get
>> nowhere ("Coming soon: Another fine website hosted by WebFaction
>> <http://www.webfaction.com/>")...
You should never do anything like that. Kotti uses Pyramid's
request.resource_url(context, ....) method to generate URLs. If the
generated URLs are not what you expect them to be, it's safe to assume
that there is a problem with your web server configuration.

>>> Is there a way to tell Kotti to prepend "https://" instead of
>>> "http://"?

Please note that all of this is plain Pyramid. Kotti itself does
absolutely nothing w.r.t. URL generation, it only uses Pyramid for that.


HTH,

Andreas

Propadovic Nenad

unread,
Jun 6, 2016, 4:03:59 PM6/6/16
to Kotti
Hello Andreas,

thank you for answering.

I'm in the meanwhile playing around with my Kotti based blog, and I expect to have a lot of fun with it.

Thanx for this great software!

Regards,

Nenad



Am Sonntag, 5. Juni 2016 12:48:05 UTC+2 schrieb Propadovic Nenad:
Reply all
Reply to author
Forward
0 new messages