Problem with redirect_to and SSL


Andre Kolell

Dec 19, 2008, 10:51:57 AM
to pylons-...@googlegroups.com
Hello,

I'm using Apache with SSL and use its Proxy functionality to forward requests to the locally running Paster (with Pylons 0.9.7rc2). SSL and Links work fine (with Mako). Only when Pylons comes to use the redirect_to-function it always ends up in http- instead of https-Connections. Using protocol='https' as a redirect_to-Parameter only solves my problem at first glance, but as I'm developing locally without SSL, it's not really a solution.

It also seems as if request.environ['wsgi.url_scheme'] gives me "http" instead of "https". Maybe redirect_to uses request.environ['wsgi.url_scheme']?

Does anyone know why redirect_to doesn't use SSL-Connections and how I can make redirect_to use them?

Best regards,
Andre

Andre Kolell

Dec 22, 2008, 5:36:35 AM
to pylons-...@googlegroups.com
I solved the problem regarding redirect_to and SSL by using mod_rewrite to redirect each http-request to https:

    NameVirtualHost *:80

    <virtualhost *:80>
        RewriteEngine On
        RewriteCond %{HTTPS} !=on
        RewriteRule ^/(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R]
    </virtualhost>

I'm not sure if this is an adequate solution.


----- Original Message -----
From: "Andre Kolell" <andre....@bluesummit.de>
To: pylons-...@googlegroups.com
Sent: Friday, December 19, 2008 16:51:57 GMT +01:00 Amsterdam/Berlin/Bern/Rome/Stockholm/Vienna
Subject: Problem with redirect_to and SSL

Graham Dumpleton

Dec 22, 2008, 5:10:35 PM
to pylons-discuss
The real problem here is probably because Pylons server is only
accepting HTTP connections and so wsgi.url_scheme in WSGI environment
is always 'http' and doesn't reflect that a connection is originally
being accepted by Apache as HTTPS.

For discussion of similar issue when nginx is used as proxy, accepting
both HTTP and HTTPS, and with Apache/mod_wsgi behind but only
accepting HTTP, see:

http://groups.google.com/group/modwsgi/browse_frm/thread/94f952720c878506

In short, you need to have proxy front end pass some indication that
HTTPS was used for original requests and use a WSGI middleware/
application wrapper check for that flag and reset wsgi.url_scheme to
correct value based on how request was accepted by the proxy.

Sure someone here can indicate best way of achieving this with Pylons.

Graham

On Dec 22, 9:36 pm, Andre Kolell <andre.kol...@bluesummit.de> wrote:
> I solved the problem regarding redirect_to and SSL by using mod_rewrite to redirect each http-request to https:
>
> NameVirtualHost *:80
>
> <virtualhost *:80>
>         RewriteEngine On
>         RewriteCond %{HTTPS} !=on
>         RewriteRule ^/(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R]
> </virtualhost>
>
> I'm not sure if this is an adequate solution.
>
> ----- Original Message -----
> From: "Andre Kolell" <andre.kol...@bluesummit.de>

Tycon

Dec 23, 2008, 4:07:18 AM
to pylons-discuss
Right, when you use a reverse proxy setup, the proxy request is always
http (not https)
even if the original request was https.

Then I set up the web server (nginx in my case) to redirect HTTP
requests that have a "https=on" parameter to HTTPS.
In nginx, you can do it like this:

    server {
        listen 80;
        server_name www.mysite.com;

        if ($args ~ https=on) {
            rewrite ^(.*)$ https://$server_name$1 redirect;
        }

        ...

Similarly, I redirect from HTTPS to HTTP if there is a "https=off"
parameter in the request URI.

In pylons I verify that a request was originally received as HTTPS by
checking that the "https=on" param is present,
and if it's not then add it and redirect to HTTPS:

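    from pylons.controllers.util import redirect_to

    def verify_https(request):
        # Redirect to the same path with "https=on" added unless it is already set.
        if not request.params.get('https') == 'on':
            params = ['%s=%s' % (k, v) for (k, v) in request.params.items() if k != 'https']
            params.append('https=on')
            redirect_to(str(request.environ['PATH_INFO'] + '?' + '&'.join(params)))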

Then, you can write your controller action like this:

    class MyController:
        def secure(self):
            h.verify_https(request)
            return 'secured! '

So, if someone tries to access this action using HTTP, there will be
TWO redirects:
first, verify_https() will add the "https=on" param and redirect (to
HTTP), and then the web server will
see that param and redirect again to HTTPS. I'm not sure if it can be
done with a single redirect.
Also you can save one redirect if you create the URL for the secure
action with the "https=on" param already
present (in the link/url you create with url_for)

On Dec 22, 2:10 pm, Graham Dumpleton <Graham.Dumple...@gmail.com>
wrote:
> The real problem here is probably because Pylons server is only
> accepting HTTP connections and so wsgi.url_scheme in WSGi environment
> is always 'http' and doesn't reflect that a connection is originally
> being accepted by Apache as HTTPS.
>
> For discussion of similar issue when nginx is used as proxy, accepting
> both HTTP and HTTPS, and with Apache/mod_wsgi behind but only
> accepting HTTP, see:
>
>  http://groups.google.com/group/modwsgi/browse_frm/thread/94f952720c87...

Mike Orr

Dec 23, 2008, 4:32:27 AM
to pylons-...@googlegroups.com
On Mon, Dec 22, 2008 at 2:36 AM, Andre Kolell
<andre....@bluesummit.de> wrote:
>
> I solved the problem regarding redirect_to and SSL by using mod_rewrite to redirect each http-request to https:
>
> NameVirtualHost *:80
>
> <virtualhost *:80>
> RewriteEngine On
> RewriteCond %{HTTPS} !=on
> RewriteRule ^/(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R]
> </virtualhost>
>
> I'm not sure if this is an adequate solution.


I use a variation of this and have not had any problems with redirect_to:

    <VirtualHost IP:80>
        ServerName DOMAIN

        RewriteEngine On
        RewriteRule /(.*) https://DOMAIN/$1 [R=permanent]

        CustomLog /dev/null combined
    </VirtualHost>

My main purpose for this is not redirect_to but in case the user tries
to go to the site with http:. But I guess it also solves a problem I
didn't know I had.

The 'RewriteCond %{HTTPS} !=on' is not necessary since you've
specified :80 and port 80 is always HTTP.

--
Mike Orr <slugg...@gmail.com>

Andre Kolell

Jan 4, 2009, 7:53:13 AM
to pylons-...@googlegroups.com
On my blog I have written a complete example for using SSL (in German):
http://blog.andrekolell.de/2008/12/27/ssl-zugriff-auf-pylons-auf-paste-http-server-via-apache-proxy/

----- Original Message -----
From: "Mike Orr" <slugg...@gmail.com>
To: pylons-...@googlegroups.com
Sent: Tuesday, December 23, 2008 10:32:27 GMT +01:00 Amsterdam/Berlin/Bern/Rome/Stockholm/Vienna
Subject: Re: Problem with redirect_to and SSL

Tycon

Jan 4, 2009, 3:51:33 PM
to pylons-discuss
You need to set this header in Apache so Routes will know that the
original request was https:

    RequestHeader set X_URL_SCHEME https

Use this only in the ssl virtual host so your site will be accessible
either with http or https.


On Jan 4, 4:53 am, Andre Kolell <andre.kol...@bluesummit.de> wrote:
> On my blog I have written a complete example for using SSL (in German): http://blog.andrekolell.de/2008/12/27/ssl-zugriff-auf-pylons-auf-past...
>
> ----- Original Message -----
> From: "Mike Orr" <sluggos...@gmail.com>
> To: pylons-...@googlegroups.com
> Sent: Tuesday, December 23, 2008 10:32:27 GMT +01:00 Amsterdam/Berlin/Bern/Rome/Stockholm/Vienna
> Subject: Re: Problem with redirect_to and SSL
>
> On Mon, Dec 22, 2008 at 2:36 AM, Andre Kolell
>
> <andre.kol...@bluesummit.de> wrote:
>
> > I solved the problem regarding redirect_to and SSL by using mod_rewrite to redirect each http-request to https:
>
> > NameVirtualHost *:80
>
> > <virtualhost *:80>
> >        RewriteEngine On
> >        RewriteCond %{HTTPS} !=on
> >        RewriteRule ^/(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R]
> > </virtualhost>
>
> > I'm not sure if this is an adequate solution.
>
> I use a variation of this and have not had any problems with redirect_to:
>
> <VirtualHost IP:80>
>     ServerName DOMAIN
>
>     RewriteEngine On
>     RewriteRule   /(.*)  https://DOMAIN/$1  [R=permanent]
>
>     CustomLog /dev/null combined
> </VirtualHost>
>
> My main purpose for this is not redirect_to but in case the user tries
> to go to the site with http:.  But I guess it also solves a problem I
> didn't know I had.
>
> The 'RewriteCond %{HTTPS} !=on' is not necessary since you've
> specified :80 and port 80 is always HTTP.
>
> --
> Mike Orr <sluggos...@gmail.com>
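
Added example, not part of any post in this thread: a WSGI middleware of the kind Graham Dumpleton describes, driven by the X_URL_SCHEME header from Tycon's Apache directive. Assumptions: the header reaches the application under the CGI-style environ key HTTP_X_URL_SCHEME, the proxy connects from localhost, and the names ProxySchemeMiddleware, redirecting_app and location_for are illustrative.

```python
from wsgiref.util import application_uri, setup_testing_defaults

# Assumption: Apache proxies to Paster over the loopback interface.
TRUSTED_PROXIES = frozenset({"127.0.0.1", "::1"})
# Assumption: CGI-style environ key for the X_URL_SCHEME request header.
SCHEME_KEY = "HTTP_X_URL_SCHEME"


class ProxySchemeMiddleware:
    """Reset wsgi.url_scheme from a header set by a trusted front-end proxy."""

    def __init__(self, app, trusted_proxies=TRUSTED_PROXIES):
        self.app = app
        self.trusted = frozenset(trusted_proxies)

    def __call__(self, environ, start_response):
        # Always remove the header so downstream code never sees a client-supplied value.
        claimed = environ.pop(SCHEME_KEY, "").strip().lower()
        # Honour it only when the peer is the proxy and the value is a known scheme.
        if environ.get("REMOTE_ADDR") in self.trusted and claimed in ("http", "https"):
            environ["wsgi.url_scheme"] = claimed
        return self.app(environ, start_response)


def redirecting_app(environ, start_response):
    # Stand-in for a controller that redirects: absolute URL built from the environ.
    location = application_uri(environ).rstrip("/") + "/login"
    start_response("302 Found", [("Location", location)])
    return [b""]


def location_for(remote_addr, header=None):
    """Run one constructed request through the stack and return its Location."""
    environ = {"REMOTE_ADDR": remote_addr, "HTTP_HOST": "example.test"}
    if header is not None:
        environ[SCHEME_KEY] = header
    setup_testing_defaults(environ)  # fills in wsgi.url_scheme = "http" etc.
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured.update(headers)

    list(ProxySchemeMiddleware(redirecting_app)(environ, start_response))
    return captured["Location"]
```

Without the header (local development without SSL) redirects stay on http, and a header sent by any peer other than the proxy is ignored, so a client connecting directly cannot choose the scheme used in generated URLs.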