Authentication redirection problem


Moritz Schlarb

May 21, 2012, 9:19:56 AM
to turbo...@googlegroups.com
I was sure I had already read something about that error, but I'm unable to find it...

I wanted to deploy a development version of my application on another port at the Apache proxy frontend.

So I added a https-only VirtualHost on Port 8088 and configured the ProxyPass directives accordingly.
It works, but at some point I get redirected to the login page and then the protocol does not preserve the https.

curl gives me this:

HTTP/1.1 302 Found
Date: Mon, 21 May 2012 13:18:02 GMT
Server: PasteWSGIServer/0.5 Python/2.7.2+
Content-Type: text/html; charset=UTF-8
Set-Cookie: webflash=%7B%22status%22%3A%20%22warning%22%2C%20%22message%22%3A%20%22You%20have%20no%20permission%20to%20manage%20Lessons%20for%20this%20Event%22%7D; Path=/
Vary: Accept-Encoding

You see, the redirection goes to plain http.
(I've checked, the issue also occurs when I get redirected to the login page on the normal instance, but since I do a redirection to the https protocol in Apache, it is not bad there.)

How can I make repoze.who redirect to the correct protocol?

Cheers,
Moritz

Alessandro Molina

May 21, 2012, 10:11:55 AM
to turbo...@googlegroups.com
The redirection is created using the protocol that has been used to
fetch the request.
As Apache is probably fetching the answer from Paste using HTTP and
not HTTPS you get the redirection as HTTP.

You should add to your application a middleware that does something like:

environ['wsgi.url_scheme'] = environ.get('HTTP_X_URL_SCHEME', 'http')
or
if environ['HTTP_X_PROXY_HOST'].split(':')[1] == '443':
    environ['wsgi.url_scheme'] = 'https'

depending on which headers apache is setting on proxy.
The point is that you have to detect if the original request was HTTPS
or not and set url_scheme accordingly.

Moritz Schlarb

May 21, 2012, 5:34:09 PM
to turbo...@googlegroups.com
Thanks, Alessandro,

For future reference, I'd like to add that you have to tell the proxying Apache to set that header.
Therefore add the following line to the Apache proxy config:

RequestHeader set X_URL_SCHEME https

Then you can use

environ['wsgi.url_scheme'] = environ.get('HTTP_X_URL_SCHEME', 'http')

Cheers,
Moritz

Moritz Schlarb

May 31, 2012, 4:21:06 PM
to turbo...@googlegroups.com
Sadly, the issue reappeared, out of nowhere...

But not at the point where repoze.what-1.0.9 redirects you to the login page, but on the login_handler page from repoze.who-1.0.19 ...

$ curl -v -d 'username=user&password=pass' https://sauce.zdv.uni-mainz.de:8088/login_handler

> POST /login_handler HTTP/1.1
> User-Agent: curl/7.24.0 (x86_64-pc-linux-gnu) libcurl/7.24.0 GnuTLS/2.12.18 zlib/1.2.5
> Accept: */*
> Content-Length: 42
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 42 out of 42 bytes
< HTTP/1.1 302 Found
< Date: Thu, 31 May 2012 20:17:50 GMT
< Server: PasteWSGIServer/0.5 Python/2.7.2+
< Content-Length: 295
< Content-Type: text/html; charset=UTF-8
< Vary: Accept-Encoding
<
<html>
 <head>
  <title>302 Found</title>
 </head>
 <body>
  <h1>302 Found</h1>
you should be redirected automatically.


 </body>
</html>

I changed nothing on the settings regarding the wsgi.url_scheme...

Any ideas?


Alessandro Molina

May 31, 2012, 5:07:13 PM
to turbo...@googlegroups.com
That is strange as repoze.who.friendlyform uses webob.path_url to
generate the redirect and req.path_url uses wsgi.url_scheme to create
the ending url.
So it should behave exactly like the other redirects.

Try to place a middleware around your application to print out the
value of req.path_url just before the redirect is built, it might be
helpful to understand what is happening.

Moritz Schlarb

Jun 1, 2012, 7:28:58 AM
to turbo...@googlegroups.com
Hm, could it be that setting environ['wsgi.url_scheme'] in BaseController is too late for repoze.who?

So that I would have to create a Middleware that is inserted above repoze.who in the request stack...

Moritz Schlarb

Jun 1, 2012, 2:12:57 PM
to turbo...@googlegroups.com
Yep, that did the trick!

For future reference:

class MyMiddleware(object):
    '''WSGI Middleware wrapper'''
    def __init__(self, app, *args, **kwargs):
        self.app = app
    def __call__(self, environ, response):
        # Set the correct originating url_scheme even if behind a proxy
        # The Apache config needs the following line to set this header:
        # RequestHeader set X_URL_SCHEME https
        environ['wsgi.url_scheme'] = environ.get('HTTP_X_URL_SCHEME', 'http')
        return self.app(environ, response)

def make_app(global_conf, full_stack=True, **app_conf):
    app = make_base_app(global_conf, full_stack=True, **app_conf)
    app = MyMiddleware(app)
    return app
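
The ordering problem resolved in this thread, as an added example that is not part of the original posts: a scheme-fixing middleware only affects redirects built by layers it wraps. It goes beyond the posted code by honouring X_URL_SCHEME only from a trusted proxy address and only for the values http/https. ProxySchemeMiddleware, FakeAuthMiddleware (a stand-in for repoze.who), TRUSTED_PROXIES and the host example.test are constructed for illustration.

```python
from wsgiref.util import application_uri, setup_testing_defaults

TRUSTED_PROXIES = {'127.0.0.1'}  # assumption: Apache proxies from localhost

class ProxySchemeMiddleware(object):
    '''Take wsgi.url_scheme from X_URL_SCHEME, only from a trusted proxy.'''
    def __init__(self, app, trusted=TRUSTED_PROXIES):
        self.app, self.trusted = app, frozenset(trusted)

    def __call__(self, environ, start_response):
        scheme = environ.pop('HTTP_X_URL_SCHEME', '').lower()
        # Ignore the header unless the peer is the proxy and the value is sane
        if environ.get('REMOTE_ADDR') in self.trusted and scheme in ('http', 'https'):
            environ['wsgi.url_scheme'] = scheme
        return self.app(environ, start_response)

class FakeAuthMiddleware(object):
    '''Stand-in for repoze.who: redirects to /login before the app runs.'''
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        location = application_uri(environ).rstrip('/') + '/login'
        start_response('302 Found', [('Location', location)])
        return [b'']

def late_fix_app(environ, start_response):
    # Fixing the scheme in the controller: the redirect was already built
    environ['wsgi.url_scheme'] = environ.get('HTTP_X_URL_SCHEME', 'http')
    start_response('200 OK', [('Content-Type', 'text/plain')])
    return [b'ok']

def redirect_location(wsgi_app, remote_addr, header=None):
    '''Send one constructed request and return the Location header.'''
    environ = {'REMOTE_ADDR': remote_addr, 'HTTP_HOST': 'example.test:8088'}
    setup_testing_defaults(environ)
    if header is not None:
        environ['HTTP_X_URL_SCHEME'] = header
    seen = {}
    list(wsgi_app(environ, lambda status, headers, exc_info=None: seen.update(headers)))
    return seen.get('Location')

too_late = FakeAuthMiddleware(late_fix_app)
fixed = ProxySchemeMiddleware(FakeAuthMiddleware(late_fix_app))
print(redirect_location(too_late, '127.0.0.1', 'https'))   # scheme set below the auth layer
print(redirect_location(fixed, '127.0.0.1', 'https'))      # scheme set above the auth layer
print(redirect_location(fixed, '203.0.113.7', 'https'))    # header from an untrusted peer
```

The peer check matters whenever the backend port can be reached without passing through the Apache proxy, since any client could then send the header itself.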