HTTPS and redirect function


Damien Accorsi

Jan 10, 2010, 10:16:06 AM
to turbo...@googlegroups.com
Hi all,

I use TG2 behind an Apache server configured as a reverse proxy and
serving pages through HTTPS. It works fine except that the use of
'redirect' function makes the redirection using HTTP. How can I force
redirect to use HTTPS ?

Currently the Apache server redirects all HTTP queries to HTTPS, so my
system is functional but some information is exchanged through HTTP
and I want to avoid this because :
- some information is exchanged without encryption
- there are two redirections in case redirect is used: TG2 sends a
redirect to http:///some_url, then the client loads that redirection,
then the apache server tells the client to redirect to
https://some_url, then the client can get the requested page. This is
quite heavy and useless.

Would the WSGI mode be the solution ? Do I miss something ? Is it a
"missing feature" of TG2 ?

Thanks

Damien

Diez B. Roggisch

Jan 10, 2010, 11:13:49 AM
to turbo...@googlegroups.com
Sounds a bit strange. Redirect usually preserves the protocol & host,
simply because it only redirects to the path.

How exactly do you use redirect ?

Diez


Damien Accorsi

Jan 10, 2010, 5:31:45 PM
to turbo...@googlegroups.com
Diez B. Roggisch wrote:
> Sounds a bit strange. Redirect usually preserves the protocol & host,
> simply because it only redirects to the path.
>
> How exactly do you use redirect ?
I use it the "normal" way: I have an url which is in charge of
validating a form, then go back to the previous page. "but"... I'll
check tomorrow : I maybe don't use tg.url to create my redirect url.

Damien

Damien Accorsi

Jan 11, 2010, 5:00:35 AM
to turbo...@googlegroups.com
Here is the way I use redirect:

    from tg import expose, flash, require, url, request, redirect, validate
    [...]
        @expose()
        @require(predicates.has_permission('AddIpAddress'))
        def add_ip_address(self, new_ip_address, new_ip_address_comment="",
                           came_from='/home', x=0, y=0):
            [...]
            redirect(came_from)

Note: the form calling this controller action is like (no 'came_from' var
defined):

<form action="/action/add_ip_address">
...
</form>

Damien Accorsi

Jan 11, 2010, 9:15:21 AM
to turbo...@googlegroups.com
Ok. I did some extra tests. All the links are working well with HTTPS. The only problem comes from redirect.

Here is the code I used to process my tests: http://paste.debian.net/56357/

When calling the /action/change url through HTTPS, my browser is redirected to /action/agaga through HTTP.
When calling the /action/agaga url through HTTPS, I get a link to /action/change through HTTPS.

I tried to analyse the HTTP/HTTPS queries using wireshark but HTTPS is encrypted so I didn't see the content of the HTTPS data :-/

Any Idea ? Nobody's working with redirect on some secured website (e-commerce for example ?) ?

Damien


Damien Accorsi

Jan 11, 2010, 9:39:48 AM
to turbo...@googlegroups.com
Diez B. Roggisch wrote:
> Sounds a bit strange. Redirect usually preserves the protocol & host,
> simply because it only redirects to the path.
It does not. Let's look at
http://docs.turbogears.org/1.0/RedirectHttpsRequests
So... I suppose this is still a "missing feature" in TG2, doesn't it ?

Damien

Damien Accorsi

Jan 11, 2010, 11:19:55 AM
to turbo...@googlegroups.com
I reply to myself.

The solution is the following one :

In my configuration file, I added the 'filter-with' line to [app:main] section :

    [app:main]
    ...
    filter-with = proxy-prefix

And I also added the [filter:proxy-with] section :

    [filter:proxy-prefix]
    use = egg:PasteDeploy#prefix
    prefix = /
    scheme = https
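
Why the filter above changes the redirect target, as an added example (not code from this thread, TurboGears or PasteDeploy): behind a TLS-terminating proxy the backend sees plain HTTP, so an absolute `Location` built from `wsgi.url_scheme` comes out as `http://`. `ForceScheme` is a simplified, hypothetical stand-in for the effect of `scheme = https`; the app, host name and environ values are constructed.

```python
from wsgiref.util import application_uri


def redirecting_app(environ, start_response):
    """Hypothetical app: answers every request with a redirect to a path,
    expanded to an absolute URL from the WSGI environ."""
    target = application_uri(environ).rstrip("/") + "/action/agaga"
    start_response("302 Found", [("Location", target)])
    return [b""]


class ForceScheme:
    """Simplified stand-in (assumption) for the effect of `scheme = https`:
    overwrite the scheme the application sees before it runs."""

    def __init__(self, app, scheme="https"):
        self.app = app
        self.scheme = scheme

    def __call__(self, environ, start_response):
        environ["wsgi.url_scheme"] = self.scheme
        return self.app(environ, start_response)


def location_for(app, environ):
    """Call a WSGI app on a copy of environ and return its Location header."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured.update(headers)

    list(app(dict(environ), start_response))
    return captured.get("Location")


# Constructed environ: what the backend sees when Apache terminates TLS
# and forwards the request over plain HTTP.
BACKEND_ENVIRON = {
    "REQUEST_METHOD": "GET", "SCRIPT_NAME": "", "PATH_INFO": "/action/change",
    "SERVER_NAME": "127.0.0.1", "SERVER_PORT": "8080",
    "HTTP_HOST": "app.example.test", "wsgi.url_scheme": "http",
}

if __name__ == "__main__":
    print("without filter:", location_for(redirecting_app, BACKEND_ENVIRON))
    print("with filter:   ", location_for(ForceScheme(redirecting_app), BACKEND_ENVIRON))
```

A forced scheme is only correct when every request reaching the backend came in through the HTTPS front end.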


damien....@free.fr

Jan 11, 2010, 7:40:13 PM
to turbo...@googlegroups.com
I added a comment about this on the documentation page http://turbogears.org/2.0/docs/main/Deployment/ModProxy.html

Damien


Adrian von Bidder

Jan 12, 2010, 1:00:26 AM
to turbo...@googlegroups.com
On Monday 11 January 2010 15.15:21 Damien Accorsi wrote:
> I tried to analyse the HTTP/HTTPS queries using wireshark but HTTPS is
> encrypted so I didn't see the content of the HTTPS data :-/
>

Just a short tip if you have to do stuff like that often: there are a few
tools (sorry, can't remember the name and I'm offline right now, google
should help you) that act as web proxy which will terminate the SSL
encryption and log all traffic.

Helps debugging web traffic, much more readable than wireshark.

cheers
-- vbi

--
> Maybe that question would be a good starting point: What's the use for
> a gender field there?
Stalking.
-- Miriam Ruiz, Marco d'Itri (im that order)
