X-Forwarded-Proto / X_FORWARDED_PROTO

John-Paul Bader hukl at berlin.ccc.de
Sun Jan 10 06:43:55 EST 2010


Hey Guys,

I posted my setup before but for this thread I'll do it again.

For http I have: varnish(80) -> nginx(8080) -> unicorn

And for https: nginx(443) -> varnish(80) -> nginx(8080) -> unicorn

Nginx has these proxy settings for the 443 vhost: 

location / {
      …
      access_log         off;
      proxy_redirect     off;
      proxy_pass         http://www.ccc.de;
      proxy_set_header   X-Real-IP  $remote_addr;
      proxy_set_header   X-FORWARDED-PROTO https;
    }
…

So I explicitly set this header. This way varnish(80), nginx(8080), unicorn and ultimately rails will get this Header and know that this was a https request. This works for me perfectly and maybe that is helpful for you ? If not never mind ;)

After all this header is a non standard extension introduced by squid. Theres a nice wikipedia page about it: http://en.wikipedia.org/wiki/X-Forwarded-For

Kind regards, John


On 10.01.2010, at 07:32, Eric Wong wrote:

> Eric Wong <normalperson at yhbt.net> wrote:
>> Iñaki Baz Castillo <ibc at aliax.net> wrote:
>>> In your case it seems valid for me (just an opinnion) as 
>>> "HTTP_X_FORWARDED_PROTO: http,https" could mean that the request has been sent 
>>> using HTTPS and an intermediary proxy has forwarded it using HTTP. Of course 
>>> the final destination (Unicorn application) must be ready to support such 
>>> syntax.
>> 
>> Is it safe to say that if there's an "https" *anywhere* in the
>> X-Forwarded-Proto chain, that "rack.url_scheme" should be set to
>> "https"?   Because I suppose most of the time there's only one
>> (client-facing) proxy using https.
> 
> Maybe this will work...
> 
> diff --git a/ext/unicorn_http/global_variables.h b/ext/unicorn_http/global_variables.h
> index e593cf6..6705851 100644
> --- a/ext/unicorn_http/global_variables.h
> +++ b/ext/unicorn_http/global_variables.h
> @@ -74,7 +74,6 @@ void init_globals(void)
>   DEF_GLOBAL(server_name, "SERVER_NAME");
>   DEF_GLOBAL(server_port, "SERVER_PORT");
>   DEF_GLOBAL(server_protocol, "SERVER_PROTOCOL");
> -  DEF_GLOBAL(http_x_forwarded_proto, "HTTP_X_FORWARDED_PROTO");
>   DEF_GLOBAL(port_80, "80");
>   DEF_GLOBAL(port_443, "443");
>   DEF_GLOBAL(localhost, "localhost");
> diff --git a/ext/unicorn_http/unicorn_http.rl b/ext/unicorn_http/unicorn_http.rl
> index 6232e2c..f3945b2 100644
> --- a/ext/unicorn_http/unicorn_http.rl
> +++ b/ext/unicorn_http/unicorn_http.rl
> @@ -197,6 +197,14 @@ static void write_value(VALUE req, struct http_parser *hp,
>     assert_frozen(f);
>   }
> 
> +  /*
> +   * any X-Forwarded-Proto: https means there's an https server in the
> +   * proxy chain, and that server is most likely the one that actually
> +   * sees the client, so help Rack apps generate URLs with "https"
> +   */
> +  if (f == g_http_x_forwarded_proto && STR_CSTR_EQ(v, "https"))
> +    rb_hash_aset(req, g_rack_url_scheme, v);
> +
>   e = rb_hash_aref(req, f);
>   if (NIL_P(e)) {
>     hp->cont = rb_hash_aset(req, f, v);
> @@ -393,12 +401,7 @@ static void finalize_header(struct http_parser *hp, VALUE req)
> 
>   /* set rack.url_scheme to "https" or "http", no others are allowed by Rack */
>   if (NIL_P(temp)) {
> -    temp = rb_hash_aref(req, g_http_x_forwarded_proto);
> -    if (!NIL_P(temp) && STR_CSTR_EQ(temp, "https"))
> -      server_port = g_port_443;
> -    else
> -      temp = g_http;
> -    rb_hash_aset(req, g_rack_url_scheme, temp);
> +    rb_hash_aset(req, g_rack_url_scheme, g_http);
>   } else if (STR_CSTR_EQ(temp, "https")) {
>     server_port = g_port_443;
>   } else {
> @@ -712,5 +715,6 @@ void Init_unicorn_http(void)
>   SET_GLOBAL(g_http_transfer_encoding, "TRANSFER_ENCODING");
>   SET_GLOBAL(g_content_length, "CONTENT_LENGTH");
>   SET_GLOBAL(g_http_connection, "CONNECTION");
> +  SET_GLOBAL(g_http_x_forwarded_proto, "X_FORWARDED_PROTO");
> }
> #undef SET_GLOBAL
> -- 
> Eric Wong
> _______________________________________________
> Unicorn mailing list - mongrel-unicorn at rubyforge.org
> http://rubyforge.org/mailman/listinfo/mongrel-unicorn
> Do not quote signatures (like this one) or top post when replying
> 



More information about the mongrel-unicorn mailing list