Fix check for https in ConnectionOrigin (#15468)
This commit adds a header key to indicate whether nginx has
flagged the session as https.
anodos325 authored Jan 23, 2025
1 parent b7f0128 commit 1b71ee8
Showing 2 changed files with 10 additions and 1 deletion.
Expand Up @@ -200,6 +200,7 @@ http {
proxy_http_version 1.1;
proxy_set_header X-Real-Remote-Addr $remote_addr;
proxy_set_header X-Real-Remote-Port $remote_port;
proxy_set_header X-Https $https;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
Expand All @@ -218,6 +219,7 @@ http {
proxy_http_version 1.1;
proxy_set_header X-Real-Remote-Addr $remote_addr;
proxy_set_header X-Real-Remote-Port $remote_port;
proxy_set_header X-Https $https;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
Expand Down Expand Up @@ -258,6 +260,7 @@ http {
}
# `allow`/`deny` are not allowed in `if` blocks so we'll have to make that check in the middleware itself.
proxy_set_header X-Real-Remote-Addr $remote_addr;
proxy_set_header X-Https $https;

add_header Cache-Control "must-revalidate";
add_header Etag "${system_version}";
Expand All @@ -274,6 +277,7 @@ http {
proxy_http_version 1.1;
proxy_set_header X-Real-Remote-Addr $remote_addr;
proxy_set_header X-Real-Remote-Port $remote_port;
proxy_set_header X-Https $https;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
Expand All @@ -285,6 +289,7 @@ http {
proxy_http_version 1.1;
proxy_set_header X-Real-Remote-Addr $remote_addr;
proxy_set_header X-Real-Remote-Port $remote_port;
proxy_set_header X-Https $https;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_send_timeout 7d;
Expand All @@ -299,6 +304,7 @@ http {
proxy_http_version 1.1;
proxy_set_header X-Real-Remote-Addr $remote_addr;
proxy_set_header X-Real-Remote-Port $remote_port;
proxy_set_header X-Https $https;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Server-Port $server_port;
Expand All @@ -310,6 +316,7 @@ http {
proxy_http_version 1.1;
proxy_set_header X-Real-Remote-Addr $remote_addr;
proxy_set_header X-Real-Remote-Port $remote_port;
proxy_set_header X-Https $https;
proxy_read_timeout 10m;
}

Expand All @@ -322,13 +329,15 @@ http {
proxy_http_version 1.1;
proxy_set_header X-Real-Remote-Addr $remote_addr;
proxy_set_header X-Real-Remote-Port $remote_port;
proxy_set_header X-Https $https;
}

location /_plugins {
proxy_pass http://127.0.0.1:6000/_plugins;
proxy_http_version 1.1;
proxy_set_header X-Real-Remote-Addr $remote_addr;
proxy_set_header X-Real-Remote-Port $remote_port;
proxy_set_header X-Https $https;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
}
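Review bot: Nothing in these hunks guarantees that `X-Https` is overwritten on every path that reaches middlewared, because the header is set location by location and nginx forwards a client-supplied `X-Https` unchanged from any proxied location that lacks the directive. Nine locations receive `proxy_set_header X-Https $https;` here, but whether that is the complete set cannot be seen from this page, so the remaining `proxy_pass` locations are worth checking. A location that declares its own `proxy_set_header` lines does not inherit those from the `server` level, so a single server-wide directive would not cover them; a comment at the first occurrence such as `# X-Https must be set in every proxied location so a client-sent value never reaches middlewared` would keep future locations consistent. The location around `add_header Cache-Control` sets `X-Real-Remote-Addr` and `X-Https` but shows no `X-Real-Remote-Port`, so if it is served by `get_tcp_ip_info` the port lookup would presumably raise before `X-Https` is read.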
2 changes: 1 addition & 1 deletion src/middlewared/middlewared/utils/origin.py
Expand Up @@ -167,7 +167,7 @@ def get_tcp_ip_info(sock, request) -> tuple:
# 0 (root) or 33 (www-data (nginx forks workers))
ra = request.headers["X-Real-Remote-Addr"]
rp = int(request.headers["X-Real-Remote-Port"])
ssl = request.headers.get("Origin", "").startswith("https:")
ssl = request.headers.get("X-Https", "") == "on"
check_uids = True
except (KeyError, ValueError):
ra, rp = sock.getpeername()
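Review bot: The new `ssl` assignment relies on two things the code does not state: that `X-Https` is written by nginx from `$https`, whose value is `on` for a TLS connection and empty otherwise, and that the header is only meaningful when the peer really is nginx. I would add a comment above it, `# X-Https is set by nginx from $https ("on" or empty); only trusted together with the peer UID check`, assuming `check_uids` drives that verification later in `get_tcp_ip_info`, whose body starts and ends outside this hunk. A missing header is read as non-TLS through the `""` default, which looks like the conservative direction, but it also means a connection whose TLS is terminated in front of nginx would be reported as plain HTTP.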
