From 1b71ee8eb2df72dd97609ad1db584cc8c1f29215 Mon Sep 17 00:00:00 2001
From: Andrew Walker
Date: Thu, 23 Jan 2025 13:52:39 -0600
Subject: [PATCH] Fix check for https in ConnectionOrigin (#15468)

This commit adds a header key to indicate whether nginx has flagged the session as https.
---
 .../middlewared/etc_files/local/nginx/nginx.conf.mako | 9 +++++++++
 src/middlewared/middlewared/utils/origin.py | 2 +-
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/middlewared/middlewared/etc_files/local/nginx/nginx.conf.mako b/src/middlewared/middlewared/etc_files/local/nginx/nginx.conf.mako
index c013616488b2e..aa1522382a475 100644
--- a/src/middlewared/middlewared/etc_files/local/nginx/nginx.conf.mako
+++ b/src/middlewared/middlewared/etc_files/local/nginx/nginx.conf.mako
@@ -200,6 +200,7 @@ http {
 proxy_http_version 1.1;
 proxy_set_header X-Real-Remote-Addr $remote_addr;
 proxy_set_header X-Real-Remote-Port $remote_port;
+ proxy_set_header X-Https $https;
 proxy_set_header X-Forwarded-For $remote_addr;
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection $connection_upgrade;
@@ -218,6 +219,7 @@ http {
 proxy_http_version 1.1;
 proxy_set_header X-Real-Remote-Addr $remote_addr;
 proxy_set_header X-Real-Remote-Port $remote_port;
+ proxy_set_header X-Https $https;
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection "upgrade";
 }
@@ -258,6 +260,7 @@ http {
 }
 # `allow`/`deny` are not allowed in `if` blocks so we'll have to make that check in the middleware itself.
 proxy_set_header X-Real-Remote-Addr $remote_addr;
+ proxy_set_header X-Https $https;
 add_header Cache-Control "must-revalidate";
 add_header Etag "${system_version}";
 
@@ -274,6 +277,7 @@ http {
 proxy_http_version 1.1;
 proxy_set_header X-Real-Remote-Addr $remote_addr;
 proxy_set_header X-Real-Remote-Port $remote_port;
+ proxy_set_header X-Https $https;
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection "upgrade";
 }
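Review bot: The middleware's new trust in `X-Https` holds only if every `proxy_pass` location overwrites it; `proxy_set_header` replaces any client-supplied `X-Https` in the locations touched here (@@ -200, -218, -258, -274 and the -285 through -329 hunks), but a proxied location outside these hunks that does not set it would pass a client's own `X-Https: on` through to the backend unless request-header forwarding is otherwise restricted. Because location-level `proxy_set_header` directives replace rather than merge with inherited ones, a single server-level directive would not cover these locations, so the per-location repetition is required and the coverage must be maintained by hand. I would add a comment next to the first occurrence: `# X-Https must be set in every proxy_pass location: the middleware treats "on" as proof the client connection was TLS, and a location that omits it would forward the client's own value`. Note that `$https` is "on" for TLS and empty otherwise, so the header is always present with an empty value on plain HTTP, which matches the `== "on"` comparison on the Python side.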
@@ -285,6 +289,7 @@ http {
 proxy_http_version 1.1;
 proxy_set_header X-Real-Remote-Addr $remote_addr;
 proxy_set_header X-Real-Remote-Port $remote_port;
+ proxy_set_header X-Https $https;
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection "upgrade";
 proxy_send_timeout 7d;
@@ -299,6 +304,7 @@ http {
 proxy_http_version 1.1;
 proxy_set_header X-Real-Remote-Addr $remote_addr;
 proxy_set_header X-Real-Remote-Port $remote_port;
+ proxy_set_header X-Https $https;
 proxy_set_header Host $host;
 proxy_set_header X-Forwarded-For $remote_addr;
 proxy_set_header X-Server-Port $server_port;
@@ -310,6 +316,7 @@ http {
 proxy_http_version 1.1;
 proxy_set_header X-Real-Remote-Addr $remote_addr;
 proxy_set_header X-Real-Remote-Port $remote_port;
+ proxy_set_header X-Https $https;
 proxy_read_timeout 10m;
 }
 
@@ -322,6 +329,7 @@ http {
 proxy_http_version 1.1;
 proxy_set_header X-Real-Remote-Addr $remote_addr;
 proxy_set_header X-Real-Remote-Port $remote_port;
+ proxy_set_header X-Https $https;
 }
 
 location /_plugins {
@@ -329,6 +337,7 @@ http {
 proxy_http_version 1.1;
 proxy_set_header X-Real-Remote-Addr $remote_addr;
 proxy_set_header X-Real-Remote-Port $remote_port;
+ proxy_set_header X-Https $https;
 proxy_set_header Host $host;
 proxy_set_header X-Forwarded-For $remote_addr;
 }
diff --git a/src/middlewared/middlewared/utils/origin.py b/src/middlewared/middlewared/utils/origin.py
index aa4a5a55f4a4b..41664e57bb8fe 100644
--- a/src/middlewared/middlewared/utils/origin.py
+++ b/src/middlewared/middlewared/utils/origin.py
@@ -167,7 +167,7 @@ def get_tcp_ip_info(sock, request) -> tuple:
 # 0 (root) or 33 (www-data (nginx forks workers))
 ra = request.headers["X-Real-Remote-Addr"]
 rp = int(request.headers["X-Real-Remote-Port"])
- ssl = request.headers.get("Origin", "").startswith("https:")
+ ssl = request.headers.get("X-Https", "") == "on"
 check_uids = True
 except (KeyError, ValueError):
 ra, rp = sock.getpeername()
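Review bot: The trust boundary behind the new `ssl` line is undocumented: `X-Https` is an ordinary request header, and it is only a reliable TLS indicator because nginx overwrites it in its `proxy_pass` locations and because, per the visible comment about uids 0 and 33, acceptance is gated by the `check_uids` path so only nginx-originated sockets are believed. Unlike the `X-Real-Remote-Addr` and `X-Real-Remote-Port` lookups, which raise `KeyError` into the `getpeername()` fallback, `.get("X-Https", "")` silently yields `ssl = False` when the header is absent; that is a fail-closed default, but it should be stated so nobody later "fixes" it into a raise. I would add above the line: `# set by nginx in every proxy_pass location ("on" for TLS, "" otherwise); trusted only together with the uid check below, and a missing header deliberately fails closed to ssl=False`. The enclosing `try` and the body of `get_tcp_ip_info` start before and continue after this hunk, so the uid check itself is not visible here.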