Bug #4010

closed

[ce] Check that HTTPS fixup middleware wraps also pyramid views.

Added by Martin Bornhold over 6 years ago. Updated over 6 years ago.

Status: Closed
Priority: High
Category: -
Target version:
Start date: 10.06.2016
Due date:
% Done: 0%
Estimated time:
Sorting:
Commit Number:
Affected Version:

Description

MarcinK reported that the redirect after logging in via the quick login box points him from HTTPS -> HTTP.
Normally the HTTPS fixup middleware should handle this.

We recently migrated the login view from pylons to pyramid. Maybe the middleware only wraps pylons views and not pyramid views.

Actions #1

Updated by Marcin Kuzminski [CTO] over 6 years ago

  • Target version changed from v4.1 to v4.2
Actions #2

Updated by Marcin Kuzminski [CTO] over 6 years ago

  • Priority changed from Normal to High

Bumping priority for this, as it might be a really problematic regression for some cases when you don't do an http -> https redirect, and it is actually a regression.

Actions #3

Updated by Marcin Kuzminski [CTO] over 6 years ago

One important note:

  • enabling proxy-prefix middleware actually solves the problem. We believe that we should always enable this as it's a good default with an empty prefix.

We should check what custom logic is inside the SSL wrapper, and whether we still need it or whether things can actually be fixed by using proxy-prefix.

Actions #4

Updated by Johannes Bornhold over 6 years ago

  • Status changed from New to In Progress
  • Assignee set to Johannes Bornhold
Actions #5

Updated by Johannes Bornhold over 6 years ago

Ok, here we go:

  • First investigations to understand what we have here
  • Maybe only proxy prefix middleware
  • Otherwise plain fix
Actions #6

Updated by Johannes Bornhold over 6 years ago

Investigation details

  • It is included in make_app which is producing the pylons app, this means it is for sure not active for the pyramid app.
  • Moving it up in the stack could already restore the old behavior.
  • Inspection of the implementation
    • rhodecode/lib/middleware/https_fixup.py
    • It appends HSTS headers
    • It applies changes to the environ if it detects SSL
    • Conclusion:
      • Moving it up should restore the old behavior, then we are fixed.
      • Improving things can be done in a later step.
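
Added example (not part of the ticket or of RhodeCode's code): a minimal WSGI stack reproducing the ordering problem from the investigation above, where the fixup wraps only the legacy app, next to the stack with the fixup moved up. The `X-Forwarded-Proto` check, the host name and all function names are assumptions made for the illustration, and the HSTS header handling is left out.

```python
from wsgiref.util import application_uri, setup_testing_defaults


def https_fixup(app):
    """Simplified stand-in: mark the request as HTTPS when the proxy says so."""
    def middleware(environ, start_response):
        # Assumption: the TLS-terminating proxy sets X-Forwarded-Proto.
        if environ.get("HTTP_X_FORWARDED_PROTO") == "https":
            environ["wsgi.url_scheme"] = "https"
        return app(environ, start_response)
    return middleware


def redirect_home(environ, start_response):
    """Both toy apps redirect to the application root using the environ scheme."""
    start_response("302 Found", [("Location", application_uri(environ))])
    return [b""]


def make_stack(wrap_whole_stack):
    legacy_app = redirect_home      # stands in for the Pylons app
    pyramid_login = redirect_home   # stands in for the migrated login view
    if not wrap_whole_stack:
        # Fixup applied inside the legacy app factory only (the reported state).
        legacy_app = https_fixup(legacy_app)

    def outer(environ, start_response):
        # The outer app answers /login itself and delegates everything else.
        if environ["PATH_INFO"] == "/login":
            return pyramid_login(environ, start_response)
        return legacy_app(environ, start_response)

    # Moving the fixup up the stack makes it cover both apps.
    return https_fixup(outer) if wrap_whole_stack else outer


def redirect_location(stack, path):
    """Send a constructed proxied-HTTPS request and return the Location header."""
    environ = {"PATH_INFO": path, "HTTP_X_FORWARDED_PROTO": "https",
               "HTTP_HOST": "code.example.com"}  # constructed sample request
    setup_testing_defaults(environ)  # fills in wsgi.url_scheme = "http" etc.
    captured = {}
    def start_response(status, headers):
        captured.update(headers)
    stack(environ, start_response)
    return captured["Location"]
```

Calling `redirect_location(make_stack(False), "/login")` shows the downgrade to `http://`, while the same request against `make_stack(True)` keeps `https://`; a regression test of this shape catches views that end up outside the middleware after a migration.
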
Actions #8

Updated by Johannes Bornhold over 6 years ago

  • Status changed from In Progress to Resolved
Actions #9

Updated by Marcin Kuzminski [CTO] over 6 years ago

  • Status changed from Resolved to Closed