Bug #4010

[ce] Check that HTTPS fixup middleware wraps also pyramid views.

Added by Martin Bornhold about 5 years ago. Updated about 5 years ago.

Status: Closed
Priority: High
Category: -
Target version:
Start date: 10.06.2016
Due date:
% Done: 0%
Estimated time:
Sorting:
Commit Number:
Affected Version:

Description

MarcinK reported that the redirect after logging in via the quick login box points him from HTTPS -> HTTP.
Normally the HTTPS fixup middleware should handle this.

We recently migrated the login view from pylons to pyramid. Maybe the middleware only wraps pylons views and not pyramid views.

#1

Updated by Marcin Kuzminski [CTO] about 5 years ago

  • Target version changed from v4.1 to v4.2

#2

Updated by Marcin Kuzminski [CTO] about 5 years ago

  • Priority changed from Normal to High

Bumping priority for that, as it might be a really problematic regression for some cases when you don't do an http -> https redirect, and it's actually a regression.

#3

Updated by Marcin Kuzminski [CTO] about 5 years ago

One important note:

  • enabling proxy-prefix middleware actually solves the problem. We believe that we should always enable this as it's a good default with an empty prefix.

We should check what custom logic is inside the SSL wrapper, and if we still need it or things can actually be fixed by using proxy-prefix.

#4

Updated by Johannes Bornhold about 5 years ago

  • Status changed from New to In Progress
  • Assignee set to Johannes Bornhold

#5

Updated by Johannes Bornhold about 5 years ago

Ok, here we go:

  • First investigations to understand what we have here
  • Maybe only proxy prefix middleware
  • Otherwise plain fix

#6

Updated by Johannes Bornhold about 5 years ago

Investigation details

  • It is included in make_app which is producing the pylons app, this means it is for sure not active for the pyramid app.
  • Moving it up in the stack could already restore the old behavior.
  • Inspection of the implementation
    • rhodecode/lib/middleware/https_fixup.py
    • It appends htsts headers
    • It applies changes to the environ if it detects SSL
    • Conclusion:
      • Moving it up should restore the old behavior, then we are fixed.
      • Improving things can be done in a later step.
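
The wrapping-order problem found in the investigation above, reproduced with plain WSGI callables. This is an added example, not part of the original thread and not RhodeCode's code: `HttpsFixup`, `OuterApp`, `legacy_app`, the `X-Forwarded-Proto` detection and the host name are all assumptions made for illustration.

```python
from wsgiref.util import setup_testing_defaults


class HttpsFixup:
    """Hypothetical stand-in for an HTTPS fixup middleware."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        # Assumption: a TLS-terminating proxy sets X-Forwarded-Proto, and
        # only that proxy can reach the application directly.
        if environ.get("HTTP_X_FORWARDED_PROTO") == "https":
            environ["wsgi.url_scheme"] = "https"
        return self.app(environ, start_response)


def legacy_app(environ, start_response):
    """Inner app (the older framework's views)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"legacy"]


class OuterApp:
    """Outer app: answers /login itself and delegates everything else."""
    def __init__(self, fallback):
        self.fallback = fallback

    def __call__(self, environ, start_response):
        if environ["PATH_INFO"] == "/login":
            # The redirect uses whatever scheme this layer sees.
            location = "%s://%s/" % (environ["wsgi.url_scheme"],
                                     environ["HTTP_HOST"])
            start_response("302 Found", [("Location", location)])
            return [b""]
        return self.fallback(environ, start_response)


def login_redirect(app):
    """Send a constructed proxied /login request; return the Location header."""
    environ = {"PATH_INFO": "/login", "HTTP_HOST": "code.example.com",
               "HTTP_X_FORWARDED_PROTO": "https"}
    setup_testing_defaults(environ)  # fills in wsgi.url_scheme = "http"
    captured = {}
    app(environ, lambda status, headers, exc_info=None: captured.update(headers))
    return captured["Location"]


inner_only = OuterApp(HttpsFixup(legacy_app))   # fixup wraps only the inner app
whole_stack = HttpsFixup(OuterApp(legacy_app))  # fixup moved up the stack
```

With `inner_only` the login redirect downgrades to `http://`, because the outer view runs before the fixup ever touches the environ; with `whole_stack` the same request redirects to `https://`.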
#8

Updated by Johannes Bornhold about 5 years ago

  • Status changed from In Progress to Resolved

#9

Updated by Marcin Kuzminski [CTO] about 5 years ago

  • Status changed from Resolved to Closed
