chef / supermarket

Chef's community platform
https://supermarket.chef.io/
Apache License 2.0

https still used when nginx force ssl is false (omnibus-supermarket) #1076

Open david-crowder opened 9 years ago

david-crowder commented 9 years ago

I ran into an issue recently where despite having disabled ssl through setting node['supermarket']['nginx']['force_ssl'] to false, navigating to the universe endpoint still presented https download links.

I believe it is due to this line: https://github.com/chef/omnibus-supermarket/blob/master/cookbooks/omnibus-supermarket/templates/default/rails.nginx.conf.erb#L123

Causing https://github.com/chef/supermarket/blob/master/app/models/universe.rb#L132 to always use https.

Is this the intended behavior?

robbkidd commented 8 years ago

Thanks for this report, David. After a quick look, I agree, that's the problem. Nope, not intended. Will investigate further.

robbkidd commented 8 years ago

Re-opening this issue. chef/omnibus-supermarket#48 was reverted after causing problems behind a load-balancer. There is a new issue #1236 opened to refactor the nginx template to better handle the different SSL/non-SSL scenarios for Supermarket.

robbkidd commented 8 years ago

Revisiting this, I have tested changing the X-Forwarded-Proto setting from https to $http_x_forwarded_proto in a few different SSL and non-SSL scenarios. There will be a PR incoming after some more testing, but I figured I would do a brain dump here on what can be done today with configuration and the tweak to the nginx site template.

Scenarios

No SSL, just run on :80, please

Change X-Forwarded-Proto setting from https to $http_x_forwarded_proto in /var/opt/supermarket/nginx/etc/sites-enabled/rails.

Attribute settings:

protocol: http
nginx:
  force_ssl: false

Supermarket host providing own SSL-termination on :443 + redirect :80 to :443

Attributes:

protocol: https
nginx:
  force_ssl: true
ssl:
  enabled: true

SSL-term load balancer listening on :443, forwarding to Supermarket host no SSL :80

Attributes:

protocol: https
nginx:
  force_ssl: false
ssl:
  enabled: false

SSL-term load balancer listening on :443, forwarding to Supermarket host no SSL :443 + redirect :80 to :443

Attributes:

protocol: https
nginx:
  force_ssl: true
ssl:
  enabled: false

Future Work

I'm planning two things to simplify the above:

  1. Change X-Forwarded-Proto setting from https to $http_x_forwarded_proto in the template within the omnibus package
  2. Research removing the protocol attribute altogether. It exists to set PROTOCOL in the environment and that environment variable seems to be only used within the Rails app to build links back to itself with the scheme the end user should use. Rails already has mechanisms to figure that out based on X-Forwarded-Proto, so use that and repetitive configuration and bugs around it go away.
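The mechanism behind the scenarios above, as an added example in plain Ruby (it is not code from chef/supermarket or omnibus-supermarket). It models what the nginx site template puts in X-Forwarded-Proto under the hard-coded `https` line versus the `$http_x_forwarded_proto` tweak, and how a Rack/Rails app turns that header into the scheme it uses for self-referential links such as the universe endpoint's download URLs. The setting names, the simplified scheme-selection logic, the `$scheme` alternative and the sample requests are this example's own constructions and are not taken from the project.

```ruby
# Added example (plain Ruby, not code from chef/supermarket or omnibus-supermarket).
# Models what the nginx site template sends in X-Forwarded-Proto and how a
# Rack/Rails app turns that into the scheme used to build links back to itself.

# X-Forwarded-Proto value nginx sends upstream for a given template setting.
#   :hardcoded_https -> proxy_set_header X-Forwarded-Proto https;                    (the line this issue reports)
#   :passthrough     -> proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;  (the tweak tested in the thread)
#   :from_scheme     -> proxy_set_header X-Forwarded-Proto $scheme;                  (assumed alternative, not on the page)
# nginx_scheme is the scheme of the connection nginx accepted; inbound_header is the
# X-Forwarded-Proto header that arrived with that request, nil when there was none.
def forwarded_proto(setting, nginx_scheme:, inbound_header: nil)
  case setting
  when :hardcoded_https then "https"
  when :passthrough     then inbound_header
  when :from_scheme     then nginx_scheme
  else raise ArgumentError, "unknown setting #{setting.inspect}"
  end
end

# Simplified model of Rack::Request#scheme for a Rails app proxied over plain HTTP:
# the first entry of X-Forwarded-Proto wins, otherwise the socket scheme is used.
def app_scheme(forwarded_header, socket_scheme: "http")
  return socket_scheme if forwarded_header.nil? || forwarded_header.strip.empty?
  forwarded_header.split(",").first.strip.downcase
end

# The kind of self-referential URL the universe endpoint emits (constructed host).
def universe_link(scheme, host, path = "/universe")
  "#{scheme}://#{host}#{path}"
end

# Scheme the app ends up using for one request under one template setting.
def link_scheme_for(setting, nginx_scheme:, inbound_header: nil)
  app_scheme(forwarded_proto(setting, nginx_scheme: nginx_scheme, inbound_header: inbound_header))
end

# Constructed requests covering the cases that decide which setting is right:
#   plain_edge   nginx is the public edge on :80, nothing upstream sets the header (scenario 1)
#   behind_lb    an SSL-terminating load balancer forwards to nginx on :80 and sets the header (scenario 3)
#   forged_edge  nginx is the public edge on :80 and the client itself sent X-Forwarded-Proto
REQUESTS = {
  plain_edge:  { nginx_scheme: "http", inbound_header: nil,     expected: "http"  },
  behind_lb:   { nginx_scheme: "http", inbound_header: "https", expected: "https" },
  forged_edge: { nginx_scheme: "http", inbound_header: "https", expected: "http"  },
}.freeze

# name => [scheme the app used, whether it matches what the end user should get]
def evaluate(setting)
  REQUESTS.to_h do |name, r|
    scheme = link_scheme_for(setting, nginx_scheme: r[:nginx_scheme], inbound_header: r[:inbound_header])
    [name, [scheme, scheme == r[:expected]]]
  end
end

if __FILE__ == $PROGRAM_NAME
  %i[hardcoded_https passthrough from_scheme].each do |setting|
    puts "#{setting}:"
    evaluate(setting).each do |name, (scheme, ok)|
      puts format("  %-5s %-12s %s", ok ? "ok" : "WRONG", name, universe_link(scheme, "supermarket.example"))
    end
  end
end
```

Running it shows the three outcomes a practitioner needs to keep apart: the hard-coded `https` line produces https links even on a plain :80 host (the bug reported here); `$http_x_forwarded_proto` fixes that and works behind a load balancer, but it repeats whatever the previous hop sent, so when nginx itself is the public edge the scheme comes from the client; deriving the header from `$scheme` is only correct when nginx is that edge and gives wrong links behind an SSL-terminating balancer. The safe configuration therefore depends on the deployment, which is why the thread ends up wanting the template to handle each scenario explicitly.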