codingteam / loglist

Reincarnation of the famous service
https://loglist.xyz/
MIT License

Absolute reverse routed URLs use HTTP instead of HTTPS #182

Closed Minoru closed 3 years ago

Minoru commented 7 years ago

Even though we're using HTTPS throughout the site, Open Graph metadata uses HTTP in the URLs:

```html
<meta property="og:image" content="http://loglist.net/assets/images/gear_400x400.png" />
<meta property="og:url" content="http://loglist.net/quote/8070" />
```

rexim commented 7 years ago

The suggested quotes management URLs are not HTTPS either. I think this is related to how Play Framework reverse routes absolute URLs. I'll take a look into that.

rexim commented 7 years ago

If you open http://loglist.net/assets/images/gear_400x400.png it will redirect you to the HTTPS version. Which is still not that good, because the route of the URL is exposed once before the redirect. I will continue to work on the solution.

rexim commented 7 years ago

https://loglist.net/feed.rss uses the same mechanism. So we have to keep in mind that if we fix that problem, RSS readers may think that there are lots of new entries or something.

ForNeVeR commented 7 years ago

Maybe we should set up our nginx so it'll pass the original URL to Play Framework.

ForNeVeR commented 7 years ago

Check this as a reference nginx configuration (see X-Forwarded-Proto and its usage on the Play side) and this as a guide to preparing proper HTTPS URIs (absoluteURL(request.secure(), request.host()) or something like this seems to do the trick).

rexim commented 7 years ago

@ForNeVeR sounds legit. Thanks!

ForNeVeR commented 3 years ago

I think we've applied the proposed solution long ago. Right now it definitely works on 2.0.0-pre2 deployed to the production server. Closing.
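
A regression check for the symptom reported in this issue, as an added example that is not part of the thread or of the loglist code base: it parses rendered HTML and lists absolute `http://` URLs that point back at the site's own host. The function and class names and the sample markup (built around the two tags quoted in the issue) are constructed for illustration; it covers HTML pages only, not the RSS feed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose attribute may carry an absolute URL (metadata, links, images).
URL_ATTRS = {"meta": "content", "link": "href", "a": "href", "img": "src"}


class _UrlCollector(HTMLParser):
    """Collects (label, url) for every URL-bearing attribute in the page."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):  # also called for <meta ... />
        attr = URL_ATTRS.get(tag)
        values = dict(attrs)
        url = values.get(attr) if attr else None
        if url:
            label = values.get("property") or values.get("rel") or attr
            self.found.append((label, url))


def insecure_self_urls(html, site_host):
    """Return [(label, url)] for absolute http:// URLs that point at site_host."""
    collector = _UrlCollector()
    collector.feed(html)
    hits = []
    for label, url in collector.found:
        parts = urlsplit(url)
        same_host = (parts.hostname or "").lower() == site_host.lower()
        if parts.scheme.lower() == "http" and same_host:
            hits.append((label, url))
    return hits


# Constructed sample page: the two tags from the issue plus unaffected URLs.
SAMPLE = """<html><head>
<meta property="og:image" content="http://loglist.net/assets/images/gear_400x400.png" />
<meta property="og:url" content="http://loglist.net/quote/8070" />
<meta property="og:title" content="LogList" />
<link rel="alternate" href="https://loglist.net/feed.rss" />
</head><body><a href="/quote/8070">permalink</a>
<a href="http://example.org/">external</a></body></html>"""

if __name__ == "__main__":
    for label, url in insecure_self_urls(SAMPLE, "loglist.net"):
        print(f"{label}: {url}")
```

Relative links and plain-HTTP links to other hosts are deliberately ignored, so an empty result means the page no longer emits downgraded URLs for its own host.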