Closed reichertm closed 9 years ago
Hi @reichertm - interesting scenario. Thanks for documenting the workaround. I'm not sure if we should change the `authenticate_with_webhook_key` implementation, do you?
Thinking about it a bit, I wonder if the proxied message should strictly be considered "authenticated", as conceivably this could represent a man-in-the-middle exposure.
I'll close this with no action for now. Let me know if you have ideas on changing the code though..
I didn't read this post thoroughly but I solved the problem I had. I have rails behind nginx+ssl. In order for authenticate_with_webhook_key to work, I use https:// at mandrill and proxy_set_header X-Forwarded-Proto https; at nginx
There are quite a few variables that need to coincide for the issue to surface:

- `app-name.herokuapp.com` -> `https://www.app-name.com`
- Cloudflare's Flexible SSL (traffic from the internet to Cloudflare goes over SSL, but traffic from Cloudflare to Heroku goes in plain HTTP).

In the given setup the `authenticate_with_webhook_key` filter always fails, as the `request.original_url` used to calculate the expected signature gives the `http://...` URL while Mandrill sends requests to the `https://...` URL.

For now I solved the issue by writing a replacement for the `authenticate_with_webhook_key` method that passes the 'correct' URL to `Mandrill::WebHook::Processor.authentic?()`.

Also, if someone doesn't mind his app being accessible through the `*.herokuapp.com` URL, he could point the webhook to that URL and it would work fine.
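The mismatch described in this issue, shown as an added stand-alone Ruby example (not the mandrill-rails gem's code): Mandrill's documented signature is an HMAC-SHA1 over the webhook URL plus the sorted POST parameters, so a verifier that rebuilds the URL from the proxied `http://` request computes a different value than the `https://` URL Mandrill signed. The webhook key, host and path below are constructed; `signed_url_for` assumes the proxy sets `X-Forwarded-Proto`, and prefers an explicitly configured public base URL because forwarded headers are only trustworthy when the proxy is known to overwrite them.

```ruby
require 'openssl'
require 'base64'

# Mandrill's documented scheme: HMAC-SHA1 over the webhook URL followed by the POST
# params sorted by key (key then value concatenated), base64 encoded.
def mandrill_signature(webhook_key, url, params)
  signed_data = url.dup
  params.sort.each { |k, v| signed_data << k.to_s << v.to_s }
  Base64.strict_encode64(OpenSSL::HMAC.digest('sha1', webhook_key, signed_data))
end

# Constant-time comparison so the check does not leak timing information.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Rebuild the URL Mandrill actually signed. Behind a TLS-terminating proxy the app
# sees http://..., so take the scheme from X-Forwarded-Proto, or better, from a
# configured public base URL that cannot be influenced by the request.
def signed_url_for(env, public_base: nil)
  return "#{public_base}#{env['PATH_INFO']}" if public_base
  scheme = env['HTTP_X_FORWARDED_PROTO'] || env['rack.url_scheme']
  "#{scheme}://#{env['HTTP_HOST']}#{env['PATH_INFO']}"
end

def authentic_webhook?(env, params, webhook_key, public_base: nil)
  expected = mandrill_signature(webhook_key, signed_url_for(env, public_base: public_base), params)
  secure_compare(env['HTTP_X_MANDRILL_SIGNATURE'].to_s, expected)
end

WEBHOOK_KEY = 'constructed-example-key'        # constructed, not a real Mandrill key
PARAMS      = { 'mandrill_events' => '[]' }     # Mandrill's POST body key
PUBLIC_URL  = 'https://www.app-name.com/inbox'  # the URL configured at Mandrill

# Reproduces the issue: Mandrill signs the https URL, the app receives plain http.
def demo
  sig = mandrill_signature(WEBHOOK_KEY, PUBLIC_URL, PARAMS)
  env = { 'rack.url_scheme' => 'http', 'HTTP_HOST' => 'www.app-name.com',
          'PATH_INFO' => '/inbox', 'HTTP_X_MANDRILL_SIGNATURE' => sig }
  naive_url = "#{env['rack.url_scheme']}://#{env['HTTP_HOST']}#{env['PATH_INFO']}"
  {
    naive:      secure_compare(sig, mandrill_signature(WEBHOOK_KEY, naive_url, PARAMS)),
    forwarded:  authentic_webhook?(env.merge('HTTP_X_FORWARDED_PROTO' => 'https'), PARAMS, WEBHOOK_KEY),
    configured: authentic_webhook?(env, PARAMS, WEBHOOK_KEY, public_base: 'https://www.app-name.com')
  }
end
```

`demo` returns `naive: false` (the original_url-based check fails) and `true` for both the forwarded-header and configured-base variants.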