jvandal / modwsgi

Automatically exported from code.google.com/p/modwsgi

Support for fixing up host/scheme when using proxy in front of Apache. #133

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
When using a server such as nginx in front of Apache, with nginx handling HTTPS and Apache only taking HTTP, then whether the original connection was HTTP or HTTPS is lost. Similarly, if the host isn't preserved from nginx, then the internal name of Apache is used as the server host and not the external facing nginx. This can cause problems with URL construction.

Such servers allow special HTTP headers to be passed through which indicate what the original host and protocol were. To make use of these requires a WSGI middleware to fix up the HTTP_HOST and wsgi.url_scheme attributes in the WSGI environment.

To make this easier and take the need to do this off the user, should add directives which allow it to be indicated that this sort of proxying arrangement is being used. Thus, allow:

  WSGIForwardedHost X-Forwarded-Host
  WSGIForwardedProto X-Forwarded-Proto

The directive enables the particular fixup, with the argument being the name of the HTTP header being sent by the proxy. The value is configurable as there appear to be different conventions.

Also perhaps need to look at X-Forwarded-For for fixing up REMOTE_ADDR.

Question though is what to do with the original values. Some suggest preserving them as ORIGINAL_HTTP_HOST and ORIGINAL_REMOTE_ADDR. Assumed I guess that original scheme would be http.

Original issue reported on code.google.com by Graham.Dumpleton@gmail.com on 24 Feb 2009 at 7:01

GoogleCodeExporter commented 8 years ago
Apparently X-Forwarded-SSL is also used, which is set to 'on' when proxy used SSL.

Original comment by Graham.Dumpleton@gmail.com on 8 Mar 2009 at 2:24

GoogleCodeExporter commented 8 years ago
Some MS software apparently uses Front-End-Https. Don't really care about it though.

Original comment by Graham.Dumpleton@gmail.com on 8 Mar 2009 at 2:32

GoogleCodeExporter commented 8 years ago
Paste also seems to have invented use of X-Forwarded-Scheme instead of using X-Forwarded-Proto.

Original comment by Graham.Dumpleton@gmail.com on 8 Mar 2009 at 2:48

GoogleCodeExporter commented 8 years ago
Decided not to take any action on this.

Many Python web frameworks have support for these headers already embedded in them making it in part pointless.

What may be better is a way for the administrator to define a special hook function which can be used to modify the WSGI environment before it is passed to the user's WSGI application. Alternatively, provide a way as previously considered for the administrator to provide a WSGI wrapper which sits around the WSGI application and can modify both the WSGI environment as well as the response.

Original comment by Graham.Dumpleton@gmail.com on 12 Mar 2009 at 5:14
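
A sketch of the WSGI wrapper approach discussed in this thread, added here as an example; it is not mod_wsgi code or code from the issue author. The class name `ForwardedFixup` and the `TRUSTED_PROXIES` list are assumptions. Because a client can send these headers itself, the fixup is applied only when the connecting peer is the known proxy, and the headers are discarded otherwise.

```python
import ipaddress

# Assumption: the front-end proxy (e.g. nginx) connects from these addresses.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]

class ForwardedFixup:
    """WSGI wrapper that fixes up host, scheme and client address."""

    def __init__(self, app, trusted=TRUSTED_PROXIES, host_header="X-Forwarded-Host",
                 proto_header="X-Forwarded-Proto", for_header="X-Forwarded-For"):
        self.app = app
        self.trusted = trusted
        # WSGI exposes request header "X-Foo-Bar" as environ key "HTTP_X_FOO_BAR".
        self.host_key, self.proto_key, self.for_key = (
            "HTTP_" + h.upper().replace("-", "_")
            for h in (host_header, proto_header, for_header))

    def _from_proxy(self, environ):
        try:
            peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
        except ValueError:
            return False
        return any(peer in net for net in self.trusted)

    def fixup(self, environ):
        if not self._from_proxy(environ):
            # Direct client: the headers are client-supplied, so drop them.
            for key in (self.host_key, self.proto_key, self.for_key):
                environ.pop(key, None)
            return environ
        host = environ.get(self.host_key, "").split(",")[-1].strip()
        if host:
            environ["ORIGINAL_HTTP_HOST"] = environ.get("HTTP_HOST", "")
            environ["HTTP_HOST"] = host
        proto = environ.get(self.proto_key, "").split(",")[-1].strip().lower()
        if proto in ("http", "https"):
            environ["wsgi.url_scheme"] = proto
        # The right-most entry is the one appended by the trusted proxy itself.
        client = environ.get(self.for_key, "").split(",")[-1].strip()
        try:
            ipaddress.ip_address(client)
        except ValueError:
            return environ
        environ["ORIGINAL_REMOTE_ADDR"] = environ["REMOTE_ADDR"]
        environ["REMOTE_ADDR"] = client
        return environ

    def __call__(self, environ, start_response):
        return self.app(self.fixup(environ), start_response)
```
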

GoogleCodeExporter commented 8 years ago
FWIW, future Apache may have a module which handles X-Forwarded-For fixups. Module is currently in sandbox.

  http://svn.apache.org/repos/asf/httpd/sandbox/mod_remoteip/README

Original comment by Graham.Dumpleton@gmail.com on 1 Apr 2009 at 12:13