tonycoco / heroku-buildpack-ember-cli

A Heroku Buildpack for Ember CLI Applications
MIT License

Use `TRUSTED_PROTOCOL_HEADER` with `FORCE_HTTPS` #117

Closed jclem closed 8 years ago

jclem commented 8 years ago

On Heroku, passing any value that matches the expression /http/ in the "CF-Visitor" header bypasses SSL enforcement. This could be mitigated by setting and checking for the provider or forwarded protocol header in an environment variable.

I realize this is an unlikely occurrence, but there's no reason not to protect against it.

tonycoco commented 8 years ago

Got a PR to fix the issue, @jclem?

jclem commented 8 years ago

Not yet, as there's a design discussion to be had here, I think. Specifying the header seems tricky as the template compiler would have to convert CF-Visitor to cf_visitor, for example. We could ask that it be passed in the format cf_visitor or x_forwarded_proto, I guess.

Another option is to accept a PLATFORM variable, or TRUST_FORWARDED_PROTOCOL_FROM variable. I'm not sure what the best option is, but TRUST_FORWARDED_PROTOCOL_FROM seems explicit, if less flexible than allowing the user to specify a header.

I guess for the first pass at this my vote is for the safest option, asking for TRUSTED_PROTOCOL_HEADER with a value formatted for Nginx config, such as cf_visitor.
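The following is an added example, not code from this thread or from the buildpack. It models the check described in the issue (any `CF-Visitor` value matching `/http/` counts as secure) beside a check that reads only the header named by `TRUSTED_PROTOCOL_HEADER`. The function names, the strict parsing rules and the sample requests are assumptions made for illustration.

```python
import json
import re


def nginx_var_name(header):
    """Convert a header name (CF-Visitor) to the Nginx-style form (cf_visitor)."""
    return header.strip().lower().replace("-", "_")


def normalize(raw_headers):
    """Key request headers the way Nginx exposes them ($http_<name>)."""
    return {nginx_var_name(k): v for k, v in raw_headers.items()}


def naive_is_secure(headers):
    """Behaviour reported in the issue: /http/ anywhere in CF-Visitor passes."""
    return re.search(r"http", headers.get("cf_visitor", "")) is not None


def scheme_from(var, value):
    """Extract the scheme strictly instead of pattern-matching the raw value."""
    if var == "cf_visitor":
        # Cloudflare sends JSON such as {"scheme":"https"}
        try:
            parsed = json.loads(value)
        except ValueError:
            return None
        return parsed.get("scheme") if isinstance(parsed, dict) else None
    # Plain headers such as X-Forwarded-Proto carry the scheme directly
    return value.strip().lower()


def strict_is_secure(headers, trusted_header):
    """Consult only the configured header; every other header is ignored.

    Assumption: the platform in front of the app sets this header itself,
    so a client cannot supply its own value for it.
    """
    var = nginx_var_name(trusted_header)
    value = headers.get(var)
    return value is not None and scheme_from(var, value) == "https"


# Constructed sample: plain-HTTP request on Heroku with a client-supplied CF-Visitor
spoofed = normalize({"X-Forwarded-Proto": "http", "CF-Visitor": "http"})

if __name__ == "__main__":
    print("naive :", naive_is_secure(spoofed))                        # treated as secure
    print("strict:", strict_is_secure(spoofed, "x_forwarded_proto"))  # redirect to HTTPS
```
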

jclem commented 8 years ago

Converted to a PR with TRUSTED_PROTOCOL_HEADER to get discussion going. Not sure this is right, but it's one possible solution.

tonycoco commented 8 years ago

This clashes with a bunch of work for Cloudflare. I'm going to close it and maybe we can work on it in another PR.