Closed jclem closed 8 years ago
Got a PR to fix the issue, @jclem?
Not yet, as there's a design discussion to be had here, I think. Specifying the header seems tricky as the template compiler would have to convert CF-Visitor
to cf_visitor
, for example. We could ask that it be passed in the format cf_visitor
or x_forwarded_proto
, I guess.
Another option is to accept a PLATFORM
variable, or TRUST_FORWARDED_PROTOCOL_FROM
variable. I'm not sure what the best option is, but TRUST_FORWARDED_PROTOCOL_FROM
seems explicit, if less flexible than allowing the user to specify a header.
I guess for the first pass at this my vote is for the safest option, asking for TRUSTED_PROTOCOL_HEADER
with a value formatted for Nginx config, such as cf_visitor
.
Converted to a PR with TRUSTED_PROTOCOL_HEADER
to get discussion going. Not sure this is right, but it's one possible solution.
This clashes with a bunch of work for Cloudflare. I'm going to close it and maybe we can work on it in another PR.
On Heroku, passing any value that matches the expression
/http/
in the "CF-Visitor" header bypasses SSL enforcement. This could be mitigated by setting and checking for the provider or forwarded protocol header in an environment variable.I realize this is an unlikely occurrence, but there's no reason not to protect against it.