yookoala / gofast

gofast is a FastCGI "client" library written purely in go
BSD 3-Clause "New" or "Revised" License

HTTPS param only works when the connection handles TLS #47

Closed ruudk closed 4 years ago

ruudk commented 4 years ago

If you run gofast behind a loadbalancer that handles TLS, it will not properly check for HTTPS.

https://github.com/yookoala/gofast/blob/916e38d1de9d857305d578ab6343bff075bb288a/session.go#L105-L108

What would be the best way to solve this?

yookoala commented 4 years ago

I don't currently have a loadbalancer setup, so I cannot actually test with it. For the default implementation of this library, I would consider: in a similar situation in another server stack (e.g. Reverse Proxy server - Apache - PHPFPM), how would the server behave?

If you consider the actual protocols running between your different layers, it would probably look like this:

              fastcgi                        HTTP                       HTTPS
Application ----------- Web Server (Go) -------------- Load Balancer ------------- Client

I'd presume the Golang webserver should format the request object as the request is. So if the request from the loadbalancer to the server is HTTP, it should not check for HTTPS as "On". And it would be right to do so. The web server should have no information about the request received by the loadbalancer. It should only work according to the actual request it gets.

So I think for our default BasicParamsMap, I'd probably keep the current behaviour (unless there is a strong case to change it otherwise).

How are others dealing with this reverse proxy issue?

This is not a new problem. For PaaS services like Heroku, their client applications are behind their loadbalancer. Thus their applications would always get HTTP requests, even if the client is visiting with the HTTPS protocol.

To hint at the proxied request's protocol, Heroku's proxy is adding extra "X-Forwarded-*" headers for their users. So in the PHP application, the $_SERVER["HTTPS"] variable would still be undefined, but $_SERVER["HTTP_X_FORWARDED_PROTO"] would tell PHP what the reverse proxy is handling in front.

Suggestion

So if the default BasicParamsMap is not changed, I can see 2 ways to deal with this:

  1. You may configure / program the loadbalancer to send something like those X-Forwarded-* headers to your go web server. And your go web server can pass on those headers to the FCGI application; or
  2. You can write your own gofast.Middleware to handle the situation (e.g. always mark HTTPS to be "on"). gofast is written in a way so that you may easily program the behaviour of your web server without reimplementing everything. You may simply add another middleware after BasicParamsMap with the HTTPS parameter set in the way you like.
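
A sketch of the decision logic such a middleware needs, as an added example that is not part of the original comment or of gofast's own code. It goes one step beyond the suggestion by honouring X-Forwarded-Proto only when the direct peer is the load balancer. It uses the standard library only; the 10.0.0.0/8 range, the function names, and the idea of calling it from a gofast.Middleware placed after BasicParamsMap with the request's raw *http.Request and params map are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// Constructed example: the network the load balancer connects from.
var _, trustedLB, _ = net.ParseCIDR("10.0.0.0/8")

// fromLB reports whether the direct TCP peer is the trusted load balancer.
func fromLB(r *http.Request) bool {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return false
	}
	ip := net.ParseIP(host)
	return ip != nil && trustedLB.Contains(ip)
}

// ApplyForwardedHTTPS sets the CGI HTTPS param for requests whose TLS was
// terminated at the load balancer. Call it after the basic params are filled.
func ApplyForwardedHTTPS(r *http.Request, params map[string]string) {
	if !fromLB(r) {
		// Any other peer could forge the header: drop it so a later
		// header-mapping step does not pass it on to the application.
		r.Header.Del("X-Forwarded-Proto")
		return
	}
	if strings.EqualFold(r.Header.Get("X-Forwarded-Proto"), "https") {
		params["HTTPS"] = "on"
	}
}

// paramsFor builds a constructed request and returns the resulting params.
func paramsFor(remoteAddr, proto string) map[string]string {
	r, _ := http.NewRequest("GET", "http://app.example/", nil)
	r.RemoteAddr = remoteAddr
	r.Header.Set("X-Forwarded-Proto", proto)
	params := map[string]string{}
	ApplyForwardedHTTPS(r, params)
	return params
}

func main() {
	fmt.Println(paramsFor("10.0.0.5:41000", "https"))    // from the load balancer
	fmt.Println(paramsFor("203.0.113.9:41000", "https")) // header sent by a direct client
}
```

The application then sees HTTPS set to "on" only for requests that arrived through the load balancer with X-Forwarded-Proto: https.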

yookoala commented 4 years ago

This question has been inactive for a while. I'm closing it now. If you think this is a mistake, please comment below and I'll be reopening this in no time.