* (ad_restrict_to_https) in acs-tcl/tcl/admin-procs.tcl,
* (ad_secure_conn_p) in acs-tcl/tcl/security-procs.tcl and
* (util_current_location) in acs-tcl/tcl/utilities-procs.tcl
to accept proxied HTTPS requests forwarded by a proxy such as Pound,
Squid or Apache as regular HTTPS requests.

Most proxies forward incoming HTTPS requests as HTTP requests to the
backend. At least Pound does. Forwarded HTTPS requests are marked by
an additional HTTP header `X-SSL-Request: true'. Pound can be
configured to remove any X-SSL-Request headers that are part of the
incoming HTTP(S) request to the proxy itself (Pound) to avoid `Man in
the Middle' attacks.

The proposed modification adds checks to the aforementioned procedures
to treat HTTP requests (as received by the OpenACS instance) on par with
HTTPS requests.

I made these modifications a long time ago to ACS 4 and they have
been tested in production. In the past 2 days 2 community members
contacted me requesting these patches. I think that is enough of
a basis to propose inclusion in OpenACS core.

For added security one could also add the IP address of the proxy as a
new parameter to OpenACS. One can then check the `X-Forwarded-For'
header in addition to the `X-SSL-Request' header. Only if the
X-Forwarded-For IP address matches the configured IP address will the
connection be treated as secure. However, this involves a more
substantial change and requires upgrade scripts to the data model.
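
One way to express the check described above, including the restriction to a known proxy, as an added example in plain Tcl; it is not the proposed OpenACS patch. The proc name, its arguments and the sample addresses are assumptions, the caller is assumed to supply the headers and connection details from the server API, and the example identifies the proxy by the connection's peer address rather than by reading X-Forwarded-For.

```tcl
# Added example: runs under plain tclsh. All names are hypothetical.
#
# Decide whether a request that reached the backend counts as HTTPS.
#   driver_secure_p - 1 if the backend itself terminated TLS
#   headers         - flat list of header name/value pairs as received
#   peer_addr       - source address of the TCP connection to the backend
#   trusted_proxies - addresses allowed to assert X-SSL-Request
proc proxied_secure_conn_p {driver_secure_p headers peer_addr trusted_proxies} {
    if {$driver_secure_p} {
        return 1
    }
    # Only a configured proxy may vouch for the original scheme; a client
    # that reaches the backend directly can send any header it likes.
    if {[lsearch -exact $trusted_proxies $peer_addr] < 0} {
        return 0
    }
    # Header names are case-insensitive; collect every X-SSL-Request value.
    set values {}
    foreach {name value} $headers {
        if {[string equal -nocase $name "X-SSL-Request"]} {
            lappend values [string tolower [string trim $value]]
        }
    }
    # Require exactly one header with the value "true". A duplicate means
    # the proxy did not strip the client's own copy, so it is rejected.
    return [expr {[llength $values] == 1 && [lindex $values 0] eq "true"}]
}

# Constructed sample requests (addresses from the documentation ranges).
set proxies {192.0.2.10}
foreach {label driver hdrs peer} {
    "direct HTTPS"           1 {}                                       198.51.100.7
    "via proxy, HTTPS"       0 {X-SSL-Request true}                     192.0.2.10
    "via proxy, plain HTTP"  0 {Host example.test}                      192.0.2.10
    "header, unknown peer"   0 {X-SSL-Request true}                     198.51.100.7
    "duplicate header"       0 {X-SSL-Request true x-ssl-request false} 192.0.2.10
} {
    set secure_p [proxied_secure_conn_p $driver $hdrs $peer $proxies]
    puts [format "%-24s -> %d" $label $secure_p]
}
```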