Forum OpenACS Improvement Proposals (TIPs): TIP#154 Add AllowHTTPSRedirects parameter to acs-tcl

Collapse
1: TIP#154 Add AllowHTTPSRedirects parameter to acs-tcl
Posted by Dave Bauer on 02/13/12 02:06 AM
If HTTPS is handled by a proxy such as nginx, security::locations won't enable the HTTPS protocol as a valid location for internal redirects.

This parameter forces HTTPS as a valid protocol in security::locations when nsopenssl is disabled but HTTPS is handled by a proxy.

Collapse
2: Re: TIP#154 Add AllowHTTPSRedirects parameter to acs-tcl (response to 1)
Posted by Torben Brosten on 02/13/12 04:05 AM
Does this need to be TIPed if the default behavior is unaffected?
Collapse
3: Re: TIP#154 Add AllowHTTPSRedirects parameter to acs-tcl (response to 1)
Posted by Victor Guerra on 02/13/12 03:28 PM
https://openacs.org/forums/message-view?message_id=3853778

Or yes.. it could be a package parameter. The question would be if acs-tcl is the right package for that. acs-subsite and acs-kernel have also SSL related parameters.

Collapse
4: Re: TIP#154 Add AllowHTTPSRedirects parameter to acs-tcl (response to 3)
Posted by Dave Bauer on 02/13/12 03:45 PM
Originally I suspectd a config.tcl parameter since that is where nsopenssl is configured so the SSL determination is always defined there, and its consistent.

Obviously its easier to configure with a package parameter, but this makes more sense to me in the config file, since it really is defining the configuration of the server, and the package defines its behavior from that, we are not really modifying the package behavior.

Overall I don't see as a big point. Victor if you can provide the code that would be great. Thanks

Collapse
5: Re: TIP#154 Add AllowHTTPSRedirects parameter to acs-tcl (response to 1)
Posted by Byron Linares on 02/13/12 08:08 PM
Some time ago I proposed a solution to this issue and is what we have working in our OpenACS installation

https://openacs.org/forums/message-view?message_id=2856871

Collapse
6: Re: TIP#154 Add AllowHTTPSRedirects parameter to acs-tcl (response to 1)
Posted by Torben Brosten on 02/13/12 08:29 PM
Hi Byron,

I remember that.

I don't see it in the system, so I assumed you decided not to contribute it.

If it is already in the system, where is it?

Victor's solution includes modifying the headers. This is important for some cases.

FWIW, making it a config.tcl setting may be best afterall, if it's also modifying http headers (and affecting multiple packages)

cheers,