Welcome! Log In Create A New Profile

Advanced

Re: [PATCH] SPDY: set $scheme from scheme request header

January 30, 2014 01:50AM
On Jan 30, 2014, at 3:18 , Ragnar Rova wrote:

> Was a bit too quick with example, meant the 443 server does not have such a rewrite, that would mean a loop.
>
> server {
> listen 1.2.3.4:443 ssl spdy;
>
> location / {
> # this location is reachable using a http:// url when using spdy. If so, we want a redirect to the https:// url. How?
> }
> }

server {
listen 1.2.3.4:443 ssl spdy;

location / {
error_page 497 =301 https://mysite.com$request_uri;
...
}

http://nginx.org/en/docs/http/ngx_http_ssl_module.html#errors
http://nginx.org/en/docs/http/ngx_http_core_module.html#error_page

As to "http://" URLs over SPDY, this is impossible now since no browser support this.


--
Igor Sysoev
http://nginx.com


> On Thu, Jan 30, 2014 at 12:16 AM, Ragnar Rova <rr@mima.x.se> wrote:
> Sorry, my mistake, I was introducing a vulnerability by this.
>
> So, without the patch, how do I setup the redirect from http to https urls when a http url was visited over spdy/tls?
>
> I have
>
> server {
> listen 1.2.3.4:80;
>
> location ~ ^/(path1|path2)$ {
> rewrite ^/(.*)$ https://mysite.com/$1 permanent;
> break;
> }
>
> location / {
> add_header Alternate-Protocol 443:npn-spdy/2;
> }
> }
>
> server {
> listen 1.2.3.4:443 ssl spdy;
>
> location ~ ^/(path1|path2)$ {
> rewrite ^/(.*)$ https://mysite.com/$1 permanent;
> break;
> }
>
> location / {
> # this location is reachable using a http:// url when using spdy. If so, we want a redirect to the https:// url. How?
> }
> }
>
>
> On Wed, Jan 29, 2014 at 11:36 PM, Valentin V. Bartenev <vbart@nginx.com> wrote:
> On Wednesday 29 January 2014 23:06:40 Ragnar Rova wrote:
> > # HG changeset patch
> > # User Ragnar Rova <ragnar.rova@gmail.com>
> > # Date 1391033075 -3600
> > # Wed Jan 29 23:04:35 2014 +0100
> > # Node ID 6654eae26c8b2a718e5ad116650faf37f7be7aa9
> > # Parent 01e2a5bcdd8f65f4f7bcb23ac35911da08e5945f
> > SPDY: set $scheme from scheme request header.
> >
> > $scheme variable is always "https" when using spdy, existing code
> > just sets scheme to https based on if we are on a ssl connection.
>
> Yes, and it is intentionally.
>
> > In spdy, there is a scheme header which should be used.
>
> There is nothing special about spdy, the scheme also can be passed using
> request line in plain http or https, and nginx ignores it too.
>
> > Chrome uses http:// urls when establishing connections to sites using the
> > Alternate-Protocol header. If you want some locations to be visible
> > to the user as https, you can use $scheme in a http to https
> > redirect rule.
>
> You can use it without this change. But the patch converts $scheme from
> a configuration restricted variable into an untrusted one (which can contain
> arbitrary value sent by client).
>
> wbr, Valentin V. Bartenev
>
> _______________________________________________
> nginx-devel mailing list
> nginx-devel@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel
>
>
> _______________________________________________
> nginx-devel mailing list
> nginx-devel@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
Subject Author Views Posted

[PATCH] SPDY: set $scheme from scheme request header

Ragnar Rova 1180 January 29, 2014 05:08PM

Re: [PATCH] SPDY: set $scheme from scheme request header

Valentin V. Bartenev 473 January 29, 2014 05:38PM

Re: [PATCH] SPDY: set $scheme from scheme request header

Ragnar Rova 413 January 29, 2014 06:18PM

Re: [PATCH] SPDY: set $scheme from scheme request header

Ragnar Rova 420 January 29, 2014 06:20PM

Re: [PATCH] SPDY: set $scheme from scheme request header

Igor Sysoev 675 January 30, 2014 01:50AM

Re: [PATCH] SPDY: set $scheme from scheme request header

Ragnar Rova 484 January 30, 2014 03:08AM

Re: [PATCH] SPDY: set $scheme from scheme request header

Igor Sysoev 760 January 30, 2014 03:58AM

Re: [PATCH] SPDY: set $scheme from scheme request header

Ragnar Rova 503 January 30, 2014 04:06AM

Re: [PATCH] SPDY: set $scheme from scheme request header

Valentin V. Bartenev 524 January 30, 2014 05:46AM

Re: [PATCH] SPDY: set $scheme from scheme request header

Ragnar Rova 880 January 30, 2014 08:02AM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 145
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 500 on July 15, 2024
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready