Hello!
On Mon, Mar 02, 2015 at 03:32:03PM +0100, Michael Kliewe wrote:
> Hi Maxim,
>
> On Mar 2, 2015, at 3:14 PM, Maxim Dounin wrote:
>
> > Hello!
> >
> > On Mon, Mar 02, 2015 at 01:12:44PM +0100, Michael Kliewe
> > wrote:
> >
> >> with your changes there is a problem:
> >> nginx now just sends the header if the connection is
> >> encrypted. If the connection is not encrypted, then there is
> >> no header sent to the auth script.
> >> In the auth script I cannot distinguish between "user did not
> >> use encryption" and "nginx doesn't have the feature" (because
> >> of mixed nginx versions).
> >> With the original version of the patch this was possible.
> >
> > Try updating all your nginx instances before using the header
> > for something limiting, it is expected to resolve your
> > problem.
> >
> > Either way, the only safe thing to do if "nginx doesn't have
> > the feature" is to assume there is no SSL if SSL matters. And
> > that's what current behaviour encourages.
>
> You are kind of right, but currently I'm distinguishing between
> "encrypted", "not-encrypted" and "unknown", because we have
> different versions of nginx in different setups. I cannot update
> all nginx versions in parallel in all setups. That's why your
> tip does not help me ;-/
> I need to distinguish between "not-encrypted" and "unknown",
> because I want to warn all users still using not-encrypted
> connections. With your patch I cannot distinguish between them,
> and would send false warnings...
So switch off warnings till the update is complete. That's an
easy way to go.
Alternatively, you may use the "auth_http_header" directive
(http://nginx.org/r/auth_http_header) to distinguish between
various installations.
> Would it be complicated to send "Auth-SSL: off" in case there
> was no encryption? It's just one "else" more, and solves all
> problems.
You are trying to solve your particular deployment problem by
introducing the flag which will be here for all users forever.
This doesn't looks like a good solution to me.
--
Maxim Dounin
http://nginx.org/
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
