https_fixup.py

Mads Kiilerich mads at kiilerich.com
Tue Oct 21 10:52:49 EDT 2014


Nice research, Jim. It should be integrated in the documentation (and 
code) somehow so we can benefit from it.

My main point is just that considering that we are using a stack with web 
server and WSGI, we should push towards doing everything in the right 
place. To set the expectations right: The workarounds in Kallithea 
should just be last resort and only be minimal support for the most 
common cases.

And ...

On 10/07/2014 06:38 PM, Jim Hague wrote:
> On Tuesday 07 Oct 2014 16:46:25 Mads Kiilerich wrote:
>>> 2. https_fixups. Check for headers X-Url-Scheme, X-Forwarded-Scheme or
>>>    X-Forwarded-Proto in the request and if found use that protocol.
>> PasteDeploy also seems to be able to do this in PrefixMiddleware.
> True. It looks like merely enabling proxy-prefix filter will use
> X-Forwarded-Scheme or X-Forwarded-Proto by default, and you can set 'scheme' to force. So
> we could just modify the docs to use proxy-prefix and avoid needing to update
> Waitress. However, that drags another component into the processing. Perhaps
> it would be better to do it in Waitress.
>
> Looking at other apps, Django and Flask also recognise X-Forwarded-Proto. Among
> the WSGI servers GUnicorn, CherryPy and Tornado do. As far as I can see, uWSGI
> only allows HTTPS to be forced. Those are all I've looked at so far.
>
> In other words, FWIW, X-Forwarded-Proto looks like something close to a
> de-facto standard.

Ok. We should document it as something that is "close to a de-facto 
standard". AFAICS it is more like a common convention that usually 
requires matching manual configuration.

> BTW, the current proxy setup in the docs, which sets environment HTTPS, works
> on Paste but not on Waitress. We should definitely switch that example to
> X-Forwarded-Proto.

Hmm. Yeah, something is wrong. The examples in the documentation don't 
make sense. Apache SetEnvIf will set an environment variable - setting 
HTTPS=1 will make mod_wsgi set wsgi.url_scheme=https. SetEnvIf will 
however not do anything in a proxy section. Instead, the examples should 
show some RequestHeader mangling, probably using X-Forwarded-Proto. Do 
you agree?

> Looking at the history, it appears Waitress is the default because it works
> properly with git.

Because chunked requests? I thought most proxies did store-and-forward 
of requests and thus de-chunked requests?

/Mads
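
The point above about X-Forwarded-Proto needing matching configuration, as an added example (not part of the original message and not Kallithea's https_fixup code): a WSGI middleware that applies the header checks listed in the thread only when the request arrives from a configured proxy address. The class name, the `trusted_proxies` parameter, the helper function and the sample addresses are assumptions of this example.

```python
import ipaddress

# Header names from the thread, as WSGI environ keys, in the order listed there.
SCHEME_HEADERS = ("HTTP_X_URL_SCHEME", "HTTP_X_FORWARDED_SCHEME",
                  "HTTP_X_FORWARDED_PROTO")


class TrustedProxySchemeFixup:
    """Set wsgi.url_scheme from forwarded-scheme headers, but only when the
    direct peer is a known reverse proxy (hypothetical class, not Kallithea's)."""

    def __init__(self, app, trusted_proxies=("127.0.0.1/32",)):
        self.app = app
        self.trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def _from_trusted_proxy(self, environ):
        try:
            peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
        except ValueError:
            return False  # missing or non-IP peer (e.g. unix socket): do not trust
        return any(peer in net for net in self.trusted)

    def __call__(self, environ, start_response):
        trusted = self._from_trusted_proxy(environ)
        scheme = None
        for key in SCHEME_HEADERS:
            # Always consume the headers so the app relies on wsgi.url_scheme only.
            value = environ.pop(key, "").strip().lower()
            if trusted and scheme is None and value in ("http", "https"):
                scheme = value
        if scheme:
            environ["wsgi.url_scheme"] = scheme
        return self.app(environ, start_response)


def scheme_seen_by_app(remote_addr, headers):
    """Send one constructed request through the middleware and report the
    scheme the wrapped app sees plus any scheme headers that reached it."""
    seen = {}

    def app(environ, start_response):
        seen["scheme"] = environ["wsgi.url_scheme"]
        seen["leaked"] = [k for k in SCHEME_HEADERS if k in environ]
        start_response("200 OK", [])
        return [b""]

    environ = {"REMOTE_ADDR": remote_addr, "wsgi.url_scheme": "http", **headers}
    TrustedProxySchemeFixup(app)(environ, lambda status, hdrs: None)
    return seen["scheme"], seen["leaked"]
```

The proxy in front still has to overwrite these headers on every request it forwards; otherwise a value sent by the client passes through a trusted address unchanged.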

