changeset 4448:8e26c46e9abe
https: introduce https_fixup config setting to enable the special https hacks
Without https_fixup, correctly configured WSGI systems work correctly.
The https_fixup middleware will only be loaded when enabled in the configuration.
author | Mads Kiilerich <madski@unity3d.com> |
date | Tue, 12 Aug 2014 13:08:23 +0200 |
parents | e30401bac6e1 |
children | 1337ada582a1 |
files | docs/setup.rst kallithea/config/middleware.py kallithea/lib/base.py kallithea/lib/middleware/simplegit.py kallithea/lib/middleware/simplehg.py |
diffstat | 5 files changed, 19 insertions(+), 16 deletions(-) [+] |
--- a/docs/setup.rst Tue Aug 12 13:08:23 2014 +0200
+++ b/docs/setup.rst Tue Aug 12 13:08:23 2014 +0200
@@ -514,13 +514,15 @@
 HTTPS support
 -------------
 
-There are two ways to enable https:
+Kallithea will by default generate URLs based on the WSGI environment.
+
+Alternatively, you can use some special configuration settings to control
+directly which scheme/protocol Kallithea will use when generating URLs:
 
-- Set HTTP_X_URL_SCHEME in your http server headers, than Kallithea will
-  recognize this headers and make proper https redirections
-- Alternatively, change the `force_https = true` flag in the ini configuration
-  to force using https, no headers are needed than to enable https
-
+- With `https_fixup = true`, the scheme will be taken from the HTTP_X_URL_SCHEME,
+  HTTP_X_FORWARDED_SCHEME or HTTP_X_FORWARDED_PROTO HTTP header (default 'http').
+- With `force_https = true` the default will be 'https'.
+- With `use_htsts = true`, it will set Strict-Transport-Security when using https.
 
 Nginx virtual host example
 --------------------------
--- a/kallithea/config/middleware.py Tue Aug 12 13:08:23 2014 +0200
+++ b/kallithea/config/middleware.py Tue Aug 12 13:08:23 2014 +0200
@@ -92,7 +92,8 @@
     app = StatusCodeRedirect(app, [400, 401, 403, 404, 500])
 
     #enable https redirets based on HTTP_X_URL_SCHEME set by proxy
-    app = HttpsFixup(app, config)
+    if any(asbool(config.get(x)) for x in ['https_fixup', 'force_ssl', 'use_htsts']):
+        app = HttpsFixup(app, config)
 
     # Establish the Registry for this application
     app = RegistryManager(app)
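Review bot: The gate on the new `if` line tests the key `force_ssl`, while the docs hunk in this same changeset and the pre-existing setting name it `force_https`; if HttpsFixup reads `force_https` (its source is not part of this changeset), a deployment that sets only `force_https = true` will no longer load the middleware at all, silently dropping the documented behaviour. Suggest `if any(asbool(config.get(x)) for x in ['https_fixup', 'force_https', 'use_htsts']):`, or listing both spellings if both are accepted elsewhere. The comment above still describes the old unconditional load; `# HttpsFixup derives the scheme from proxy-set X-Url-Scheme/X-Forwarded-* headers; only load it when one of its settings is enabled` would match the new code. The enclosing function starts and ends outside the hunk.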
--- a/kallithea/lib/base.py Tue Aug 12 13:08:23 2014 +0200
+++ b/kallithea/lib/base.py Tue Aug 12 13:08:23 2014 +0200
@@ -213,18 +213,18 @@
     def _get_ip_addr(self, environ):
         return _get_ip_addr(environ)
 
-    def _check_ssl(self, environ, start_response):
+    def _check_ssl(self, environ):
         """
         Checks the SSL check flag and returns False if SSL is not present
         and required True otherwise
         """
-        org_proto = environ['wsgi._org_proto']
         #check if we have SSL required  ! if not it's a bad request !
-        require_ssl = str2bool(Ui.get_by_key('push_ssl').ui_value)
-        if require_ssl and org_proto == 'http':
-            log.debug('proto is %s and SSL is required BAD REQUEST !'
-                      % org_proto)
-            return False
+        if str2bool(Ui.get_by_key('push_ssl').ui_value):
+            org_proto = environ.get('wsgi._org_proto', environ['wsgi.url_scheme'])
+            if org_proto != 'https':
+                log.debug('proto is %s and SSL is required BAD REQUEST !'
+                          % org_proto)
+                return False
         return True
 
     def _check_locking_state(self, environ, action, repo, user_id):
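Review bot: The new fallback `environ.get('wsgi._org_proto', environ['wsgi.url_scheme'])` makes the push_ssl enforcement depend on where `wsgi._org_proto` comes from, and nothing in the method says so. Presumably it is set by the HttpsFixup middleware from the forwarded-scheme headers when `https_fixup` is enabled, in which case this check is only as reliable as the proxy that sets those headers; without the middleware the WSGI server's own `wsgi.url_scheme` decides. A comment such as `# wsgi._org_proto is set by HttpsFixup (when enabled) from proxy headers; otherwise rely on the WSGI server's own scheme` would make that dependency explicit for the next reader. The docstring could also be tightened to `Return False if push_ssl is enabled and the request did not arrive over https, True otherwise.` since the tightened `!= 'https'` comparison now rejects any non-https scheme, not just `http`.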
--- a/kallithea/lib/middleware/simplegit.py Tue Aug 12 13:08:23 2014 +0200
+++ b/kallithea/lib/middleware/simplegit.py Tue Aug 12 13:08:23 2014 +0200
@@ -66,7 +66,7 @@
     def _handle_request(self, environ, start_response):
         if not is_git(environ):
             return self.application(environ, start_response)
-        if not self._check_ssl(environ, start_response):
+        if not self._check_ssl(environ):
             return HTTPNotAcceptable('SSL REQUIRED !')(environ, start_response)
 
         ip_addr = self._get_ip_addr(environ)
--- a/kallithea/lib/middleware/simplehg.py Tue Aug 12 13:08:23 2014 +0200
+++ b/kallithea/lib/middleware/simplehg.py Tue Aug 12 13:08:23 2014 +0200
@@ -71,7 +71,7 @@
     def _handle_request(self, environ, start_response):
         if not is_mercurial(environ):
             return self.application(environ, start_response)
-        if not self._check_ssl(environ, start_response):
+        if not self._check_ssl(environ):
             return HTTPNotAcceptable('SSL REQUIRED !')(environ, start_response)
 
         ip_addr = self._get_ip_addr(environ)