On 09/24/2011 09:02 AM, Luke Plant wrote:

> It is a tricky problem, because I don't know of any perfect solution. My concern is not only that it is possible to configure incorrectly, it appears to be virtually impossible to configure correctly, as it appears to be very hard to get web servers to filter incoming headers, and so filter an X-Forwarded-Protocol=SSL header that is set by a MITM.
Is this actually the case? I know you mention in the ticket that Webfaction's front-end proxy doesn't filter the header they use correctly, but do you have any other evidence that it is "very hard to get web servers to filter incoming headers"?

I haven't dug into it deeply, but I've tested with ep.io and I know they do filter their proxy-SSL header correctly, and I've also tested my own nginx reverse-proxy setup, and it enforces the header correctly in all cases, and the configuration to make it do so was trivial (use proxy_set_header X-Forwarded-Protocol in both the HTTP and HTTPS cases).

I certainly think the documentation for this feature needs to be extremely clear that setting it is a security risk unless you are absolutely sure that your front-end proxy enforces the header correctly. Perhaps we could also supply some advice on how to check that?

Carl
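The nginx setup Carl describes, written out as an added example (this configuration is not from the thread, from Django, or from any of the hosting providers named above). It assumes an upstream named `django_app` on port 8000, placeholder certificate paths, and a backend that treats the `X-Forwarded-Protocol` header as the source of truth for "is this request SSL" (the kind of backend trust the thread is discussing; in later Django releases that is the `SECURE_PROXY_SSL_HEADER` setting). The point is that `proxy_set_header` appears in both server blocks, so whatever a client sends in that header is overwritten before the backend sees it.

```nginx
# Added example, not from the thread. nginx reverse proxy that owns the
# X-Forwarded-Protocol header in BOTH the HTTP and HTTPS server blocks.
# Assumptions: upstream "django_app" on 127.0.0.1:8000, placeholder cert paths,
# a backend that trusts X-Forwarded-Protocol (e.g. Django's
# SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOCOL', 'ssl')).

upstream django_app {
    server 127.0.0.1:8000;
}

# Plain HTTP front end: explicitly mark the request as NOT SSL.
# Leaving the proxy_set_header line out of this block is the weak
# configuration: nginx would then forward a client-supplied
# "X-Forwarded-Protocol: ssl" unchanged, and the backend would believe
# a plaintext request arrived over SSL.
server {
    listen 80;
    server_name example.com;

    location / {
        proxy_pass http://django_app;
        proxy_set_header Host $host;
        # Overwrites any incoming X-Forwarded-Protocol value.
        proxy_set_header X-Forwarded-Protocol http;
    }
}

# HTTPS front end: same directive, now asserting SSL. Only requests that
# actually terminated TLS here can reach the backend with this value.
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/ssl/example.com.crt;   # placeholder path
    ssl_certificate_key /etc/ssl/example.com.key;   # placeholder path

    location / {
        proxy_pass http://django_app;
        proxy_set_header Host $host;
        # The value must match exactly what the backend compares against.
        proxy_set_header X-Forwarded-Protocol ssl;
    }
}
```

To check a proxy the way the message asks for: send a plain-HTTP request to port 80 that carries `X-Forwarded-Protocol: ssl` yourself and confirm, from the backend's side (a view that echoes the header, or the backend's request log), that it arrived as `http`. If the spoofed value survives, the header must not be trusted on that deployment.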
