upstream/kallithea Commit - r8680:070b8c39

auth: only use X- headers instead of wsgi.url_scheme if explicitly told so in url_scheme_header - drop https_fixup setting...

Mads Kiilerich -

r8680:070b8c39 default

parent child

Collapse all files

development.ini

0 +3 0

              ## WSGI environment variable to get the IP address of the client (default REMOTE_ADDR)
              #remote_addr_variable = HTTP_X_FORWARDED_FOR
+             ## WSGI environment variable to get the protocol (http or https) of the client connection (default wsgi.url_scheme)
+             #url_scheme_variable = HTTP_X_FORWARDED_PROTO
              ## always pretend the client connected using HTTPS (default false)
              #force_https = true

docs/setup.rst

0 +5 -7

              Kallithea will by default rely on finding the protocol (``http`` or ``https``)
              in the WSGI environment as ``wsgi.url_scheme``. If the proxy server puts
-             the protocol of the client request in the ``X-Url-Scheme``,
-             ``X-Forwarded-Scheme``, or ``X-Forwarded-Proto`` HTTP header,
-             Kallithea can be configured to trust these headers by setting::
+             the protocol of the client request in the ``X-Forwarded-Proto`` HTTP header,
+             Kallithea can be configured to trust that header by setting::
-                 https_fixup = true
+                 url_scheme_variable = HTTP_X_FORWARDED_PROTO
              HTTPS support
              Alternatively, you can use some special configuration settings to control
              directly which scheme/protocol Kallithea will use when generating URLs:
-             - With ``https_fixup = true``, the scheme will be taken from the
-               ``X-Url-Scheme``, ``X-Forwarded-Scheme`` or ``X-Forwarded-Proto`` HTTP header
-               (default ``http``).
+             - With ``url_scheme_variable`` set, the scheme will be taken from that HTTP
+               header.
              - With ``force_https = true``, the scheme will be seen as ``https``.
              - With ``use_htsts = true``, Kallithea will set ``Strict-Transport-Security`` when using https.

kallithea/config/application.py

0 +1 -1

                  app = SimpleGit(app, config)
                  # Enable https redirects based on HTTP_X_URL_SCHEME set by proxy
-                 if any(asbool(config.get(x)) for x in ['https_fixup', 'force_https', 'use_htsts']):
+                 if any(asbool(config.get(x)) for x in ['url_scheme_variable', 'force_https', 'use_htsts']):
                      app = HttpsFixup(app, config)
                  app = PermanentRepoUrl(app, config)

kallithea/config/middleware/https_fixup.py

0 +10 -12

              """
+             import kallithea
              from kallithea.lib.utils2 import asbool
                      middleware you should set this header inside your
                      proxy ie. nginx, apache etc.
                      """
-                     # DETECT PROTOCOL !
-                     if 'HTTP_X_URL_SCHEME' in environ:
-                         proto = environ.get('HTTP_X_URL_SCHEME')
-                     elif 'HTTP_X_FORWARDED_SCHEME' in environ:
-                         proto = environ.get('HTTP_X_FORWARDED_SCHEME')
-                     elif 'HTTP_X_FORWARDED_PROTO' in environ:
-                         proto = environ.get('HTTP_X_FORWARDED_PROTO')
-                     else:
-                         proto = 'http'
-                     org_proto = proto
+                     proto = None
                      # if we have force, just override
                      if asbool(self.config.get('force_https')):
                          proto = 'https'
+                     else:
+                         # get protocol from configured WSGI environment variable
+                         url_scheme_variable = kallithea.CONFIG.get('url_scheme_variable')
+                         if url_scheme_variable:
+                             proto = environ.get(url_scheme_variable)
-                     environ['wsgi.url_scheme'] = proto
-                     environ['wsgi._org_proto'] = org_proto
+                     if proto:
+                         environ['wsgi._org_proto'] = environ.get('wsgi.url_scheme')
+                         environ['wsgi.url_scheme'] = proto

kallithea/templates/ini/template.ini.mako

0 +3 0

              <%text>##</%text> WSGI environment variable to get the IP address of the client (default REMOTE_ADDR)
              #remote_addr_variable = HTTP_X_FORWARDED_FOR
+             <%text>##</%text> WSGI environment variable to get the protocol (http or https) of the client connection (default wsgi.url_scheme)
+             #url_scheme_variable = HTTP_X_FORWARDED_PROTO
              <%text>##</%text> always pretend the client connected using HTTPS (default false)
              #force_https = true

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages