diff options
author | Konstantin Ryabitsev <mricon@kernel.org> | 2013-10-11 10:47:30 -0400 |
---|---|---|
committer | Jeremy Kerr <jk@ozlabs.org> | 2013-10-13 14:58:23 +0800 |
commit | 0f62b0c1d9e35319c2f0386ac9ba1371e15dc9ec (patch) | |
tree | 5906c26444696911143832ad6c2da51b2e5d0a5f /docs | |
parent | 4d7fcc9062659aa74377b39dd87de35c07973ec2 (diff) | |
download | patchwork-0f62b0c1d9e35319c2f0386ac9ba1371e15dc9ec.tar.bz2 patchwork-0f62b0c1d9e35319c2f0386ac9ba1371e15dc9ec.tar.xz |
Add a config option to FORCE_HTTPS_LINKS
In situations where SSL is terminated at the load-balancer, we cannot
rely on guessing the scheme based on whether patchwork itself was
accessed via http or https, since the last-leg is always going to be
done over http.
Unfortunately, wrongly using http:// URLs results in unusable
.pwclientrc files, since xmlrpc does not handle http->https redirects
and instead displays a traceback.
This change introduces a FORCE_HTTPS_LINKS option, which forces
pwclientrc links to always return "https" regardless of how the project
itself is accessed.
It appears that the http/https check is currently only used for
generating pwclientrc -- a lot of other places seem to hardcode
"http://" and rely on the server to transparently upgrade the
connection. This is not a secure approach (it allows for MITM and
SSL-Strip attacks) and therefore all places currently hardcoding
http://{{site.domain}} and similar should be switched to using the
"sheme" variable, the same as done for generating pwclientrc files.
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
Diffstat (limited to 'docs')
0 files changed, 0 insertions, 0 deletions