Allow serving https:// links behind a front-end server with SSL termination
Summary:
A new TrustProxy middleware allows setting a trust strategy for
potentially spoofable headers like HTTP_X_FORWARDED_PROTO and
HTTP_X_FORWARDED_FOR. This solves the proxy HTTPS problem.
We add an app.proxy configuration option, defined like this:
Auth Grove can handle proxy headers like HTTP_X_FORWARDED_PROTO
according to your configuration.
- To always trust forward headers, add a star entry: ['*']
- To never trust any server, use an empty array: []
- To specify the proxy servers, create an array with each IP.
If you put Auth Grove on a back-end application server, with a
front-end nginx responsible for SSL termination,
you can set the front-end IPs or blindly trust any remote
address with the magic entry '*'.
Fixes T492.
Test Plan:
- Run Auth Grove on an Apache server, serving HTTPS
- Access https:// served by an nginx server, with proxy_pass
- See that we have http:// if app.proxy is []
- See that we have https:// if app.proxy is ['*'] or the nginx server IP.
Reviewers: fauve, xcombelle
Subscribers: security
Maniphest Tasks: T492
Differential Revision: http://devcentral.nasqueron.org/D25
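The trust strategy the commit message describes, as an added standalone PHP example: this is not Auth Grove's own TrustProxy middleware, and the class name `TrustedProxyResolver`, the IPv4 CIDR support, and the request values (front-end at 10.0.0.2, client at 203.0.113.7) are assumptions made for the example. It shows why the trust list matters: X-Forwarded-Proto and X-Forwarded-For are only honoured when REMOTE_ADDR, which the peer cannot forge, is one of the configured proxies.

```php
<?php
// Added example, not Auth Grove's own code. Resolves the scheme and client IP
// of a request according to an app.proxy-style setting: ['*'], [] or a list
// of proxy IPs (plus IPv4 CIDR ranges, an assumption of this example).

final class TrustedProxyResolver
{
    /** @var string[]|null  null means '*' (trust everyone); [] means trust nobody */
    private $proxies;

    public function __construct(array $appProxy)
    {
        $this->proxies = in_array('*', $appProxy, true) ? null : $appProxy;
    }

    /** Is the peer that opened the TCP connection a proxy we accept headers from? */
    public function trusts(string $remoteAddr): bool
    {
        if ($this->proxies === null) {
            return true;                       // '*': blindly trust any remote address
        }
        foreach ($this->proxies as $proxy) {
            if (self::matches($remoteAddr, $proxy)) {
                return true;
            }
        }
        return false;
    }

    /** Exact IP match, or IPv4 CIDR match when the entry contains a slash. */
    private static function matches(string $ip, string $proxy): bool
    {
        if (strpos($proxy, '/') === false) {
            return $ip === $proxy;
        }
        list($subnet, $bits) = explode('/', $proxy, 2);
        $ipLong = ip2long($ip);
        $subnetLong = ip2long($subnet);
        $bits = (int) $bits;
        if ($ipLong === false || $subnetLong === false || $bits < 0 || $bits > 32) {
            return false;
        }
        $mask = $bits === 0 ? 0 : (-1 << (32 - $bits)) & 0xFFFFFFFF;
        return ($ipLong & $mask) === ($subnetLong & $mask);
    }

    /**
     * Scheme to generate links with: the forwarded one only if it was set by a
     * trusted proxy, otherwise whatever the back-end connection itself used.
     */
    public function scheme(array $server): string
    {
        $https = isset($server['HTTPS']) && $server['HTTPS'] !== '' && $server['HTTPS'] !== 'off';
        $direct = $https ? 'https' : 'http';
        if (!$this->trusts($server['REMOTE_ADDR'] ?? '')) {
            return $direct;
        }
        // The header may be a comma-separated chain; the first value is the client's.
        $chain = explode(',', strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
        $first = trim($chain[0]);
        return ($first === 'https' || $first === 'http') ? $first : $direct;
    }

    /** Client address: X-Forwarded-For is only consulted behind a trusted proxy. */
    public function clientIp(array $server): string
    {
        $remote = $server['REMOTE_ADDR'] ?? '';
        if (!$this->trusts($remote) || empty($server['HTTP_X_FORWARDED_FOR'])) {
            return $remote;
        }
        $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        // Walk right to left past trusted hops; the first untrusted entry is the client.
        for ($i = count($chain) - 1; $i >= 0; $i--) {
            if (!$this->trusts($chain[$i])) {
                return $chain[$i];
            }
        }
        return $chain[0];                      // every hop trusted: leftmost is the client
    }
}

// Constructed request, as the back-end sees it behind an nginx proxy_pass (example data).
$request = [
    'REMOTE_ADDR'            => '10.0.0.2',    // the nginx front-end (assumed address)
    'HTTPS'                  => 'off',         // nginx speaks plain HTTP to the back-end
    'HTTP_X_FORWARDED_PROTO' => 'https',
    'HTTP_X_FORWARDED_FOR'   => '203.0.113.7',
];

foreach ([[], ['*'], ['10.0.0.2'], ['10.0.0.0/24'], ['192.0.2.99']] as $appProxy) {
    $resolver = new TrustedProxyResolver($appProxy);
    printf("app.proxy=%-16s scheme=%-5s client=%s\n",
        json_encode($appProxy), $resolver->scheme($request), $resolver->clientIp($request));
}
```

Run with `php` from the command line. With `[]` or a list that does not contain the front-end's address, the forwarded headers are ignored, so links are generated as http:// and the front-end's own address is reported as the client; with `['*']`, `['10.0.0.2']` or the matching CIDR entry, the scheme becomes https and the client address comes from X-Forwarded-For. The same untrusted-by-default rule is what stops a direct client from spoofing HTTP_X_FORWARDED_FOR to evade IP-based checks.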