Fix HTTPS detection when running behind a proxy

Emanuele Aina requested to merge wip/em/fix-auth-behind-proxy into master

In production the application is currently run behind a TLS-terminating nginx proxy which forces the Host header and sets the X-Forwarded-For and X-Forwarded-Proto headers.

However, nothing on the application side handles the X-Forwarded-* headers, causing authentication against GitLab through OAuth2 to fail since the generated callback URL uses plain http:// while OAuth2 requires it to be https://, yielding the "The redirect URI included is not valid" error message.

This adds a PROXY_COUNT environment variable to be set to the number of trusted proxies in front of the application. It defaults to zero to avoid issues if malicious actors set the headers above in a non-proxied setup.

Marked WIP since I haven't managed to test this in any way after I spent two hours debugging what was going on. :(

@araujo, can you give it a spin and remove the WIP tag if it doesn't explode?

Edited by Emanuele Aina
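An added example, not code from this merge request or the project, sketching the trusted-proxy logic the description asks for: X-Forwarded-For and X-Forwarded-Proto are honoured only for the last PROXY_COUNT hops, and with the default of zero they are ignored entirely. The function names, the dict-of-headers framing and the callback path are assumptions.

```python
"""Hypothetical helper (not the project's code): honour X-Forwarded-* headers
only from the PROXY_COUNT trusted proxies in front of the application."""
import os
from typing import Dict, List, Mapping, Tuple


def proxy_count_from_env(env: Mapping[str, str] = os.environ) -> int:
    """PROXY_COUNT defaults to 0, so headers are never trusted unless configured."""
    try:
        return max(0, int(env.get("PROXY_COUNT", "0")))
    except ValueError:
        return 0


def resolve_forwarded(headers: Dict[str, str], remote_addr: str,
                      proxy_count: int) -> Tuple[str, str]:
    """Return (scheme, client_ip) as the application should see them.

    Each proxy appends the peer it saw to X-Forwarded-For, so only the last
    `proxy_count` entries come from proxies we trust; anything further left,
    and any X-Forwarded-* header at all in a non-proxied setup, is client-
    controlled and must not influence the scheme or the client address.
    """
    if proxy_count <= 0:
        return "http", remote_addr
    lower = {k.lower(): v for k, v in headers.items()}

    def values(name: str) -> List[str]:
        return [v.strip() for v in lower.get(name, "").split(",") if v.strip()]

    chain = values("x-forwarded-for") + [remote_addr]
    # The real client sits just before the trusted proxies. A chain shorter
    # than expected means a misconfiguration upstream: fall back to the direct
    # peer rather than promoting a possibly forged entry.
    client_ip = chain[-(proxy_count + 1)] if len(chain) > proxy_count else remote_addr

    protos = values("x-forwarded-proto")
    scheme = protos[-proxy_count] if len(protos) >= proxy_count else "http"
    if scheme not in ("http", "https"):
        scheme = "http"
    return scheme, client_ip


def callback_url(headers: Dict[str, str], remote_addr: str, proxy_count: int,
                 host: str, path: str = "/oauth/callback") -> str:
    """Build the OAuth2 redirect URI; behind the TLS-terminating proxy this
    yields https://, matching the URI registered with GitLab."""
    scheme, _ = resolve_forwarded(headers, remote_addr, proxy_count)
    return f"{scheme}://{host}{path}"
```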