I have set up my dancer app using plackup and behind nginx. I have set up nginx to accept traffic on either port 80 or 443 (https, encrypted). I want to ensure that the /login/ route is never accessed over port 80, only over https. To do this, I think I need to have a check at the top of the route to see if SSL is on and forward to 443 if not. Then after login is completed I want to forward them back to the unencrypted area. I've done this before under mod_perl (non-Dancer app), but I'm not quite sure how this should work in my current situation. Under mod_perl I believe I had an environment variable I could check to see if the connection was "SECURE" but now the connection is *never* secure between nginx and my dancer app right? My understanding is that the connection between the user and the nginx is secure, but nginx decrypts everything before forwarding to my dancer app right? Is this a security risk? I dumped Dancer::Request and didn't see anything that will allow me to find out if I'm under https. Thanks, Brian
Hi Brian On Tue, May 31, 2011 at 5:07 PM, Brian E. Lozier <brian@massassi.com> wrote:
I have set up my dancer app using plackup and behind nginx. I have set up nginx to accept traffic on either port 80 or 443 (https, encrypted). I want to ensure that the /login/ route is never accessed over port 80, only over https. To do this, I think I need to have a check at the top of the route to see if SSL is on and forward to 443 if not. Then after login is completed I want to forward them back to the unencrypted area. I've done this before under mod_perl (non-Dancer app), but I'm not quite sure how this should work in my current situation.
Under mod_perl I believe I had an environment variable I could check to see if the connection was "SECURE" but now the connection is *never* secure between nginx and my dancer app right? My understanding is that the connection between the user and the nginx is secure, but nginx decrypts everything before forwarding to my dancer app right? Is this a security risk?
I dumped Dancer::Request and didn't see anything that will allow me to find out if I'm under https.
you can call request->secure, which returns 1 if it's using HTTPS, else 0. For the first part of your question, I don't have time right now to think about the proposer solution, I'll try to reply later this evening if no one else has a solution for you :)
Thanks, Brian _______________________________________________ Dancer-users mailing list Dancer-users@perldancer.org http://www.backup-manager.org/cgi-bin/listinfo/dancer-users
-- franck cuny http://lumberjaph.net - http://github.com/franckcuny
On Tuesday 31 May 2011 16:26:24 franck wrote:
Hi Brian
On Tue, May 31, 2011 at 5:07 PM, Brian E. Lozier <brian@massassi.com> wrote:
I have set up my dancer app using plackup and behind nginx. I have set up nginx to accept traffic on either port 80 or 443 (https, encrypted). I want to ensure that the /login/ route is never accessed over port 80, only over https. To do this, I think I need to have a check at the top of the route to see if SSL is on and forward to 443 if not. Then after login is completed I want to forward them back to the unencrypted area. I've done this before under mod_perl (non-Dancer app), but I'm not quite sure how this should work in my current situation.
Under mod_perl I believe I had an environment variable I could check to see if the connection was "SECURE" but now the connection is *never* secure between nginx and my dancer app right? My understanding is that the connection between the user and the nginx is secure, but nginx decrypts everything before forwarding to my dancer app right? Is this a security risk?
I dumped Dancer::Request and didn't see anything that will allow me to find out if I'm under https.
you can call request->secure, which returns 1 if it's using HTTPS, else 0.
This is the answer; however, I need to extend the docs for request->secure, as they should mention the (quite new) behind_proxy setting. Basically, in your config file, add: setting behind_proxy => 1; Now, request->scheme() (which is what request->secure() uses to check whether the request was HTTP or HTTPS) will look at X_FORWARDED_PROTOCOL or HTTP_FORWARDED_PROTO from the env, which should be set by the proxy server (Nginx in your case). Take a look at https://github.com/sukria/Dancer/pull/512 where this feature was implemented for more details. And as for:
My understanding is that the connection between the user and the nginx is secure, but nginx decrypts everything before forwarding to my dancer app right? Is this a security risk?
Your understanding is correct, but assuming that your Dancer app and Nginx are on the same box, it's only a security risk if an attacker has access to that box; in which case, you've already lost. It would become an issue if your Dancer app was running on another box and you couldn't trust the network between that box and the box running Nginx. Cheers Dave P -- David Precious ("bigpresh") http://www.preshweb.co.uk/ "Programming is like sex. One mistake and you have to support it for the rest of your life". (Michael Sinz)
On Tue, May 31, 2011 at 9:06 AM, David Precious <davidp@preshweb.co.uk> wrote:
On Tuesday 31 May 2011 16:26:24 franck wrote:
Hi Brian
On Tue, May 31, 2011 at 5:07 PM, Brian E. Lozier <brian@massassi.com> wrote:
I have set up my dancer app using plackup and behind nginx. I have set up nginx to accept traffic on either port 80 or 443 (https, encrypted). I want to ensure that the /login/ route is never accessed over port 80, only over https. To do this, I think I need to have a check at the top of the route to see if SSL is on and forward to 443 if not. Then after login is completed I want to forward them back to the unencrypted area. I've done this before under mod_perl (non-Dancer app), but I'm not quite sure how this should work in my current situation.
Under mod_perl I believe I had an environment variable I could check to see if the connection was "SECURE" but now the connection is *never* secure between nginx and my dancer app right? My understanding is that the connection between the user and the nginx is secure, but nginx decrypts everything before forwarding to my dancer app right? Is this a security risk?
I dumped Dancer::Request and didn't see anything that will allow me to find out if I'm under https.
you can call request->secure, which returns 1 if it's using HTTPS, else 0.
This is the answer; however, I need to extend the docs for request->secure, as they should mention the (quite new) behind_proxy setting.
Basically, in your config file, add:
setting behind_proxy => 1;
Now, request->scheme() (which is what request->secure() uses to check whether the request was HTTP or HTTPS) will look at X_FORWARDED_PROTOCOL or HTTP_FORWARDED_PROTO from the env, which should be set by the proxy server (Nginx in your case).
Take a look at https://github.com/sukria/Dancer/pull/512 where this feature was implemented for more details.
This is helpful, thank you. If the logic for having plack/psgi apps behind a proxy is already handled in Plack::Middleware::ReverseProxy, why is this happening again in Dancer? Is there an intention for Dancer app developers to use Plack::Middleware modules or have all the "important" ones recreated inside Dancer? Is there an advantage to using behind_proxy => 1 vs. using Plack::Middleware::ReverseProxy directly? It looks like all the middleware does is reset some environment variables so the Dancer app will think it's being run directly.
And as for:
My understanding is that the connection between the user and the nginx is secure, but nginx decrypts everything before forwarding to my dancer app right? Is this a security risk?
Your understanding is correct, but assuming that your Dancer app and Nginx are on the same box, it's only a security risk if an attacker has access to that box; in which case, you've already lost.
It would become an issue if your Dancer app was running on another box and you couldn't trust the network between that box and the box running Nginx.
Cheers
Dave P
-- David Precious ("bigpresh") http://www.preshweb.co.uk/
"Programming is like sex. One mistake and you have to support it for the rest of your life". (Michael Sinz)
On Tuesday 31 May 2011 17:24:55 Brian E. Lozier wrote:
This is helpful, thank you. If the logic for having plack/psgi apps behind a proxy is already handled in Plack::Middleware::ReverseProxy, why is this happening again in Dancer? Is there an intention for Dancer app developers to use Plack::Middleware modules or have all the "important" ones recreated inside Dancer? Is there an advantage to using behind_proxy => 1 vs. using Plack::Middleware::ReverseProxy directly? It looks like all the middleware does is reset some environment variables so the Dancer app will think it's being run directly.
It's a pretty important feature which is going to be required by some people, and some people could object to installing additional modules to make it work. Feel free to use Plack::Middleware::ReverseProxy instead though if you're happy to install it :) Cheers Dave P -- David Precious ("bigpresh") http://www.preshweb.co.uk/ "Programming is like sex. One mistake and you have to support it for the rest of your life". (Michael Sinz)
participants (3)
-
Brian E. Lozier -
David Precious -
franck