[Dancer-users] ssl questions

David Precious davidp at preshweb.co.uk
Tue May 31 18:06:08 CEST 2011 

On Tuesday 31 May 2011 16:26:24 franck wrote:
> Hi Brian
> 
> On Tue, May 31, 2011 at 5:07 PM, Brian E. Lozier <brian at massassi.com> wrote:
> > I have set up my dancer app using plackup and behind nginx.  I have
> > set up nginx to accept traffic on either port 80 or 443 (https,
> > encrypted).  I want to ensure that the /login/ route is never accessed
> > over port 80, only over https.  To do this, I think I need to have a
> > check at the top of the route to see if SSL is on and forward to 443
> > if not.  Then after login is completed I want to forward them back to
> > the unencrypted area.  I've done this before under mod_perl
> > (non-Dancer app), but I'm not quite sure how this should work in my
> > current situation.
> > 
> > Under mod_perl I believe I had an environment variable I could check
> > to see if the connection was "SECURE" but now the connection is
> > *never* secure between nginx and my dancer app right?  My
> > understanding is that the connection between the user and the nginx is
> > secure, but nginx decrypts everything before forwarding to my dancer
> > app right?  Is this a security risk?
> > 
> > I dumped Dancer::Request and didn't see anything that will allow me to
> > find out if I'm under https.
> 
> you can call request->secure, which returns 1 if it's using HTTPS, else 0.

This is the answer; however, I need to extend the docs for request->secure, as 
they should mention the (quite new) behind_proxy setting.

Basically, in your config file, add:

    setting behind_proxy => 1;

Now, request->scheme() (which is what request->secure() uses to check whether 
the request was HTTP or HTTPS) will look at X_FORWARDED_PROTOCOL or 
HTTP_FORWARDED_PROTO from the env, which should be set by the proxy server 
(Nginx in your case).

Take a look at https://github.com/sukria/Dancer/pull/512 where this feature 
was implemented for more details.

And as for:
> >  My
> > understanding is that the connection between the user and the nginx is
> > secure, but nginx decrypts everything before forwarding to my dancer
> > app right?  Is this a security risk?

Your understanding is correct, but assuming that your Dancer app and Nginx are 
on the same box, it's only a security risk if an attacker has access to that 
box; in which case, you've already lost.

It would become an issue if your Dancer app was running on another box and you 
couldn't trust the network between that box and the box running Nginx.

Cheers

Dave P

-- 
David Precious  ("bigpresh")
http://www.preshweb.co.uk/

   "Programming is like sex. One mistake and you have to support
   it for the rest of your life". (Michael Sinz)

More information about the Dancer-users mailing list