[Dancer-users] ssl questions

Brian E. Lozier brian at massassi.com
Tue May 31 18:24:55 CEST 2011


On Tue, May 31, 2011 at 9:06 AM, David Precious <davidp at preshweb.co.uk> wrote:
> On Tuesday 31 May 2011 16:26:24 franck wrote:
>> Hi Brian
>>
>> On Tue, May 31, 2011 at 5:07 PM, Brian E. Lozier <brian at massassi.com> wrote:
>> > I have set up my dancer app using plackup and behind nginx.  I have
>> > set up nginx to accept traffic on either port 80 or 443 (https,
>> > encrypted).  I want to ensure that the /login/ route is never accessed
>> > over port 80, only over https.  To do this, I think I need to have a
>> > check at the top of the route to see if SSL is on and forward to 443
>> > if not.  Then after login is completed I want to forward them back to
>> > the unencrypted area.  I've done this before under mod_perl
>> > (non-Dancer app), but I'm not quite sure how this should work in my
>> > current situation.
>> >
>> > Under mod_perl I believe I had an environment variable I could check
>> > to see if the connection was "SECURE" but now the connection is
>> > *never* secure between nginx and my dancer app right?  My
>> > understanding is that the connection between the user and the nginx is
>> > secure, but nginx decrypts everything before forwarding to my dancer
>> > app right?  Is this a security risk?
>> >
>> > I dumped Dancer::Request and didn't see anything that will allow me to
>> > find out if I'm under https.
>>
>> you can call request->secure, which returns 1 if it's using HTTPS, else 0.
>
> This is the answer; however, I need to extend the docs for request->secure, as
> they should mention the (quite new) behind_proxy setting.
>
> Basically, in your config file, add:
>
>    setting behind_proxy => 1;
>
> Now, request->scheme() (which is what request->secure() uses to check whether
> the request was HTTP or HTTPS) will look at X_FORWARDED_PROTOCOL or
> HTTP_FORWARDED_PROTO from the env, which should be set by the proxy server
> (Nginx in your case).
>
> Take a look at https://github.com/sukria/Dancer/pull/512 where this feature
> was implemented for more details.

This is helpful, thank you.  If the logic for having plack/psgi apps
behind a proxy is already handled in Plack::Middleware::ReverseProxy,
why is this happening again in Dancer?  Is there an intention for
Dancer app developers to use Plack::Middleware modules or have all the
"important" ones recreated inside Dancer?  Is there an advantage to
using behind_proxy => 1 vs. using Plack::Middleware::ReverseProxy
directly?  It looks like all the middleware does is reset some
environment variables so the Dancer app will think it's being run
directly.

>
> And as for:
>> >  My
>> > understanding is that the connection between the user and the nginx is
>> > secure, but nginx decrypts everything before forwarding to my dancer
>> > app right?  Is this a security risk?
>
> Your understanding is correct, but assuming that your Dancer app and Nginx are
> on the same box, it's only a security risk if an attacker has access to that
> box; in which case, you've already lost.
>
> It would become an issue if your Dancer app was running on another box and you
> couldn't trust the network between that box and the box running Nginx.
>
> Cheers
>
> Dave P
>
> --
> David Precious  ("bigpresh")
> http://www.preshweb.co.uk/
>
>   "Programming is like sex. One mistake and you have to support
>   it for the rest of your life". (Michael Sinz)
>
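
The deployment the thread is discussing, nginx terminating TLS on 80 and 443 and proxying to a Dancer app under plackup, with `request->secure` depending on a scheme header the proxy adds, written out as an added example. This is constructed for this page; it is not code from the thread, from Brian's app or from the Dancer project. The host name, certificate paths, port 5000, the `/login/` route bodies, the in-memory user table and the helpers `public_host` and `verify_password` are all placeholders. It uses the `behind_proxy` setting Dave describes, and sends the scheme both as `Forwarded-Proto` (which reaches the app as `HTTP_FORWARDED_PROTO`, one of the keys Dave names) and as the conventional `X-Forwarded-Proto`; which header names your installed `Dancer::Request->scheme` honours is version dependent, so check that method before relying on it.

```perl
#!/usr/bin/env perl
# bin/app.pl: a Dancer 1 app that refuses to serve /login/ over plain HTTP when
# TLS is terminated by nginx in front of plackup.
#
# nginx side (constructed, placeholder host and paths).  Both listeners proxy to
# plackup on the loopback interface and stamp the scheme the client really used.
# proxy_set_header overwrites any Forwarded-Proto header the client sent, so the
# app only ever sees nginx's own value.
#
#   server {
#       listen 80;
#       listen 443 ssl;
#       server_name example.com;
#       ssl_certificate     /etc/nginx/ssl/example.com.crt;
#       ssl_certificate_key /etc/nginx/ssl/example.com.key;
#       location / {
#           proxy_pass http://127.0.0.1:5000;
#           proxy_set_header Host              $host;
#           proxy_set_header Forwarded-Proto   $scheme;  # arrives as HTTP_FORWARDED_PROTO
#           proxy_set_header X-Forwarded-Proto $scheme;  # conventional name, read by Plack::Middleware::ReverseProxy
#       }
#   }
#
# Start the app bound to loopback only, so nothing but nginx can reach it:
#   plackup --host 127.0.0.1 --port 5000 bin/app.pl
use strict;
use warnings;
use Dancer;

# behind_proxy makes request->scheme (and therefore request->secure) consult the
# proxy's forwarded-scheme header instead of the always-plain nginx->plackup hop.
# Same as "behind_proxy: 1" in config.yml.
set behind_proxy => 1;
set session      => 'Simple';   # in-memory sessions, enough for this demo

# Public hostname for absolute redirects; nginx passes the client's Host through.
sub public_host { request->env->{HTTP_HOST} || 'example.com' }

# Constructed placeholder user store.  A real app would look up a password hash
# (bcrypt or similar), never compare plaintext like this.
my %USERS = ( alice => 'correct horse battery staple' );
sub verify_password {
    my ( $user, $pass ) = @_;
    return defined $user && defined $pass
        && exists $USERS{$user} && $USERS{$user} eq $pass;
}

# Runs before every route.  Anything under /login/ that did not arrive over HTTPS
# is bounced to the same URL on https:// and the route handler never runs.
hook before => sub {
    my $path = request->path_info;
    if ( $path =~ m{^/login(?:/|$)} && !request->secure ) {
        # request->uri is the original REQUEST_URI (path plus query string)
        redirect 'https://' . public_host() . request->uri;
        halt;   # stop processing here; the handler must not run over plain HTTP
    }
};

get '/login/' => sub {
    template 'login';   # hypothetical views/login.tt with the credentials form
};

post '/login/' => sub {
    if ( verify_password( params->{user}, params->{password} ) ) {
        session user => params->{user};
        # Back to the unencrypted area, as asked for in the thread.  The session
        # cookie set here will then travel over port 80 on every later request.
        return redirect 'http://' . public_host() . '/';
    }
    template 'login', { error => 'bad credentials' };
};

get '/' => sub {
    my $who = session('user') || 'anonymous';
    "hello, $who (scheme: " . request->scheme . ")";
};

dance;
```

Two points worth checking in any deployment of this shape. First, whichever mechanism sets the scheme (`behind_proxy`, or `Plack::Middleware::ReverseProxy` enabled in an `app.psgi`, which rewrites `psgi.url_scheme` and `REMOTE_ADDR` from the `X-Forwarded-*` headers before Dancer sees the request), the check is only as trustworthy as the path to the backend: any client that can open port 5000 directly can send its own `Forwarded-Proto: https` and satisfy `request->secure`, which is why plackup is bound to 127.0.0.1 above and why the same-box assumption in Dave's reply matters. Second, sending the user back to port 80 after login means the session cookie issued by the login is transmitted in the clear from then on, so the HTTPS-only login protects the password but not the logged-in session.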

