On Dec 17, 2016 5:51 PM, "Rich Morin" <rdm@cfcl.com> wrote:
On a related note, the Rack::SSL page (https://github.com/josh/rack-ssl) says that it "Redirects all 'http' requests to 'https'".  However, it says nothing about port numbers and offers no options that I can see in this area.  I'd like to understand the exact behavior I should expect from it and whether there are any ways to play with port numbers, etc.

rack-ssl isn't an official rack project. I don't know if Josh still hangs around here.

rack-ssl works by inspecting the rack environment, as specified in http://www.rubydoc.info/github/rack/rack/file/SPEC#The_Environment

Specifically it looks for (in order):

env['HTTPS'] == 'on'   # this is not part of the rack spec, iirc, it was something mongrel and/or webrick do
env['HTTP_X_FORWARDED_PROTO'] == 'https'  # this is the HTTP header X-Forwarded-Proto, which is often configured to be produced by upstream proxies. Further important notes anon.
env['rack.url_scheme'] == 'https' # this is the rack standard spec for a webserver to inform an application that the request was served with https.

Port numbers would not be useful for identifying whether or not a connection is https.

You should read the code for more details of rack-ssl's operation. It's only 89 lines long.

Important notes on X-Forwarded-Proto:

rack-ssl is not safe for use without an upstream proxy that always overwrites or sets X-Forwarded-Proto. Failure to prevent users from sending you this value could otherwise lead to certain rare cases of downgrade attacks on your service.

X-Forwarded-Proto, while still extremely common, is now stale. RFC7239 was standardized in 2014 and defines a Forwarded-For header, the contents of which can specify this behavior. It is less used partly because it's new, and partly because it's harder to manage given that it requires more parsing. I'm also seeing a lot of cases in the wild, now that the above RFC is getting talked about here and there, of people defining Forwarded-Proto instead, which is further incorrect.

In case it isn't clear, unless you make further adjustments to your server, using rack-ssl with the server from your gist is not safe.

HTH


-r

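The following is an added example, not rack-ssl's own code or anything posted in this thread. It reproduces the three checks listed above as a plain Ruby predicate, shows the downgrade the message warns about (a client on a direct connection sets X-Forwarded-Proto: https itself and is never redirected), and contrasts it with a hardened check that only honours the header when REMOTE_ADDR is a known proxy address. The TRUSTED_PROXIES list, the ForceSSL class and the sample environments are assumptions constructed for the example; real deployments must also ensure the app server is not reachable except through the proxy, or REMOTE_ADDR itself proves nothing.

```ruby
# Added example (not rack-ssl's code). Plain Ruby, no rack gem required: a rack
# environment is just a Hash, so the logic can be exercised offline.

# The three signals listed in the message, checked in the order given.
# Note that HTTP_X_FORWARDED_PROTO comes straight from the request headers.
def naive_https?(env)
  env['HTTPS'] == 'on' ||
    env['HTTP_X_FORWARDED_PROTO'] == 'https' ||
    env['rack.url_scheme'] == 'https'
end

# Assumed for this example: the addresses our TLS-terminating proxy connects from.
TRUSTED_PROXIES = %w[127.0.0.1 10.0.0.5].freeze

# Hardened variant: the server-set signals are trusted as before, but the
# X-Forwarded-Proto header is only believed when the TCP peer is a trusted proxy.
def hardened_https?(env, trusted_proxies = TRUSTED_PROXIES)
  return true if env['HTTPS'] == 'on' || env['rack.url_scheme'] == 'https'

  from_proxy = trusted_proxies.include?(env['REMOTE_ADDR'])
  from_proxy && env['HTTP_X_FORWARDED_PROTO'] == 'https'
end

# Minimal rack-ssl-style middleware: pass https requests through, redirect the rest.
# The https decision is injected so both predicates can be compared.
class ForceSSL
  def initialize(app, https_check)
    @app = app
    @https_check = https_check
  end

  def call(env)
    return @app.call(env) if @https_check.call(env)

    location = "https://#{env['HTTP_HOST']}#{env['PATH_INFO']}"
    location += "?#{env['QUERY_STRING']}" unless env['QUERY_STRING'].to_s.empty?
    [301, { 'Location' => location, 'Content-Type' => 'text/plain' }, ['Redirecting']]
  end
end

# Trivial downstream app standing in for the real application.
APP = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['secure content']] }

# Constructed environment: an attacker connects directly over plain http and
# supplies the proxy header themselves.
def direct_request_with_spoofed_header
  {
    'REMOTE_ADDR' => '203.0.113.9', 'HTTP_HOST' => 'example.test',
    'PATH_INFO' => '/account', 'QUERY_STRING' => '',
    'rack.url_scheme' => 'http', 'HTTP_X_FORWARDED_PROTO' => 'https'
  }
end

# Constructed environment: the same header, but set by the trusted proxy after
# terminating TLS; the proxy-to-app hop is plain http, so rack.url_scheme is http.
def request_via_proxy
  {
    'REMOTE_ADDR' => '10.0.0.5', 'HTTP_HOST' => 'example.test',
    'PATH_INFO' => '/account', 'QUERY_STRING' => 'tab=1',
    'rack.url_scheme' => 'http', 'HTTP_X_FORWARDED_PROTO' => 'https'
  }
end

# Run an environment through the middleware with a given check; return the status.
def status_for(env, check)
  ForceSSL.new(APP, check).call(env)[0]
end

if __FILE__ == $PROGRAM_NAME
  spoofed = direct_request_with_spoofed_header
  puts "naive check, spoofed header:    #{status_for(spoofed, method(:naive_https?))}"    # 200: downgrade succeeds
  puts "hardened check, spoofed header: #{status_for(spoofed, method(:hardened_https?))}" # 301: redirected to https
  puts "hardened check, via proxy:      #{status_for(request_via_proxy, method(:hardened_https?))}" # 200
end
```

The hardened predicate is only as good as the proxy configuration it pairs with: the proxy must overwrite (not merely append to) X-Forwarded-Proto on every request, and the application port must not be reachable from anywhere but the proxy, which is the same requirement the message states for rack-ssl itself.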
--

---
You received this message because you are subscribed to the Google Groups "Rack Development" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rack-devel+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.