From: James Tucker
Date: Sat, 17 Dec 2016 23:01:29 -0800
Subject: Re: newby issue with rack-ssl gem
To: Rack Development
In-Reply-To: <90b53576-5f1c-4c6b-892e-cdbc919796b7@googlegroups.com>

On Dec 17, 2016 5:51 PM, "Rich Morin" wrote:
> On a related note, the Rack::SSL page (https://github.com/josh/rack-ssl)
> says that it "Redirects all 'http' requests to 'https'". However, it
> says nothing about port numbers and offers no options that I can see in
> this area. I'd like to understand the exact behavior I *should* expect
> from it and whether there are any ways to play with port numbers, etc.

rack-ssl isn't an official rack project. I don't know if Josh still hangs
around here.

rack-ssl works by inspecting the rack environment, as specified in
http://www.rubydoc.info/github/rack/rack/file/SPEC#The_Environment

Specifically it looks for (in order):

env['HTTPS'] == 'on'                      # this is not part of the rack spec, iirc, it was something mongrel and/or webrick do
env['HTTP_X_FORWARDED_PROTO'] == 'https'  # this is the HTTP header X-Forwarded-Proto, which is often configured to be produced by upstream proxies. Further important notes anon.
env['rack.url_scheme'] == 'https'         # this is the rack standard spec for a webserver to inform an application that the request was served with https.

Port numbers would not be useful for identifying whether or not a connection
is https.

You should read the code for more details of rack-ssl's operation. It's only
89 lines long.

Important notes on X-Forwarded-Proto:

rack-ssl is not safe for use without an upstream proxy that always overwrites
or sets X-Forwarded-Proto. Failure to prevent users from sending you this
value could otherwise lead to certain rare cases of downgrade attacks on your
service.

X-Forwarded-Proto, while still extremely common, is now stale. RFC7239 was
standardized in 2014 and defines a Forwarded-For header, the contents of which
can specify this behavior. It is less used partly because it's new, and partly
because it's harder to manage given that it requires more parsing. I'm also
seeing a lot of cases in the wild now that the above RFC is getting talked
about here and there, of people defining Forwarded-Proto instead, which is
further incorrect.

*In case it isn't clear, unless you make further adjustments to your server,
using rack-ssl with the server from your gist is not safe.*

HTH
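An added example, not rack-ssl's own code and not part of the thread: the three environment checks James lists, a hardened variant that only honours X-Forwarded-Proto when the request arrived from a known proxy address, and a constructed environment showing why a client-set header must be overwritten upstream. The proxy address, host and path are assumptions made up for the example.

```ruby
# Mirrors the three checks from the reply, in the order listed.
def ssl_request?(env)
  env['HTTPS'] == 'on' ||
    env['HTTP_X_FORWARDED_PROTO'] == 'https' ||
    env['rack.url_scheme'] == 'https'
end

# Hardened variant. Assumption: REMOTE_ADDR is filled in by the web server
# from the TCP connection, so a client cannot forge it the way it can forge
# a request header. X-Forwarded-Proto is only believed when the connection
# came from a proxy we operate; otherwise the server's own scheme decides.
TRUSTED_PROXIES = ['10.0.0.5'].freeze  # constructed address for this example

def ssl_request_hardened?(env)
  return true if env['HTTPS'] == 'on' || env['rack.url_scheme'] == 'https'
  TRUSTED_PROXIES.include?(env['REMOTE_ADDR']) &&
    env['HTTP_X_FORWARDED_PROTO'] == 'https'
end

# Redirect decision in the style of the middleware: a request judged to be
# plain http gets a 301 to the https URL; anything judged secure is passed
# through (nil here stands for "call the next app").
def redirect_if_insecure(env, checker)
  return nil if checker.call(env)
  [301, { 'Location' => "https://#{env['HTTP_HOST']}#{env['PATH_INFO']}" }, []]
end

# Constructed environments (hash keys follow the Rack SPEC naming).
# 1. TLS terminated at our proxy, which set X-Forwarded-Proto itself.
VIA_PROXY = {
  'REMOTE_ADDR' => '10.0.0.5', 'rack.url_scheme' => 'http',
  'HTTP_X_FORWARDED_PROTO' => 'https',
  'HTTP_HOST' => 'app.example', 'PATH_INFO' => '/login'
}.freeze
# 2. Plain-http request straight from a client that supplied the header
#    itself because nothing upstream stripped or overwrote it.
CLIENT_SET = {
  'REMOTE_ADDR' => '203.0.113.9', 'rack.url_scheme' => 'http',
  'HTTP_X_FORWARDED_PROTO' => 'https',
  'HTTP_HOST' => 'app.example', 'PATH_INFO' => '/login'
}.freeze

if __FILE__ == $0
  p ssl_request?(CLIENT_SET)           # true: no redirect, session stays on http
  p ssl_request_hardened?(CLIENT_SET)  # false: redirected to https
  p redirect_if_insecure(CLIENT_SET, method(:ssl_request_hardened?))
end
```

The plain check treats the second environment as secure, which is exactly the case the reply warns about; the hardened check, or a proxy that unconditionally sets the header, closes it.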