From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on dcvr.yhbt.net
X-Spam-Level:
X-Spam-ASN:
X-Spam-Status: No, score=-4.0 required=3.0 tests=ALL_TRUSTED,AWL,BAYES_00
	shortcircuit=no autolearn=ham autolearn_force=no version=3.4.2
Received: from localhost (dcvr.yhbt.net [127.0.0.1])
	by dcvr.yhbt.net (Postfix) with ESMTP id 5A7CC1F8C6;
	Fri, 6 Aug 2021 20:41:32 +0000 (UTC)
Date: Fri, 6 Aug 2021 20:41:32 +0000
From: Eric Wong
To: Leah Neukirchen
Cc: meta@public-inbox.org
Subject: Re: WwwAttach::referer_match and HTTPS
Message-ID: <20210806204132.GB25682@dcvr>
References: <87h7g2aa6z.fsf@vuxu.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <87h7g2aa6z.fsf@vuxu.org>
List-Id:

Leah Neukirchen wrote:
> Hi,
>
> I noticed that referer_match in lib/PublicInbox/WwwAttach.pm always
> fails over HTTPS on my setup as psgi.url_scheme is set to 'http' in
> lib/PublicInbox/HTTPD.pm but I have a HTTPS-terminating proxy in front,
> so the referer starts with "https://"
> (public-inbox-1.6.1 but same in HEAD afaics.)
>
> Did I forget to set anything, or should referer_match just accept both
> http and https?

Hmm, yes, probably it should unconditionally accept /\Ahttps?/i
iff psgi.url_scheme eq 'http' given the way common configs are.

psgi.url_scheme seems inconsistent and difficult to rely on with
so many possible forwarding proxies and configurations. There's
the Forwarded: (RFC 7239) header nowadays, and X-Forwarded-*
before, though I suspect X-Forwarded-* remains widely in use.
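
The scheme relaxation discussed in this message, as an added Perl example that is not part of the original e-mail and not public-inbox's own code. The helper name `referer_ok`, the placeholder host `inbox.example` and the sample requests are hypothetical and constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper, NOT PublicInbox::WwwAttach::referer_match itself.
# Returns 1 if the Referer points back at this PSGI app, 0 otherwise.
sub referer_ok {
    my ($env) = @_;
    my $referer = $env->{HTTP_REFERER};
    return 0 unless defined $referer;
    my $host = $env->{HTTP_HOST} // "$env->{SERVER_NAME}:$env->{SERVER_PORT}";
    my $script = $env->{SCRIPT_NAME} // '';

    # Behind a TLS-terminating proxy psgi.url_scheme stays 'http' while
    # browsers send "https://" Referers, so 'http' accepts either scheme.
    # An app that sees 'https' itself keeps requiring https.
    my $scheme = ($env->{'psgi.url_scheme'} // '') eq 'http'
        ? qr/https?/i : qr/https/i;

    # \Q..\E keeps '.' in the host from acting as a regex wildcard; the
    # trailing (?:/|\z) rejects look-alike hosts that merely share a prefix.
    return $referer =~ m!\A${scheme}://(?i:\Q$host\E)\Q$script\E(?:/|\z)! ? 1 : 0;
}

# Constructed sample requests (inbox.example is a placeholder host).
my %proxied = ('psgi.url_scheme' => 'http', HTTP_HOST => 'inbox.example',
               SCRIPT_NAME => '');
my %direct_tls = (%proxied, 'psgi.url_scheme' => 'https');
my @cases = (
    [ \%proxied,    'https://inbox.example/meta/' ],
    [ \%proxied,    'http://inbox.example/meta/' ],
    [ \%proxied,    'https://inbox.example.other.example/meta/' ],
    [ \%proxied,    'ftp://inbox.example/meta/' ],
    [ \%direct_tls, 'http://inbox.example/meta/' ],
    [ \%proxied,    undef ],
);
for my $c (@cases) {
    my ($env, $ref) = @$c;
    my %e = (%$env, defined $ref ? (HTTP_REFERER => $ref) : ());
    printf "%-6s %s\n", referer_ok(\%e) ? 'accept' : 'reject',
        $ref // '(no Referer)';
}
```

Only the first two sample Referers are accepted; the look-alike host, the non-HTTP scheme, the plain-http Referer against an app that itself sees `https`, and the missing Referer are all rejected.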