From mboxrd@z Thu Jan  1 00:00:00 1970
From: Leah Neukirchen
To: Eric Wong
Cc: meta@public-inbox.org
Subject: Re: WwwAttach::referer_match and HTTPS
References: <87h7g2aa6z.fsf@vuxu.org> <20210806204132.GB25682@dcvr>
Date: Fri, 06 Aug 2021 22:50:55 +0200
In-Reply-To: <20210806204132.GB25682@dcvr> (Eric Wong's message of "Fri, 6 Aug 2021 20:41:32 +0000")
Message-ID: <878s1e9u1c.fsf@vuxu.org>

Eric Wong writes:

> Leah Neukirchen wrote:
>> Hi,
>>
>> I noticed that referer_match in lib/PublicInbox/WwwAttach.pm always
>> fails over HTTPS on my setup as psgi.url_scheme is set to 'http' in
>> lib/PublicInbox/HTTPD.pm but I have a HTTPS-terminating proxy in front,
>> so the referer starts with "https://"
>> (public-inbox-1.6.1 but same in HEAD afaics.)
>>
>> Did I forget to set anything, or should referer_match just accept both
>> http and https?
>
> Hmm, yes, probably it should unconditionally accept /\Ahttps?/i
> iff psgi.url_scheme eq 'http' given the way common configs are.
> psgi.url_scheme seems inconsistent and difficult to rely on with
> so many possible forwarding proxies and configurations.
>
> There's the Forwarded: (RFC 7239) header nowadays, and
> X-Forwarded-* before, though I suspect X-Forwarded-* remains
> widely in use.

I currently set

    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

but not X-Forwarded-Proto...

-- 
Leah Neukirchen  https://leahneukirchen.org
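
The check suggested in the quoted reply (accept either scheme in the Referer when psgi.url_scheme is 'http'), written out as an added example. This is not code from public-inbox or from either participant; `referer_ok`, the host `inbox.example`, and the policy of allowing requests without a Referer are assumptions.

```perl
use strict;
use warnings;

# Added example, not public-inbox code. referer_ok() and the sample
# URLs are hypothetical. $base_url is what the app derives from
# psgi.url_scheme and the Host header, e.g. "http://inbox.example/meta/".
sub referer_ok {
	my ($env, $base_url) = @_;
	my $referer = $env->{HTTP_REFERER} // '';
	# Assumption: clients that send no Referer are allowed.
	return 1 if $referer eq '';
	my ($scheme, $rest) = $base_url =~ m!\A(https?)://(.+)\z!i or return 0;
	# End the prefix on a path boundary so "inbox.example.evil.test"
	# cannot pass as "inbox.example".
	$rest .= '/' unless $rest =~ m!/\z!;
	# 'http' may only mean that TLS ended at the proxy: accept both
	# schemes then. An app that sees 'https' itself still requires https.
	my $schemes = lc($env->{'psgi.url_scheme'} // '') eq 'http'
		? qr/https?/i : qr/\Q$scheme\E/i;
	return $referer =~ m!\A${schemes}://\Q$rest\E!i ? 1 : 0;
}

# Constructed sample requests (not taken from the thread).
my $base = 'http://inbox.example/meta/';
my @referers = (
	'',
	'https://inbox.example/meta/T/',
	'http://inbox.example/meta/',
	'https://inbox.example.evil.test/meta/',
	'https://other.example/',
);
for my $ref (@referers) {
	my $env = { 'psgi.url_scheme' => 'http', HTTP_REFERER => $ref };
	printf "%-40s %s\n", ($ref eq '' ? '(none)' : $ref),
		referer_ok($env, $base) ? 'accept' : 'reject';
}
```

With X-Forwarded-Proto unset at the proxy, as in the configuration quoted above, the application has no signal about the outer scheme, which is why this check relaxes the scheme rather than reading a header.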