On Mon, Sep 26, 2011 at 5:39 PM, Carl Meyer wrote:
> On 09/26/2011 06:16 AM, Cal Leeming [Simplicity Media Ltd] wrote:
> > Unless you can guarantee that all web application servers/load balancers
> > are going to correctly handle the header out
On 09/26/2011 06:16 AM, Cal Leeming [Simplicity Media Ltd] wrote:
> Unless you can guarantee that all web application servers/load balancers
> are going to correctly handle the header out of the box (i.e.
> inject/strip where necessary), then there's n
Just my two cents worth, but I think something like this is such a 'per case
basis', that it probably shouldn't be included in the core.
Unless you can guarantee that all web application servers/load balancers are
going to correctly handle the header out of the box (i.e. inject/strip where
necessa
On 26/09/11 12:45, Tom Evans wrote:
> On Sat, Sep 24, 2011 at 9:28 PM, Luke Plant wrote:
>>
>> I'm happy to be proved wrong, of course. Apache is very popular, though,
>> so if it's hard in Apache, it could be said to be hard full stop.
>>
>
> RequestHeader unset X-Forwarded-Protocol
>
> Not pr
On Sat, Sep 24, 2011 at 9:28 PM, Luke Plant wrote:
>
> I'm happy to be proved wrong, of course. Apache is very popular, though,
> so if it's hard in Apache, it could be said to be hard full stop.
>
RequestHeader unset X-Forwarded-Protocol
Not precisely what I'd call hard.
From a-business-that
On 24/09/11 19:34, Carl Meyer wrote:
> On 09/24/2011 09:02 AM, Luke Plant wrote:
>> It is a tricky problem, because I don't know of any perfect solution. My
>> concern is not only that it is possible to configure incorrectly, it
>> appears to be virtually impossible to configure correctly, as it ap
On 09/24/2011 09:02 AM, Luke Plant wrote:
> It is a tricky problem, because I don't know of any perfect solution. My
> concern is not only that it is possible to configure incorrectly, it
> appears to be virtually impossible to configure correctly, as
On 24/09/11 01:06, Paul McMillan wrote:
> CarlJM's django-secure package [4] solves this problem by requiring
> the user to specify which header they want, if they need support for
> this.
>
> Luke's concerns about the security of this setting are extremely well
> founded. Enabling it when it is
About a year ago Luke Plant wontfixed ticket #14597, which requested
that Django add support for setting request.is_secure based on
proxy-added headers (like X-Forwarded-Protocol) when Django is served
by an HTTPS proxy [1].
Luke's reasons for closing were analogous to the
SetRemoteAddrFromForward