SSO with Auth_Request

2016-08-22 Thread Jason Tuck
Hi All,   I'm trying to implement SSO similar to this:  https://developers.shopware.com/blog/2015/03/02/sso-with-nginx-authrequest-module/  however I am using node/passport/azure-ad for my authentication service.  The issue I am running into is - how do I get the originally requested route /app1

Re: No HTTPS on nginx.org by default

2016-08-22 Thread Maxim Konovalov
On 8/22/16 8:23 PM, Richard Stanway wrote: > See https://nginx.org/en/linux_packages.html#stable > > PGP key links are hard coded to http URLs: > > > For Debian/Ubuntu, in order to authenticate the nginx repository > signature > and to eliminate warnings about missing PGP key during installation

Re: No HTTPS on nginx.org by default

2016-08-22 Thread Richard Stanway
See https://nginx.org/en/linux_packages.html#stable PGP key links are hard coded to http URLs: For Debian/Ubuntu, in order to authenticate the nginx repository signature and to eliminate warnings about missing PGP key during installation of the nginx package, it is necessary to add the key used

Re: No HTTPS on nginx.org by default

2016-08-22 Thread Maxim Konovalov
On 8/22/16 8:15 PM, Richard Stanway wrote: > Could you at least fix the https download page, so it doesn't > directly link to a HTTP PGP key? > It works correctly: https://nginx.org/en/download.html > On Mon, Aug 22, 2016 at 6:49 PM, Maxim Konovalov > wrote: > > On 8

Re: No HTTPS on nginx.org by default

2016-08-22 Thread Richard Stanway
Could you at least fix the https download page, so it doesn't directly link to a HTTP PGP key? On Mon, Aug 22, 2016 at 6:49 PM, Maxim Konovalov wrote: > On 8/22/16 7:41 PM, B.R. wrote: > > The problem is, if the GPG key is served through HTTP, there is no > > way to authenticate it, since it cou

Re: No HTTPS on nginx.org by default

2016-08-22 Thread Maxim Konovalov
On 8/22/16 7:41 PM, B.R. wrote: > The problem is, if the GPG key is served through HTTP, there is no > way to authenticate it, since it could be compromised through MITM. > I am very surprised to see myself being qualified as 'HTTPS despot' > when I just spot the obvious. > But it does not -- our

Re: No HTTPS on nginx.org by default

2016-08-22 Thread B.R.
The problem is, if the GPG key is served through HTTP, there is no way to authenticate it, since it could be compromised through MITM. I am very surprised to see myself being qualified as 'HTTPS despot' when I just spot the obvious. Compromised repository + GPG key is one very powerful way of impe

Re: No HTTPS on nginx.org by default

2016-08-22 Thread Dewangga Bachrul Alam
Hello! On 08/22/2016 10:58 PM, rai...@ultra-secure.de wrote: > > nginx doesn't provide an auto-update mechanism that stupidly downloads > and accepts all and everything somebody makes available under some > spoofed address. You can use PGP key[1] to verify the binary was correct or "injected"

Re: No HTTPS on nginx.org by default

2016-08-22 Thread rainer
On 2016-08-22 17:44, Maxim Konovalov wrote: On 8/22/16 6:40 PM, Richard Stanway wrote: 1. You could provide insecure.nginx.org mirror for such people, make nginx.org secure by default. No, thanks. It is secure by default and HTTPS by default do

Re: No HTTPS on nginx.org by default

2016-08-22 Thread Maxim Konovalov
On 8/22/16 6:40 PM, Richard Stanway wrote: > 1. You could provide insecure.nginx.org > mirror for such people, make nginx.org secure by > default. > No, thanks. It is secure by default and HTTPS by default doesn't add any value. > 2. Modern server C

Re: No HTTPS on nginx.org by default

2016-08-22 Thread Richard Stanway
1. You could provide insecure.nginx.org mirror for such people, make nginx.org secure by default. 2. Modern server CPUs are already extremely energy efficient, TLS adds negligible load. See https://istlsfastyet.com/ On Mon, Aug 22, 2016 at 12:31 PM, Valentin V. Bartenev wrote: > On Sunday 21

Re: No HTTPS on nginx.org by default

2016-08-22 Thread Valentin V. Bartenev
On Sunday 21 August 2016 15:56:09 B.R. wrote: > It is surprising, since I remember Ilya Grigorik made a talk about TLS > during the first ever nginx conf in 2014: > https://www.youtube.com/watch?v=iHxD-G0YjiU > https://istlsfastyet.com/ It's just Ilya's opinion. You are free to agree or not. >

Re: Slow read attack in HTTP/2

2016-08-22 Thread Valentin V. Bartenev
On Monday 22 August 2016 12:40:46 Sharan J wrote: > Hi, > > The scenario which I mentioned was only tested and reported by imperva and > Nginx has said that they have solved this slow read issue. > References: > http://www.imperva.com/docs/Imperva_HII_HTTP2.pdf > https://www.nginx.com/blog/the-imp

Re: Slow read attack in HTTP/2

2016-08-22 Thread Sharan J
Hi, The scenario which I mentioned was only tested and reported by Imperva and Nginx has said that they have solved this slow read issue. References: http://www.imperva.com/docs/Imperva_HII_HTTP2.pdf https://www.nginx.com/blog/the-imperva-http2-vulnerability-report-and-nginx/ But as you say, the