On 07.01.2017 at 17:04, Jered Floyd wrote:
Does the "sslheaders" experimental plugin meet your needs?

https://docs.trafficserver.apache.org/en/latest/admin-guide/plugins/sslheaders.en.html

not really because it's not transparent to the application and so i can continue to fake the $_SERVER vars based on application configs - it also needs to make sure that these headers never ever are passed through from untrusted machines in front of the own proxy or faked by clients pointing directly to the origin - the way mod_remoteip works takes care of such things

"end-to-end" doesn't matter when both ATS and httpd are on the same switch or even running on the same virtualization host - what matters much more is that your application is aware of the https fact and sets the *encryption flag for cookies* for example

the fake-by-configuration hacking makes things just more complex because you have one more place to care besides DNS, ATS and httpd and the Magento hacks placing $_SERVER['xyz'] into 'index.php' are anything but not beautiful

well, and for sites which should be reachable with https *and* http you can forget this entirely when don't have any clue

----- On Jan 7, 2017, at 3:30 AM, Reindl Harald h.rei...@thelounge.net wrote:

* Apache Trafficserver in front
* ATS configured for TLS-offloading
* connection to backend-httpd on the LAN unencrypted
* mod_remoteip correctly configured on backend httpd

is there any way to make the backend php application aware that in fact
$_SERVER['HTTPS'] and $_SERVER['REQUEST_SCHEME'] should be 'on' /
https:// in case of generating absolute URLs like for emails

in a perfect world this would be handled like the transparent
translation of the client IP with
https://httpd.apache.org/docs/current/mod/mod_remoteip.html and its
RemoteIPInternalProxy and a header like "X-Forwarded-TLS"

something like below where "X-TLS-Offloading" is only evaluated from
"RemoteIPInternalProxy" physical addresses

RemoteIPHeader         X-Forwarded-For
RemoteTLSHeader        X-TLS-Offloading
RemoteIPInternalProxy  192.168.196.1
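
The trust rule requested in this thread, sketched as an added PHP example that is not part of the original messages and not code from httpd or ATS. "RemoteTLSHeader" is only the directive proposed above; the function name, the header value "on" and the way the physical peer address is obtained are assumptions.

```php
<?php
declare(strict_types=1);

// Added example. Models the semantics proposed for "RemoteTLSHeader":
// the header counts only when the TCP peer is a listed internal proxy.
const TRUSTED_PROXIES = ['192.168.196.1'];          // RemoteIPInternalProxy value from the thread
const TLS_HEADER_KEY  = 'HTTP_X_TLS_OFFLOADING';    // X-TLS-Offloading as PHP exposes it in $_SERVER

/**
 * Hypothetical helper. $peerAddr must be the physical connection address
 * (assumption: the caller can obtain it; with mod_remoteip active,
 * $_SERVER['REMOTE_ADDR'] has already been replaced by the client IP).
 */
function applyTlsOffloading(array $server, string $peerAddr): array
{
    $fromProxy = in_array($peerAddr, TRUSTED_PROXIES, true);
    // Assumed convention: the proxy sends the literal value "on" for TLS requests.
    $value = strtolower(trim((string)($server[TLS_HEADER_KEY] ?? '')));

    // Always drop the header so later code never sees a client-supplied copy.
    unset($server[TLS_HEADER_KEY]);

    if ($fromProxy && $value === 'on') {
        $server['HTTPS'] = 'on';
        $server['REQUEST_SCHEME'] = 'https';
    }
    return $server;
}

// Constructed sample requests: [physical peer address, $_SERVER subset]
$cases = [
    'via proxy, TLS'        => ['192.168.196.1', [TLS_HEADER_KEY => 'on', 'REQUEST_SCHEME' => 'http']],
    'via proxy, plain http' => ['192.168.196.1', ['REQUEST_SCHEME' => 'http']],
    'direct, forged header' => ['203.0.113.7',   [TLS_HEADER_KEY => 'on', 'REQUEST_SCHEME' => 'http']],
];

foreach ($cases as $label => [$peer, $server]) {
    $out = applyTlsOffloading($server, $peer);
    $secure = ($out['HTTPS'] ?? '') === 'on';       // value to use for the cookie "secure" flag
    printf(
        "%-22s HTTPS=%-7s scheme=%-5s secure-cookie=%s\n",
        $label,
        $out['HTTPS'] ?? '(unset)',
        $out['REQUEST_SCHEME'],
        $secure ? 'yes' : 'no'
    );
}
```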
