
Don't apply `security.require-https` to intracluster requests

Authored by epriestley on Apr 13 2016, 1:17 PM.



Ref T10784. Currently, if you terminate SSL at a load balancer (very common) and use HTTP beyond that, you have to fiddle with this setting in your preamble or a SiteConfig.

On the balance I think this makes stuff much harder to configure without any real security benefit, so don't apply this option to intracluster requests.

Also document a lot of stuff.

Test Plan

Poked around locally but this is hard to test outside of a production cluster, I'll vet it more thoroughly on secure.

Diff Detail

rP Phabricator
Lint Not Applicable
Tests Not Applicable

Event Timeline

epriestley retitled this revision from to Don't apply `security.require-https` to intracluster requests.
epriestley updated this object.
epriestley edited the test plan for this revision.
epriestley added a reviewer: chad.
chad edited edge metadata.
chad added inline comments.

accessing? or access to?

This revision is now accepted and ready to land. Apr 13 2016, 4:28 PM
epriestley edited edge metadata.
  • Add missing "access to".
This revision was automatically updated to reflect the committed changes.