Page MenuHomePhabricator
Differential D15856

Fix protocol serve detection for clustered repositories that terminate HTTPS
ClosedPublic
Actions

Authored by epriestley on May 5 2016, 11:19 PM.
Tags
None
Referenced Files
F14062930: D15856.diff
Mon, Nov 18, 3:33 PM
F14054712: D15856.id38197.diff
Sat, Nov 16, 4:14 AM
F14047318: D15856.diff
Thu, Nov 14, 3:29 AM
F14035081: D15856.diff
Sun, Nov 10, 4:01 AM
F14021480: D15856.diff
Wed, Nov 6, 9:13 AM
F13999776: D15856.id38197.diff
Thu, Oct 24, 5:09 PM
F13998720: D15856.id38197.diff
Thu, Oct 24, 10:52 AM
F13992251: D15856.id38198.diff
Tue, Oct 22, 3:27 PM
View All Files
Subscribers
None

Details

Reviewers
chad
Maniphest Tasks
T10927: Can't load data from reposorities: 403
Commits
rPfde02c4b4edf: Fix protocol serve detection for clustered repositories that terminate HTTPS
Summary

Ref T10927. Pretty sure the issue is:

  • User makes an HTTPS request.
  • Load balancer terminates it, but with an X-Forwarded-Proto header.
  • secure001 (or whatever; acting as web host) proxies it to secure002 (or whatever; acting as a repository host). This connection is plain HTTP.
  • Since this proxied connection is plain HTTP, we check if the repository can serve over "http", but it can't: only "https". So we fail incorrectly, even though the original user request was HTTPS.

In the long run we should probably forward the X-Forwarded-Proto header, but that has some weird implications and it's broadly fine to allow either protocol to serve as long as the other one is active: configuration like security.require-https is already stronger than these settings.

Test Plan

This is likely only observable in production, but normal cloning still works locally.

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

epriestley updated this revision to Diff 38197.May 5 2016, 11:19 PM
epriestley retitled this revision from to Fix protocol serve detection for clustered repositories that terminate HTTPS.
epriestley updated this object.
epriestley edited the test plan for this revision. (Show Details)
epriestley added a reviewer: chad.
epriestley added a task: T10927: Can't load data from reposorities: 403.
chad accepted this revision.May 5 2016, 11:23 PM
chad edited edge metadata.
This revision is now accepted and ready to land.May 5 2016, 11:23 PM
Closed by commit rPfde02c4b4edf: Fix protocol serve detection for clustered repositories that terminate HTTPS (authored by epriestley, committed by epriestley). · Explain WhyMay 5 2016, 11:25 PM
This revision was automatically updated to reflect the committed changes.
epriestley mentioned this in T10927: Can't load data from reposorities: 403.May 5 2016, 11:48 PM
epriestley mentioned this in T10748: Implement `diffusion.repository.edit`, for creating and editing repositories via the API.May 8 2016, 4:05 PM

Revision Contents
Changeset List

PathSize
src/
applications/
diffusion/
controller/
23 lines

Diff 38198

View Options

src/applications/diffusion/controller/DiffusionServeController.php

Loading...
Phabricator · Built by Phacility