HomePhabricator

Don't apply `security.require-https` to intracluster requests

Description

Don't apply security.require-https to intracluster requests

Summary:
Ref T10784. Currently, if you terminate SSL at a load balancer (very common) and use HTTP beyond that, you have to fiddle with this setting in your premable or a SiteConfig.

On the balance I think this makes stuff much harder to configure without any real security benefit, so don't apply this option to intracluster requests.

Also document a lot of stuff.

Test Plan: Poked around locally but this is hard to test outside of a production cluster, I'll vet it more thoroughly on secure.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10784

Differential Revision: https://secure.phabricator.com/D15696

Details

Provenance
epriestleyAuthored on Apr 13 2016, 12:52 PM
epriestleyPushed on Apr 13 2016, 7:51 PM
Reviewer
chad
Differential Revision
D15696: Don't apply `security.require-https` to intracluster requests
Parents
rP99be132ea21e: Allow public users to make intracluster API requests
Branches
Unknown
Tags
Unknown
Tasks
T10784: Deploy secure002.phacility.net
Build Status
Buildable 11700
Build 14653: Run Core Tests