Item14181: Another try at SSL behind a proxy

Turns out the browsers always set HTTP_UPGRADE_INSECURE_REQUESTS, so that can't be used. Last resort, set a query param of SSL=1, to give bootstrap a hint that it needs to be using SSL URLs. I can't find any other way to handle this. The proxy completely hides that it is using SSL to the client.
foswiki · Dec 15, 2016 · be6f04c · be6f04c
1 parent f029cce
commit be6f04c
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 6 deletions.
diff --git a/core/data/System/InstallationGuide.txt b/core/data/System/InstallationGuide.txt
@@ -1,4 +1,4 @@
-%META:TOPICINFO{author="ProjectContributor" date="1461596274" format="1.1"  version="1"}%
+%META:TOPICINFO{author="ProjectContributor" date="1481826890" format="1.1"  version="1"}%
 %META:TOPICPARENT{name="AdminDocumentationCategory"}%
 <noautolink>
 ---+!! Installation Guide
@@ -41,6 +41,11 @@ Here's the quick version of the instructions, for *those that are already comfor
    1 Follow the link in the Bootstrap banner of the returned page to the bin/configure tool, address any warnings and save your configuration.
    1 Return from configure (button at top of page), and register your first user.
 
+<div class='foswikiHelp'>Note: If you are using SSL (=https<nop>://=), and access Foswiki via a proxy server, you may need to give bootstrap a "hint" that SSL is in use. Add
+=SSL=1= to the URL,  eg: =https<nop>://yoursite.com?SSL=1=.  From there, bootstrap should function correctly.  You only need to do this if the initial view screen displays without any
+styling and the links on the page point to non-SSL =http= locations.
+</div>
+
 That's it! You Foswiki should now be installed. Browse to =/bin/view= and start editing!
 
 At some point, you will want to re-visit [[#ConfigureFoswiki][Configuring Foswiki]] to enable out-going emails, create administrators and properly secure your installation.

diff --git a/core/lib/Foswiki/Configure/Bootstrap.pm b/core/lib/Foswiki/Configure/Bootstrap.pm
@@ -450,7 +450,7 @@ sub bootstrapWebSettings {
 # Detect if HTTPS in use.  Browsers appear to set the UPGRADE flag, and the json requests
 # for configure all come in with a https referer.
         if (
-            $ENV{HTTP_UPGRADE_INSECURE_REQUESTS}
+            ( $ENV{QUERY_STRING} && $ENV{QUERY_STRING} =~ m/\bSSL=1\b/i )
             || (   $ENV{HTTP_REFERER}
                 && $ENV{HTTP_REFERER} =~
                 m#^https://\Q$ENV{HTTP_X_FORWARDED_HOST}\E# )

diff --git a/core/lib/Foswiki/Configure/Checkers/DefaultUrlHost.pm b/core/lib/Foswiki/Configure/Checkers/DefaultUrlHost.pm
@@ -31,10 +31,11 @@ sub check_current_value {
         $host = $ENV{HTTP_X_FORWARDED_HOST};
 
         if (
-            $ENV{HTTP_UPGRADE_INSECURE_REQUESTS}
-            || (   $ENV{HTTP_REFERER}
+            (
+                   $ENV{HTTP_REFERER}
                 && $ENV{HTTP_REFERER} =~
-                m#^https://\Q$ENV{HTTP_X_FORWARDED_HOST}\E#i )
+                m#^https://\Q$ENV{HTTP_X_FORWARDED_HOST}\E#i
+            )
           )
         {
             # Browser is asking for https, so override protcol
@@ -43,7 +44,8 @@ sub check_current_value {
     }
 
     if ( $host && $Foswiki::cfg{DefaultUrlHost} !~ m#$protocol://$host#i ) {
-        $reporter->WARN( 'Current setting does not match HTTP_HOST ', $host );
+        $reporter->WARN(
+            "Current setting does not match URL =$protocol://$host=");
         $reporter->NOTE(
                 'If the URL hostname is correct, set this to =http://'
               . $host