When testing the Python reg server, I noticed that the reset password link was broken. For instance:

http://stage-auth.services.mozilla.com/weave-password-reset?username=ktgxfbguqpkwbwjh7ixuyiwr64h54czz&key=4RNI-BIWL-1G1M-WZ0R

Staging uses https://, and there's no config option about whether this URL is http or https.
We traced this into the code and it turns out that the reg server is using the URI scheme provided by gunicorn, which is "http". The gunicorn source code wants the header "X-Forwarded-Protocol: ssl", and when we set it in the nginx config, that fixes this issue for *all* gunicorn applications. I have updated the nginx config and pushed the fix to staging reg/sreg/setup and production setup. Confirmed the staging reg email is now https:// as expected, which resolves this specific issue. I will file a separate ticket to test adding XFP: ssl in Zeus, so we can fix this at the point where we are converting https:// to http://.
Assignee: tarek → rsoderberg
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Component: Server: Registration → Operations
QA Contact: reg-server → operations
Resolution: --- → FIXED
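The behaviour described in the comment above, as an added example (not part of the bug report, and not gunicorn's or the reg server's code): a simplified model of how a WSGI server picks the URL scheme from a proxy header, and how a link built from it changes. The header table mirrors gunicorn's documented default `secure_scheme_headers`, and the trusted-peer check stands in for its `forwarded_allow_ips` setting; the function names, host, username and key are constructed for illustration.

```python
# Added illustration: simplified scheme resolution behind a TLS-terminating proxy.

# Header/value pairs gunicorn documents as its default secure_scheme_headers.
SECURE_SCHEME_HEADERS = {
    "X-FORWARDED-PROTOCOL": "ssl",
    "X-FORWARDED-PROTO": "https",
    "X-FORWARDED-SSL": "on",
}


def resolve_scheme(headers, peer_ip, trusted_proxies=("127.0.0.1",)):
    """Return 'https' only when a trusted proxy sent a secure-scheme header.

    trusted_proxies is an assumption modelling gunicorn's forwarded_allow_ips:
    forwarded headers from any other peer are ignored, so a client cannot
    claim HTTPS for itself.
    """
    if peer_ip not in trusted_proxies:
        return "http"
    for name, value in headers.items():
        if SECURE_SCHEME_HEADERS.get(name.upper()) == value:
            return "https"
    return "http"


def make_environ(headers, peer_ip, host):
    """Build the part of a WSGI environ that the link builder reads."""
    return {
        "wsgi.url_scheme": resolve_scheme(headers, peer_ip),
        "HTTP_HOST": host,
    }


def reset_link(environ, username, key):
    """Build a reset URL the way an app does when it trusts wsgi.url_scheme."""
    base = f"{environ['wsgi.url_scheme']}://{environ['HTTP_HOST']}"
    return f"{base}/weave-password-reset?username={username}&key={key}"


if __name__ == "__main__":
    host = "auth.example.test"  # constructed host
    before = make_environ({}, "127.0.0.1", host)
    after = make_environ({"X-Forwarded-Protocol": "ssl"}, "127.0.0.1", host)
    print(reset_link(before, "user", "KEY"))  # scheme falls back to http
    print(reset_link(after, "user", "KEY"))   # proxy header switches it to https
```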
The specific nginx config update is: proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Protocol ssl; proxy_set_header Host $http_host; proxy_redirect off; proxy_pass http://unix:/tmp/gunicorn-keyexchange.sock;
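Review bot: the added `proxy_set_header X-Forwarded-Protocol ssl;` line is unconditional, so every request passing through this proxy block is presented to gunicorn as HTTPS, whether or not the client connection actually was. That is only correct while all traffic reaching this block has had TLS terminated in front of it; a short comment beside the line saying so would help, and if the same block can ever be reached over plain HTTP the value should be derived from the connection rather than hard-coded.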