Closed Bug 860567 Opened 13 years ago Closed 13 years ago

Send "X-Forwarded-Proto: https" header for popcorn.wm.o

Categories

(Webmaker Graveyard :: DevOps, defect)


Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: jon, Assigned: jon)

Details

This will improve security for cookies, as it will prevent cookies from being sent over http. According to some googling, this has been enabled on ELBs for a while, but it doesn't seem to get set when hitting https://popcorn.webmaker.org with curl.

http://aws.amazon.com/releasenotes/7778622769836370
Something to look at at some point, now that I know how to create ELBs
Assignee: nobody → jon
Status: NEW → ASSIGNED
Alright, so the ELB is totally doing the right thing:

    10.193.217.201 - - [Sat, 04 May 2013 22:09:05 GMT] "HEAD / HTTP/1.1" 200 2 "-" "curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5"
    { host: 'mywebmaker.org',
      accept: '*/*',
      'user-agent': 'curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5',
      'x-forwarded-for': '184.175.12.75',
      'x-forwarded-port': '80',
      'x-forwarded-proto': 'http',
      connection: 'keep-alive' }

The problem is that we are literally not setting the 'secure' option on the cookie, like so:

    app.use(express.cookieSession({
      secret: "asdf",
      cookie: {
        maxAge: 2678400000,
        secure: true
      },
      proxy: true
    }));

We'll just need a pref here to turn it on for each app, when they get https certs.
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
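How the 'secure' and 'proxy' options from the comment above interact with the ELB's X-Forwarded-Proto header, as an added example that is not code from this bug or from Express/Connect. The function names, the cookie name `sess` and the `FORCE_SSL` pref are hypothetical, and the two requests are constructed to match the header dump above.

```javascript
// Added example: models the secure-cookie decision for an app behind a
// TLS-terminating ELB. isSecureRequest, sessionCookieHeader, sessionOptions
// and the FORCE_SSL pref are hypothetical names, not Express/Connect APIs.

// True when the client leg used TLS. Behind an ELB the app's own socket is
// plain HTTP, so X-Forwarded-Proto is consulted, but only when it is trusted.
function isSecureRequest(req, trustProxy) {
  if (req.connection && req.connection.encrypted) return true;
  if (!trustProxy) return false; // without a proxy in front, the client controls this header
  const proto = String(req.headers['x-forwarded-proto'] || '').toLowerCase();
  return proto.split(/\s*,\s*/)[0] === 'https'; // first entry when proxies are chained
}

// Returns the Set-Cookie value, or null when a secure cookie must be withheld
// because the request did not arrive over https.
function sessionCookieHeader(req, value, opts) {
  const secure = Boolean(opts.cookie.secure);
  if (secure && !isSecureRequest(req, opts.proxy)) return null;
  const parts = [
    'sess=' + encodeURIComponent(value),
    'Path=/',
    'HttpOnly',
    'Max-Age=' + Math.floor(opts.cookie.maxAge / 1000),
  ];
  if (secure) parts.push('Secure');
  return parts.join('; ');
}

// Per-app pref: only apps that already have an https cert switch the flag on.
function sessionOptions(env) {
  return {
    proxy: true,
    cookie: { maxAge: 2678400000, secure: env.FORCE_SSL === 'true' },
  };
}

// Constructed requests, shaped like the header dump in the comment above.
const viaHttp = { connection: {}, headers: { 'x-forwarded-proto': 'http', 'x-forwarded-port': '80' } };
const viaHttps = { connection: {}, headers: { 'x-forwarded-proto': 'https', 'x-forwarded-port': '443' } };

const prefOn = sessionOptions({ FORCE_SSL: 'true' });
const prefOff = sessionOptions({});
console.log(sessionCookieHeader(viaHttp, 'abc', prefOn));  // null: no cookie over http
console.log(sessionCookieHeader(viaHttps, 'abc', prefOn)); // cookie carries Secure
console.log(sessionCookieHeader(viaHttp, 'abc', prefOff)); // cookie without Secure
```

With the pref on, a request that reached the ELB over http gets no session cookie at all, so an app should only enable it once its https endpoint is live.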