[Catalyst] Catalyst Redirect to https

You can use Catalyst::Plugin::RequireSSL to force https.

Although I think https should be used by your method if that's what the
user access the app with.


Christiaan



Octavian Rasnita schreef:

Hi,

Sorry but I haven't provided the correct information.
The problem is that I use a load balancer (Apache mod_proxy_balancer) and it gets the https request, however it passes the request to the backend Apache - mod_perl based servers using http.

How do you do $c->res->redirect in cases like this?

The front end server listens to the ports 80 and 443 and the back end servers to the ports 81 and 82 (they are on the same machine for the moment).

The back end servers don't know if the current request is an http or an https one and on each redirect, they do the redirection using the http scheme.
(I have also set the configuration option using_frontend_proxy to true.)


Also, because the back end servers receive only http requests, $c->req->secure is always equal to 0.
I have read that I can set the HTTPS environment variable to "On" and I put the following line in the configuration file of the load balancer Apache server in the virtualhost that handles SSL requests:

SetEnv HTTPS On

But nothing changes and $c->req->secure is still equal to 0, and the redirects are still done using the https scheme, so I am doing something wrong for sure.

Do I need to have special virtualhosts on the back end servers that handle the requests that came using https and set the HTTPS environment variable on those virtualhosts? Or how can I let the Catalyst app know if the requests to the load balancer were using https?

Please tell me what should I do or where can I find more information about using a load balancer with https and Catalyst.

Thanks.

Octavian

From: "Christiaan Kras" <[email protected]>

--------------------------------------------------------------------------------

2010/3/25 Octavian Rasnita <[email protected]>
Does that header get to Catalyst? Obviously, check that first.

I have this in a "after 'prepare_headers'":

$res->secure( 1 ) if lc( $req->header( 'Https' ) || '' ) eq 'on';

The load balancer sends all traffic to the same port. The load balancer
sets that header for SSL traffic.

I used to send to two different ports and then detect SSL based on the port
number. Same result either way.

From: Bill Moseley
> >
> >

I didn't know that HTTPS should be an HTTP header and not an environment variable so I have also added as a header.

I have put in the configuration file of the back end servers (to be sure that it will reach the app):

SetEnv HTTPS On

and in the configuration file of the load balancer server:

RequestHeader set HTTPS On

And in a test action I have done:

my $body;
$body .= "HTTPS environment variable: $ENV{HTTPS}<br />\n";
$body .= "HTTPS header: " . $c->req->header('HTTPS') . "<br />\n";
$body .= "secure: " . $c->req->secure . "<br />\n";;
$c->req->secure(1); #Force it to be true
$body .= "secure: " . $c->req->secure . "<br />\n"; # Check if it is set correctly
$body .= "uri_for_action: " . $c->uri_for_action('/user/login2') . "<br />\n";
$c->res->body($body);

And the result is:

HTTPS environment variable: On
HTTPS header: On
secure: 0
secure: 1
uri_for_action: http://site.testsite.com:5555/en/user/login2

So it seems that both the environment variable HTTPS and the header HTTPS are seen by Catalyst, but $c->req->secure is still equal to 0.

Do I need to add a certain plugin in order to be able to use $c->req->secure or what could be the problem that it is not set correctly?

I have read in Catalyst::Request:

"the URI scheme (eg., http vs. https) must be determined through heuristics; depending on your server configuration, it may be incorrect. See $req->secure for more info."

And more info:
"Note that the URI scheme (eg., http vs. https) must be determined through heuristics, and therefore the reliablity of $req->secure will depend on your server configuration. If you are serving secure pages on the standard SSL port (443) and/or setting the HTTPS environment variable, $req->secure should be valid."

I am accessing the site using SSL by the 5555 port so I need the HTTPS environment variable (or HTTP header) but I don't know why $c->req->secure is still not set.

And finally, even though I forced $c->req->secure to be true, $c->uri_for_action still uses the http scheme and not https so in the entire application the redirects won't be done correctly and this is the big problem.

Thanks.


Octavian

Try with

if (lc($c->req->headers()->{'x-https'}) eq 'on'){
my $uri = $c->req->base();
$uri->scheme("https");
$c->req->base($uri);
}

Note: I set X-Https header on the apache with

RequestHeader set X-Https "%{HTTPS}e"

works for me...

Jose Luis Martinez
[email protected]

were setting a header in your load balancer. Obviously, the front-end web
server's environment is not shared with the back-end's environment.

You have the front-end load balancer add a header to SSL requests when being
proxied to the backend. Then the backend looks for the this header and, if
set, sets $c->req->secure(1);

You just need some way for the front-end to tell you which requests are SSL
on the front end. As mentioned, another approach is to use two different
ports on the backend.


You need to set $request->secure(1) earlier in the request so that when
$base is created it has the correct scheme.

Here's a simple example application:

$ cat lib/ssl.pm lib/ssl/Controller/Root.pm
package ssl;
use Moose;
use namespace::autoclean -except => 'meta';
extends 'Catalyst';

__PACKAGE__->setup();

after 'prepare_headers' => sub {
my $self = shift;
$self->req->secure( $ENV{SSL} );
};

1;


package ssl::Controller::Root;
use Moose;
use namespace::autoclean -except => 'meta';
BEGIN { extends 'Catalyst::Controller' }
__PACKAGE__->config->{namespace} = '';

sub hello : Local {
my ( $self, $c ) = @_;
$c->res->body( $c->uri_for( '/hello' ) );
};

1;


~/ssl$ script/ssl_test.pl /hello
http://localhost/hello

~/ssl$ SSL=1 script/ssl_test.pl /hello
https://localhost/hello


Don't get confused by that example where I'm checking $ENV. You will want
to check a request header (or port) as that's how the front-end can
communicate with the back-end.

Note that Catalyst::Apache::Engine will check for $ENV{HTTPS} is "ON" but
for that to happen you would have to do something like $ENV{HTTPS} =
$c->req->headers( 'HTTPS' ) very early in the request (or get Apache to set
it based on the request header.

I find it easier to just explicitly set secure(1) based on a header (or
port).