kallithea Changeset - 8e26c46e9abe

Changeset - 8e26c46e9abe

Parent rev.

Child rev.

[Not reviewed]

default

0 5 0

Mads Kiilerich - 11 years ago 2014-08-12 13:08:23
madski@unity3d.com

https: introduce https_fixup config setting to enable the special https hacks

Without https_fixup, correctly configured WSGI systems work correctly.

The https_fixup middleware will only be loaded when enabled in the configuration.

5 files changed with 19 insertions and 16 deletions:

docs/setup.rst

kallithea/config/middleware.py

kallithea/lib/base.py

kallithea/lib/middleware/simplegit.py

kallithea/lib/middleware/simplehg.py

0 comments (0 inline, 0 general)

docs/setup.rst

➞

Show inline comments

@@ @@ -505,31 +505,33 @@ the config file. @@
 In order to start using celery run::
  paster celeryd <configfile.ini>
 .. note::
    Make sure you run this command from the same virtualenv, and with the same
    user that Kallithea runs.
 HTTPS support
 -------------
 There are two ways to enable https:
 Kallithea will by default generate URLs based on the WSGI environment.
 Alternatively, you can use some special configuration settings to control
 directly which scheme/protocol Kallithea will use when generating URLs:
 - Set HTTP_X_URL_SCHEME in your http server headers, than Kallithea will
   recognize this headers and make proper https redirections
 - Alternatively, change the `force_https = true` flag in the ini configuration
   to force using https, no headers are needed than to enable https
 - With `https_fixup = true`, the scheme will be taken from the HTTP_X_URL_SCHEME,
   HTTP_X_FORWARDED_SCHEME or HTTP_X_FORWARDED_PROTO HTTP header (default 'http').
 - With `force_https = true` the default will be 'https'.
 - With `use_htsts = true`, it will set Strict-Transport-Security when using https.
 Nginx virtual host example
 --------------------------
 Sample config for nginx using proxy::
     upstream rc {
         server 127.0.0.1:5000;
         # add more instances for load balancing
         #server 127.0.0.1:5001;
         #server 127.0.0.1:5002;
+    }

kallithea/config/middleware.py

➞

Show inline comments

@@ @@ -83,25 +83,26 @@ def make_app(global_conf, full_stack=Tru @@
         # need any pylons stack middleware in them
         app = SimpleHg(app, config)
         app = SimpleGit(app, config)
         app = RequestWrapper(app, config)
         # Display error documents for 401, 403, 404 status codes (and
         # 500 when debug is disabled)
         if asbool(config['debug']):
             app = StatusCodeRedirect(app)
         else:
             app = StatusCodeRedirect(app, [400, 401, 403, 404, 500])
     #enable https redirets based on HTTP_X_URL_SCHEME set by proxy
     app = HttpsFixup(app, config)
     if any(asbool(config.get(x)) for x in ['https_fixup', 'force_ssl', 'use_htsts']):
         app = HttpsFixup(app, config)
     # Establish the Registry for this application
     app = RegistryManager(app)
     if asbool(static_files):
         # Serve static files
         static_app = StaticURLParser(config['pylons.paths']['static_files'])
         app = Cascade([static_app, app])
         app = make_gzip_middleware(app, global_conf, compress_level=1)
     app.config = config

kallithea/lib/base.py

➞

Show inline comments

@@ @@ -204,36 +204,36 @@ class BaseVCSController(object): @@
             #any other action need at least read permission
             if not HasPermissionAnyMiddleware('repository.read',
                                               'repository.write',
                                               'repository.admin')(user,
                                                                   repo_name):
                 return False
         return True
     def _get_ip_addr(self, environ):
         return _get_ip_addr(environ)
-    def _check_ssl(self, environ, start_response):
     def _check_ssl(self, environ):
         """
         Checks the SSL check flag and returns False if SSL is not present
         and required True otherwise
         """
         org_proto = environ['wsgi._org_proto']
         #check if we have SSL required  ! if not it's a bad request !
         require_ssl = str2bool(Ui.get_by_key('push_ssl').ui_value)
         if require_ssl and org_proto == 'http':
             log.debug('proto is %s and SSL is required BAD REQUEST !'
                       % org_proto)
             return False
         if str2bool(Ui.get_by_key('push_ssl').ui_value):
             org_proto = environ.get('wsgi._org_proto', environ['wsgi.url_scheme'])
             if org_proto != 'https':
                 log.debug('proto is %s and SSL is required BAD REQUEST !'
                           % org_proto)
                 return False
         return True
     def _check_locking_state(self, environ, action, repo, user_id):
         """
         Checks locking on this repository, if locking is enabled and lock is
         present returns a tuple of make_lock, locked, locked_by.
         make_lock can have 3 states None (do nothing) True, make lock
         False release lock, This value is later propagated to hooks, which
         do the locking. Think about this as signals passed to hooks what to do.
         """
         locked = False  # defines that locked error should be thrown to user

kallithea/lib/middleware/simplegit.py

➞

Show inline comments

@@ @@ -57,25 +57,25 @@ def is_git(environ): @@
     isgit_path = GIT_PROTO_PAT.match(path_info)
     log.debug('pathinfo: %s detected as GIT %s' % (
         path_info, isgit_path is not None)
+    )
     return isgit_path
 class SimpleGit(BaseVCSController):
     def _handle_request(self, environ, start_response):
         if not is_git(environ):
             return self.application(environ, start_response)
-        if not self._check_ssl(environ, start_response):
         if not self._check_ssl(environ):
             return HTTPNotAcceptable('SSL REQUIRED !')(environ, start_response)
         ip_addr = self._get_ip_addr(environ)
         username = None
         self._git_first_op = False
         # skip passing error to error controller
         environ['pylons.status_code_redirect'] = True
         #======================================================================
         # EXTRACT REPOSITORY NAME FROM ENV
         #======================================================================
         try:

kallithea/lib/middleware/simplehg.py

➞

Show inline comments

@@ @@ -62,25 +62,25 @@ def is_mercurial(environ): @@
     log.debug('pathinfo: %s detected as HG %s' % (
         path_info, ishg_path)
+    )
     return ishg_path
 class SimpleHg(BaseVCSController):
     def _handle_request(self, environ, start_response):
         if not is_mercurial(environ):
             return self.application(environ, start_response)
-        if not self._check_ssl(environ, start_response):
         if not self._check_ssl(environ):
             return HTTPNotAcceptable('SSL REQUIRED !')(environ, start_response)
         ip_addr = self._get_ip_addr(environ)
         username = None
         # skip passing error to error controller
         environ['pylons.status_code_redirect'] = True
         #======================================================================
         # EXTRACT REPOSITORY NAME FROM ENV
         #======================================================================
         try:
             repo_name = environ['REPO_NAME'] = self.__get_repository(environ)

0 comments (0 inline, 0 general)