prosody
98b7ae7064b2
plugins/mod_http.lua
Software / code / prosody
Comparison
plugins/mod_http.lua @ 11383:98b7ae7064b2
mod_http: Consider x-forwarded-proto from trusted proxies
Should be better than setting consider_{bosh,websocket}_secure as that
may end up causing actually insecure requests to be considered secure.
Doing it here, as with IP, should make this apply to all HTTP modules.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Thu, 18 Feb 2021 10:00:56 +0100 |
| parent | 11382:a0477656258c |
| child | 11385:c81b6b8c6b19 |
comparison
equal
deleted
inserted
replaced
| 11382:a0477656258c | 11383:98b7ae7064b2 |
|---|---|
| 257 module:wrap_object_event(server._events, false, function (handlers, event_name, event_data) | 257 module:wrap_object_event(server._events, false, function (handlers, event_name, event_data) |
| 258 local request = event_data.request; | 258 local request = event_data.request; |
| 259 if request and is_trusted_proxy(request.conn:ip()) then | 259 if request and is_trusted_proxy(request.conn:ip()) then |
| 260 -- Not included in eg http-error events | 260 -- Not included in eg http-error events |
| 261 request.ip = get_ip_from_request(request); | 261 request.ip = get_ip_from_request(request); |
| 262 | |
| 263 if not request.secure and request.headers.x_forwarded_proto == "https" then | |
| 264 request.secure = true; | |
| 265 end | |
| 262 end | 266 end |
| 263 return handlers(event_name, event_data); | 267 return handlers(event_name, event_data); |
| 264 end); | 268 end); |
| 265 | 269 |
| 266 module:provides("net", { | 270 module:provides("net", { |
