-
-
Notifications
You must be signed in to change notification settings - Fork 10.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fixing Admin force SSL redirect, adding more options #1809
Conversation
@gimelfarb Thanks for taking the time to work on Ghost :) For the bugs, please can you ensure that you have documented the full reproduction steps, preferably in a bug issue, otherwise it is not possible for us to verify the bugs. For the new options / features, it's up to you to make a case for them and sell the idea. It seems you've made significant changes to how the handling of SSL works here, including removing everything to do with the X-Forwarded-Proto header, without explaining why. Additionally, your change breaks the build, and doesn't add or update any tests which I would expect you would need to do. Sorry to add such a big list of things to do, but without a little more explanation on your side I am not able to merge this. |
I think that this PR is not going to work :-(. With that in mind, please ensure that your issues follow our contribution guidelines (https://github.com/TryGhost/Ghost/blob/master/CONTRIBUTING.md#reporting-an-issue), open an issue and get a discussion started :-). The enhancements you are proposing are in my opinion worth adding. |
Fixing SSL redirect handling behind a proxy (`sever.enable('trust proxy')`). Also fixing handling of Admin theme resources, which should be served via HTTP when requested. Adding more options: 1. Send a non-301 response - for example, 401 Unauthorized 2. Configure a different hostname for SSL (e.g. 'https://secure.myblog.com')
Hi guys, thanks for the "welcome" ;) Alright, firstly my apologies for barging in with big changes unannounced like this. You are right, I should have created an issue and bug ticket first, so that it can be referenced. My bad for not reading the contribution guidelines carefully. I just rushed in the PR late at night, and didn't even see that Travis build broke (which was a JSLint code styling validation failure). I am pretty new to the open source contribution thing, so please bear with me. All the issues I am fixing in my fork of Ghost are related directly to me trying to host it on Heroku for myself. So I do make sure it works. It is a pretty long to-do list, and I will endeavor to tick those off. Probably too long to do in one evening though. I will raise a separate issue that can be referenced here - there are 2 really, one is a bug and the other is enhancement. I have also reviewed the code again following your comments, and I do agree about not being careful with Let me just outline here the changes to provide more background. As I said, I'll create Issues for these as well, like you requested.
And that's it! I am interested to know what you think. I will raise those Issues in the meantime to reference here. |
I appreciate the improvements you have implemented for SSL support. And we would like to add the bugfixes to the 0.4-maintenance release (aka 0.4.1). All changes are in one commit right now and it would simplify merging for us, if you could split up the bugfixes (#1836 and #1837) and open new PRs against the #1838 is a new feature and should go into the next regular release of Ghost. After some research I think that a proper status code for denying access without SSL would be It would be great, if you have a moment to go over the PR and split it up! Thank you :-). |
Ok sure I'll split out the bug fixes to be on top of Agree with you about the 403 code being better. Now the I think your point is that this can be rolled into a larger feature of enabling a second (SSL) domain for the entire app. Fair call - there could be a scenario of Correct me if I got it wrong. |
I'll try to structure what I wrote above. Adding a second domain adds some complexity we should think about. At the moment we have two configuration options to force the use of SSL.
If the scheme of
The
Now the tricky part. I would suggest using
Have I forgotten anything? |
Question for clarity: Given the changes that SSL will work without a proxy, what will happen to all the people who have configured their headers on their proxy? Will SSL continue to work for them, or will they need to make further changes? Also, if you do want to get these bug fixes into 0.4.1 as we have suggested, the closing date for PRs is tomorrow (27th Jan). |
@ErisDS It should work with and without the headers on the proxy. |
Submitted PRs #2047 and #2048 to close #1836 and #1837 respectively. They are based on the 0.4-maintenance branch as a base. @ErisDS - the @sebgie - the structure you propose certainly makes sense, and does achieve the same goal I set out, plus a bit more. I need to find all places in code that use |
I should read documentation before commenting :-). @gimelfarb is right, 'trust proxy' will still need the proxy headers. From Expressjs docs:
Adding |
Cool yeah, lets close it and start afresh on getting this sorted out 👍 |
Yeah absolutely. I am hoping to have some time this weekend to finally look at and close #1838. |
👍 thanks :-) |
Fixing SSL redirect handling behind a proxy (
sever.enable('trust proxy')
). Also fixing handling of Admin theme resources, which should beserved via HTTP when requested.
Adding more options:
Fixing #1836, #1837. Implementing #1838.