
Add SSL offloading information #107

Closed
rwaffen opened this issue Nov 30, 2022 · 8 comments
Labels
enhancement New feature or request

Comments

@rwaffen
Member

rwaffen commented Nov 30, 2022

When installing a new HDM instance and having no users, one gets redirected to http to create a new user. But the connection was initialized from https. We should redirect to the same protocol as the initial request.

@rwaffen rwaffen added the bug Something isn't working label Nov 30, 2022
@rwaffen rwaffen transferred this issue from voxpupuli/puppet-hdm Nov 30, 2022
@oneiros
Collaborator

oneiros commented Dec 7, 2022

This is actually what rails does by default, when generating URLs. It takes the protocol and hostname from the request.

Since the docker image does not support https by itself, I wonder if you somehow proxied that request? In these cases, the originally requested URL, specifically the protocol, can get lost, as the request from the reverse proxy to the app is usually done via http.

To work around this, the reverse proxy can add HTTP headers with the original information that rails can evaluate. Here is an example for nginx:

proxy_set_header        Host $host;
proxy_set_header        X-Real-IP $remote_addr;
proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header        X-Forwarded-Proto $scheme;

Apart from that, rails also has a force_ssl configuration option, that can make sense in a production environment. When set to true, URLs are always generated with https as protocol. But I suspect this would not work well for hdm, which may be used in quite different setups, where sometimes it is OK to not have to use https.

@tuxmea tuxmea added enhancement New feature or request and removed bug Something isn't working labels Dec 8, 2022
@tuxmea tuxmea changed the title hdm redirects to http Add SSL offloading information Dec 8, 2022
@tuxmea
Member

tuxmea commented Dec 8, 2022

SSL must be done by nginx in front of HDM. Needs documentation.

@rwaffen
Member Author

rwaffen commented Dec 12, 2022

This is from a customer setup with a proxy F5 LB in front of plain docker HDM.

@tuxmea
Member

tuxmea commented Dec 15, 2022

@oneiros : Question from customer: should we set config.force_ssl = true in Rails?

@oneiros
Collaborator

oneiros commented Dec 15, 2022

> @oneiros : Question from customer: should we set config.force_ssl = true in Rails?

As noted above (#107 (comment)), I am not sure this is desired. When force_ssl is set to true, all URLs will always be generated with https:// and HTTP requests will be permanently redirected to their HTTPS counterparts.

I firmly believe we need to encourage the usage of secure connections in any kind of production environment. But I can also envision scenarios in which hdm is being evaluated in a local test setup or only used within the confines of an otherwise secure environment. Having to configure SSL in these cases seems unnecessarily hard and raises the barrier of entry significantly.

Things would be different if the HDM container somehow had SSL support baked in, but I figure this might be hard to implement.

@tuxmea
Member

tuxmea commented Dec 19, 2022

@oneiros Further information from the customer:

  • local login works as expected, including SSL offloading at LB
  • LDAP login switches protocol from https to http

@oneiros
Collaborator

oneiros commented Dec 19, 2022

> LDAP login switches protocol from https to http

Short answer: This only means the rails app still does not know that the original request used https://.

Long answer: There is actually a difference in the two authentication methods, but only for admin users. Local login as admin redirects to a relative path:

redirect_to users_path, notice: "Logged in!"

while login as a regular user (local or ldap) redirects to a full URL:

redirect_to root_url, notice: "Logged in!"

We could of course change that, but then something else would break. The only real solution is to have the load balancer set the HTTP headers mentioned above.
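The following is an added example, not code from HDM or from Rails, that illustrates both the Dec 7 explanation (Rails builds URLs from the scheme and host it sees on the request, and a TLS-terminating proxy talks plain http to the app unless it forwards the original protocol) and the Dec 19 distinction between a relative `users_path` redirect and an absolute `root_url` redirect. It approximates the scheme resolution of Rack::Request in plain Ruby so it runs without Rails; the hostname `hdm.example`, the paths and the `proxied_env` helper are constructed for illustration.

```ruby
# Added example (not HDM or Rails code): mimics how Rack/Rails derive the request
# scheme behind a reverse proxy, and why a full-URL redirect flips to http://
# when the proxy does not forward the original protocol. Hostname and paths are
# constructed for illustration.

# Approximates Rack::Request#scheme: an HTTPS=on env flag wins, then the
# proxy-supplied X-Forwarded-Proto header, then the scheme of the socket the
# app itself accepted (plain http for the proxy-to-app hop).
def request_scheme(env)
  return "https" if env["HTTPS"] == "on"
  forwarded = env["HTTP_X_FORWARDED_PROTO"]
  if forwarded && !forwarded.empty?
    # A chain of proxies may append values ("https, http"); the first one is
    # the client-facing protocol.
    return forwarded.split(",").first.strip
  end
  env["rack.url_scheme"]
end

# Stand-in for Rails' *_url helpers: an absolute URL built from the request.
def full_url(env, path)
  "#{request_scheme(env)}://#{env["HTTP_HOST"]}#{path}"
end

# Stand-in for Rails' *_path helpers: relative, so the scheme is never touched.
def relative_path(path)
  path
end

# A request as the app container sees it behind a TLS-terminating load balancer.
# Only the forwarded header carries the client's original protocol.
def proxied_env(forward_proto: nil)
  env = {
    "rack.url_scheme" => "http",       # proxy -> app hop is plain http
    "HTTP_HOST" => "hdm.example",      # constructed hostname
    "REQUEST_METHOD" => "POST",
    "PATH_INFO" => "/login",
  }
  env["HTTP_X_FORWARDED_PROTO"] = forward_proto if forward_proto
  env
end

# The two redirect targets from the thread: admin login uses users_path
# (relative), regular or LDAP login uses root_url (absolute).
def admin_login_redirect(_env)
  relative_path("/users")
end

def regular_login_redirect(env)
  full_url(env, "/")
end

if __FILE__ == $0
  without = proxied_env
  with    = proxied_env(forward_proto: "https")
  puts "no header   -> #{regular_login_redirect(without)}"  # http://hdm.example/
  puts "with header -> #{regular_login_redirect(with)}"     # https://hdm.example/
  puts "admin       -> #{admin_login_redirect(without)}"    # /users either way
end
```

Run with `ruby example.rb`. The relative admin redirect keeps working without any proxy headers, which matches the customer observation that local admin login looked fine while the LDAP (regular user) login dropped to http. The nginx snippet above sets `X-Forwarded-Proto $scheme`, which overwrites rather than appends the header, so the app only ever sees the value the proxy itself determined; a proxy that passes client-supplied forwarding headers through unchanged would let a client choose the scheme the app believes it is serving.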

@tuxmea
Member

tuxmea commented Mar 23, 2023

This is not an issue with HDM, but (in this specific case) a LB issue. Closing.

@tuxmea tuxmea closed this as completed Mar 23, 2023