Comments on: Checking for SSL behind a load balancer http://www.ghidinelli.com/2010/12/29/checking-for-ssl-behind-a-load-balancer Thu, 01 Jun 2017 18:51:00 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Kurt Bonnet http://www.ghidinelli.com/2010/12/29/checking-for-ssl-behind-a-load-balancer/comment-page-1#comment-61505 Kurt Bonnet Fri, 31 Dec 2010 06:06:50 +0000 http://www.ghidinelli.com/?p=1191#comment-61505 @Brian - I'm not sure about SetEnv, but according to the documentation for mod_headers if someone were to spoof the isSsl request header, and you specified a value for the isSsl header (that was spoofed) in your Apache config using: RequestHeader set isSsl 1 the "set" command will replace any previously existing header with that name (isSsl) and apply the new value to it (from the config file), thus over-riding any spoofed values. I haven't tested this out explicitly, but I'm pretty sure it works as stated. Apache mod_headers docs: http://httpd.apache.org/docs/2.2/mod/mod_headers.html#requestheader @Brian – I’m not sure about SetEnv, but according to the documentation for mod_headers if someone were to spoof the isSsl request header, and you specified a value for the isSsl header (that was spoofed) in your Apache config using:

RequestHeader set isSsl 1

the “set” command will replace any previously existing header with that name (isSsl) and apply the new value to it (from the config file), thus over-riding any spoofed values.

I haven’t tested this out explicitly, but I’m pretty sure it works as stated.

Apache mod_headers docs:
http://httpd.apache.org/docs/2.2/mod/mod_headers.html#requestheader

]]> By: brian http://www.ghidinelli.com/2010/12/29/checking-for-ssl-behind-a-load-balancer/comment-page-1#comment-61495 brian Thu, 30 Dec 2010 20:23:39 +0000 http://www.ghidinelli.com/?p=1191#comment-61495 @Kurt - thanks, that's another great use of the Apache modules to provide assistance to CF. I have often struggled with how to have a cluster of identically configured (from a CF perspective) machines but also not run the same scheduled tasks on every box. Your header example above made me think that or the setenv approach might be a good way of doing it: SetEnv SCHEDULED_TASKS_PERMITTED 1 The only problem with both the Env and the Header is that it can be spoofed by the user unless you delete it first using mod_rewrite, correct? @Kurt – thanks, that’s another great use of the Apache modules to provide assistance to CF. I have often struggled with how to have a cluster of identically configured (from a CF perspective) machines but also not run the same scheduled tasks on every box. Your header example above made me think that or the setenv approach might be a good way of doing it:

SetEnv SCHEDULED_TASKS_PERMITTED 1

The only problem with both the Env and the Header is that it can be spoofed by the user unless you delete it first using mod_rewrite, correct?

]]> By: Kurt Bonnet http://www.ghidinelli.com/2010/12/29/checking-for-ssl-behind-a-load-balancer/comment-page-1#comment-61494 Kurt Bonnet Thu, 30 Dec 2010 19:08:27 +0000 http://www.ghidinelli.com/?p=1191#comment-61494 Great post. Just wanted to post another technique I've used before for doing this. Much like your SetEnv in Apache, you can use the mod_headers module and set a request header and read it in from CF. i.e. Apache Config: RequestHeader set isSsl 1 Check in CF (In my Application.cfm/cfc): headers = getHttpRequestData().headers; request.a.isSslRequest = 0; if(structKeyExists(headers, "isSsl")) { request.a.isSslRequest = val(headers.isSsl); } ... if( NOT request.a.isSslRequest ) { redirect to secure location... } I've also used this technique to help determine which actual OS/app instance installation my app is running within. In some of my apps I need to ensure scripts are only allowed to run on a particular OS/app installation so I'll do something like: RequestHeader set AppInstance "WS1" And then the "WS1" value/code corresponds to a field in my "app_servers" database table which has varying permissions/configuration values for each of my app server instances. This has made it easy to deal with a single code base that operates across multiple servers that are configured slightly different from one another and that have slight behavioral differences. Hope that makes sense. Congrats on your recent racing win. Great post. Just wanted to post another technique I’ve used before for doing this. Much like your SetEnv in Apache, you can use the mod_headers module and set a request header and read it in from CF.

i.e.
Apache Config:
RequestHeader set isSsl 1

Check in CF (In my Application.cfm/cfc):
headers = getHttpRequestData().headers;
request.a.isSslRequest = 0;
if(structKeyExists(headers, “isSsl”)) {
request.a.isSslRequest = val(headers.isSsl);
}

if( NOT request.a.isSslRequest ) {
redirect to secure location…
}

I’ve also used this technique to help determine which actual OS/app instance installation my app is running within. In some of my apps I need to ensure scripts are only allowed to run on a particular OS/app installation so I’ll do something like:

RequestHeader set AppInstance “WS1″

And then the “WS1″ value/code corresponds to a field in my “app_servers” database table which has varying permissions/configuration values for each of my app server instances. This has made it easy to deal with a single code base that operates across multiple servers that are configured slightly different from one another and that have slight behavioral differences. Hope that makes sense.

Congrats on your recent racing win.

]]> By: brian http://www.ghidinelli.com/2010/12/29/checking-for-ssl-behind-a-load-balancer/comment-page-1#comment-61484 brian Thu, 30 Dec 2010 03:29:36 +0000 http://www.ghidinelli.com/?p=1191#comment-61484 If you wanted to provide maximum type safety, I'd recommend using the following: if (isBoolean(cgi.server_port_secure) AND cgi.server_port_secure) OR (isBoolean(cgi.bigipssl) AND cgi.bigipssl) If you wanted to provide maximum type safety, I’d recommend using the following:

if (isBoolean(cgi.server_port_secure) AND cgi.server_port_secure) OR (isBoolean(cgi.bigipssl) AND cgi.bigipssl)

]]>