commit a3a854aedfb356782dfebfa039ebbf3158cf7161
parent 6ca2a5cefe5e22340377a3dbb7c67512e51d61ba
Author: Sebastian <sebasjm@gmail.com>
Date: Fri, 1 Jul 2022 16:47:06 -0300
check X-Forwarded-Proto when constructing an URI, useful behind a reverse proxy
Diffstat:
5 files changed, 101 insertions(+), 13 deletions(-)
diff --git a/src/backend/taler-merchant-httpd_get-orders-ID.c b/src/backend/taler-merchant-httpd_get-orders-ID.c
@@ -377,6 +377,8 @@ TMH_make_order_status_url (struct MHD_Connection *con,
{
const char *host;
const char *forwarded_host;
+ const char *forwarded_proto;
+ bool proxy_says_https;
const char *uri_path;
struct GNUNET_Buffer buf = { 0 };
/* Number of query parameters written so far */
@@ -388,6 +390,13 @@ TMH_make_order_status_url (struct MHD_Connection *con,
forwarded_host = MHD_lookup_connection_value (con,
MHD_HEADER_KIND,
"X-Forwarded-Host");
+ forwarded_proto = MHD_lookup_connection_value (con,
+ MHD_HEADER_KIND,
+ "X-Forwarded-Proto");
+ proxy_says_https = ( (NULL != forwarded_proto) &&
+ (0 == strcmp ("https",
+ forwarded_proto)))
+
uri_path = MHD_lookup_connection_value (con,
MHD_HEADER_KIND,
"X-Forwarded-Prefix");
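Review bot: The added assignment to `proxy_says_https` has no terminating semicolon: it ends with `forwarded_proto)))` and the next statement, `uri_path = MHD_lookup_connection_value (...)`, follows directly, so as shown this would not compile. The last added line of the assignment should read `forwarded_proto)));`. The same assignment appears without the semicolon in TMH_make_taler_tip_uri and TMH_make_tip_status_url (get-tips-ID.c), make_taler_refund_uri, make_merchant_base_url and make_static_url. The body of TMH_make_order_status_url starts and continues outside this hunk.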
@@ -406,12 +415,17 @@ TMH_make_order_status_url (struct MHD_Connection *con,
GNUNET_assert (NULL != instance_id);
GNUNET_assert (NULL != order_id);
- if (GNUNET_NO == TALER_mhd_is_https (con))
+ if (GNUNET_NO == TALER_mhd_is_https (con) &&
+ ! proxy_says_https)
+ {
GNUNET_buffer_write_str (&buf,
"http://");
+ }
else
+ {
GNUNET_buffer_write_str (&buf,
"https://");
+ }
GNUNET_buffer_write_str (&buf,
host);
if (NULL != uri_path)
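Review bot: The scheme of the generated URL now depends on `X-Forwarded-Proto`, a request header that any client can set unless a reverse proxy in front overwrites or strips it, and nothing visible in this hunk limits it to a trusted proxy. A client that reaches the backend directly can therefore make it emit `https://` links for a plain-HTTP listener. The condition can only upgrade to https, so it is not a downgrade path, but the deployment requirement belongs next to the check, for example `/* X-Forwarded-Proto is only trustworthy when the reverse proxy sets or strips it; clients must not reach this port directly */`. The same condition is used in the other five URL builders changed by this commit; in make_merchant_base_url the result is presumably stored with the order, so confirm how far the value propagates. The function body extends beyond this hunk.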
diff --git a/src/backend/taler-merchant-httpd_get-tips-ID.c b/src/backend/taler-merchant-httpd_get-tips-ID.c
@@ -35,6 +35,8 @@ TMH_make_taler_tip_uri (struct MHD_Connection *con,
{
const char *host;
const char *forwarded_host;
+ const char *forwarded_proto;
+ bool proxy_says_https;
const char *uri_path;
struct GNUNET_Buffer buf = { 0 };
@@ -45,6 +47,14 @@ TMH_make_taler_tip_uri (struct MHD_Connection *con,
MHD_HEADER_KIND,
"X-Forwarded-Host");
+ forwarded_proto = MHD_lookup_connection_value (con,
+ MHD_HEADER_KIND,
+ "X-Forwarded-Proto");
+
+ proxy_says_https = ( (NULL != forwarded_proto) &&
+ (0 == strcmp ("https",
+ forwarded_proto)))
+
uri_path = MHD_lookup_connection_value (con,
MHD_HEADER_KIND,
"X-Forwarded-Prefix");
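Review bot: The comparison `0 == strcmp ("https", forwarded_proto)` is an exact, case-sensitive match, so a proxy that sends `HTTPS` or a chained value such as `https, http` is treated as plain HTTP. In this function that produces a `taler+http://` URI even though the client-facing connection was TLS, which (assuming the wallet follows the scheme) would move follow-up requests to cleartext. Consider `0 == strcasecmp ("https", forwarded_proto)` and, if chained proxies are expected, comparing only the first comma-separated element. The same comparison appears in all six functions touched by this commit. The function body extends beyond this hunk.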
@@ -62,9 +72,13 @@ TMH_make_taler_tip_uri (struct MHD_Connection *con,
GNUNET_buffer_write_str (&buf,
"taler");
- if (GNUNET_NO == TALER_mhd_is_https (con))
+
+ if (GNUNET_NO == TALER_mhd_is_https (con) &&
+ ! proxy_says_https)
+ {
GNUNET_buffer_write_str (&buf,
"+http");
+ }
GNUNET_buffer_write_str (&buf,
"://tip/");
GNUNET_buffer_write_str (&buf,
@@ -97,6 +111,8 @@ TMH_make_tip_status_url (struct MHD_Connection *con,
{
const char *host;
const char *forwarded_host;
+ const char *forwarded_proto;
+ bool proxy_says_https;
const char *uri_path;
struct GNUNET_Buffer buf = { 0 };
@@ -107,6 +123,13 @@ TMH_make_tip_status_url (struct MHD_Connection *con,
MHD_HEADER_KIND,
"X-Forwarded-Host");
+ forwarded_proto = MHD_lookup_connection_value (con,
+ MHD_HEADER_KIND,
+ "X-Forwarded-Proto");
+ proxy_says_https = ( (NULL != forwarded_proto) &&
+ (0 == strcmp ("https",
+ forwarded_proto)))
+
uri_path = MHD_lookup_connection_value (con,
MHD_HEADER_KIND,
"X-Forwarded-Prefix");
@@ -122,12 +145,17 @@ TMH_make_tip_status_url (struct MHD_Connection *con,
GNUNET_assert (NULL != instance_id);
GNUNET_assert (NULL != tip_id);
- if (GNUNET_NO == TALER_mhd_is_https (con))
+ if (GNUNET_NO == TALER_mhd_is_https (con) &&
+ ! proxy_says_https)
+ {
GNUNET_buffer_write_str (&buf,
"http://");
+ }
else
+ {
GNUNET_buffer_write_str (&buf,
"https://");
+ }
GNUNET_buffer_write_str (&buf,
host);
if (NULL != uri_path)
diff --git a/src/backend/taler-merchant-httpd_private-post-orders-ID-refund.c b/src/backend/taler-merchant-httpd_private-post-orders-ID-refund.c
@@ -84,6 +84,8 @@ make_taler_refund_uri (struct MHD_Connection *connection,
{
const char *host;
const char *forwarded_host;
+ const char *forwarded_proto;
+ bool proxy_says_https;
const char *uri_path;
struct GNUNET_Buffer buf = { 0 };
@@ -95,6 +97,13 @@ make_taler_refund_uri (struct MHD_Connection *connection,
forwarded_host = MHD_lookup_connection_value (connection,
MHD_HEADER_KIND,
"X-Forwarded-Host");
+ forwarded_proto = MHD_lookup_connection_value (connection,
+ MHD_HEADER_KIND,
+ "X-Forwarded-Proto");
+ proxy_says_https = ( (NULL != forwarded_proto) &&
+ (0 == strcmp ("https",
+ forwarded_proto)))
+
uri_path = MHD_lookup_connection_value (connection,
MHD_HEADER_KIND,
"X-Forwarded-Prefix");
@@ -107,8 +116,13 @@ make_taler_refund_uri (struct MHD_Connection *connection,
return NULL;
}
GNUNET_buffer_write_str (&buf, "taler");
- if (GNUNET_NO == TALER_mhd_is_https (connection))
- GNUNET_buffer_write_str (&buf, "+http");
+
+ if (GNUNET_NO == TALER_mhd_is_https (connection) &&
+ ! proxy_says_https)
+ {
+ GNUNET_buffer_write_str (&buf,
+ "+http");
+ }
GNUNET_buffer_write_str (&buf, "://refund/");
GNUNET_buffer_write_str (&buf, host);
if (NULL != uri_path)
diff --git a/src/backend/taler-merchant-httpd_private-post-orders.c b/src/backend/taler-merchant-httpd_private-post-orders.c
@@ -116,19 +116,39 @@ make_merchant_base_url (struct MHD_Connection *connection,
{
const char *host;
const char *forwarded_host;
+ const char *forwarded_proto;
+ bool proxy_says_https;
const char *uri_path;
struct GNUNET_Buffer buf = { 0 };
- if (GNUNET_YES == TALER_mhd_is_https (connection))
- GNUNET_buffer_write_str (&buf, "https://");
- else
- GNUNET_buffer_write_str (&buf, "http://");
host = MHD_lookup_connection_value (connection,
MHD_HEADER_KIND,
MHD_HTTP_HEADER_HOST);
forwarded_host = MHD_lookup_connection_value (connection,
MHD_HEADER_KIND,
"X-Forwarded-Host");
+ forwarded_proto = MHD_lookup_connection_value (connection,
+ MHD_HEADER_KIND,
+ "X-Forwarded-Proto");
+ proxy_says_https = ( (NULL != forwarded_proto) &&
+ (0 == strcmp ("https",
+ forwarded_proto)))
+
+ uri_path = MHD_lookup_connection_value (connection,
+ MHD_HEADER_KIND,
+ "X-Forwarded-Prefix");
+
+ if (GNUNET_NO == TALER_mhd_is_https (connection) &&
+ ! proxy_says_https)
+ {
+ GNUNET_buffer_write_str (&buf,
+ "http://");
+ }
+ else
+ {
+ GNUNET_buffer_write_str (&buf,
+ "https://");
+ }
if (NULL != forwarded_host)
{
GNUNET_buffer_write_str (&buf,
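Review bot: The header lookup, the `strcmp` and the `GNUNET_NO == TALER_mhd_is_https (...) && ! proxy_says_https` condition are now copy-pasted into six functions across five files, so any later change to the proxy handling has to be made six times. A single helper that reports whether the client-facing scheme is https would keep the rule in one place and remove the two new locals from each caller. The sketch below keeps the commit's logic (https unless the connection is reported as non-TLS and the header does not say `https`); the helper name is a suggestion, and it would need a declaration in a header shared by these files. make_merchant_base_url continues past this hunk.

```c
/* Suggested shared helper; the name is a placeholder. */
bool
request_scheme_is_https (struct MHD_Connection *connection)
{
  const char *forwarded_proto;

  if (GNUNET_NO != TALER_mhd_is_https (connection))
    return true;
  /* Only meaningful when a reverse proxy sets or strips this header. */
  forwarded_proto = MHD_lookup_connection_value (connection,
                                                 MHD_HEADER_KIND,
                                                 "X-Forwarded-Proto");
  return (NULL != forwarded_proto) &&
         (0 == strcmp ("https",
                       forwarded_proto));
}

/* in make_merchant_base_url, replacing the if/else on the scheme: */
  GNUNET_buffer_write_str (&buf,
                           request_scheme_is_https (connection)
                           ? "https://"
                           : "http://");
/* … unchanged: Host / X-Forwarded-Host selection … */
```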
@@ -140,9 +160,6 @@ make_merchant_base_url (struct MHD_Connection *connection,
GNUNET_buffer_write_str (&buf,
host);
}
- uri_path = MHD_lookup_connection_value (connection,
- MHD_HEADER_KIND,
- "X-Forwarded-Prefix");
if (NULL != uri_path)
GNUNET_buffer_write_path (&buf, uri_path);
diff --git a/src/backend/taler-merchant-httpd_templating.c b/src/backend/taler-merchant-httpd_templating.c
@@ -121,6 +121,8 @@ make_static_url (struct MHD_Connection *con,
{
const char *host;
const char *forwarded_host;
+ const char *forwarded_proto;
+ bool proxy_says_https;
const char *uri_path;
struct GNUNET_Buffer buf = { 0 };
@@ -130,6 +132,14 @@ make_static_url (struct MHD_Connection *con,
forwarded_host = MHD_lookup_connection_value (con,
MHD_HEADER_KIND,
"X-Forwarded-Host");
+ forwarded_proto = MHD_lookup_connection_value (con,
+ MHD_HEADER_KIND,
+ "X-Forwarded-Proto");
+
+ proxy_says_https = ( (NULL != forwarded_proto) &&
+ (0 == strcmp ("https",
+ forwarded_proto)))
+
uri_path = MHD_lookup_connection_value (con,
MHD_HEADER_KIND,
@@ -145,12 +155,17 @@ make_static_url (struct MHD_Connection *con,
GNUNET_assert (NULL != instance_id);
- if (GNUNET_NO == TALER_mhd_is_https (con))
+ if (GNUNET_NO == TALER_mhd_is_https (con) &&
+ ! proxy_says_https)
+ {
GNUNET_buffer_write_str (&buf,
"http://");
+ }
else
+ {
GNUNET_buffer_write_str (&buf,
"https://");
+ }
GNUNET_buffer_write_str (&buf,
host);
if (NULL != uri_path)