Add a parameter to origin_referrer_check, to skip checking scheme
asmanur opened this issue · comments
Hello,
I am running a dream server under a lighttpd proxy. The lighttpd is listening on https to the outer world but communicates in http internally with the dream server. This confuses the ORC because it sees a request with a host 'https://host' but is a http server. I was wondering if we could add a parameter to origin_referrer_check to skip the check of the schemes?
Anyways, thanks for the wonderful work on dream.
@asmanur try adding this to your lighttpd.conf reverse-proxy config:
    proxy.header += (
        "https-remap" => "enable",
        "map-host-request" => ("-" => "-"),
        "map-host-response" => ("-" => "-")
    )
I encountered the same issue with an nginx proxy terminating the tls for a dream backend.
Counter-intuitively, while trying to get the headers to match, I got this error:
    Origin-Host mismatch: 'https://aaa.bbb.org.uk:8000' vs. 'https://aaa.bbb.org.uk:8000'
That was because the actual scheme in the Origin header isn't compared to the Host header but to Helpers.tls request, which presumably is false because dream isn't handling the tls.
For anyone who comes across the same issue, the config for nginx needed to be:
    proxy_set_header Host $http_host;
    proxy_set_header Origin http://$http_host;
Personally, I think just a note in the e-json example would be enough to cover this issue. You could include the example config fragments - with apache/haproxy examples too that would cover most people I suspect.
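
A simplified Python model of the comparison described in this thread, added here as an illustration and not taken from Dream's source or from any commenter. It assumes the check compares only the Origin scheme against the backend's TLS state and the Origin authority against the Host header; `failed_parts`, `proxy_rewrite`, `backend_view` and `other.example` are hypothetical names.

```python
from urllib.parse import urlsplit

def failed_parts(origin, host_header, backend_tls):
    """Model of the check as described in the thread (an assumption, not
    Dream's code): the Origin scheme is judged against whether the backend
    connection is TLS, and the Origin authority against the Host header.
    Returns the list of parts that do not match."""
    o = urlsplit(origin)
    expected_scheme = "https" if backend_tls else "http"
    failed = []
    if o.scheme != expected_scheme:
        failed.append("scheme")
    if o.netloc.lower() != host_header.lower():
        failed.append("host")
    return failed

def proxy_rewrite(client_headers):
    """Effect of the two nginx directives quoted above: Host is forwarded
    unchanged and Origin is replaced with http://<client Host>."""
    host = client_headers["Host"]
    return {"Host": host, "Origin": "http://" + host}

def backend_view(headers, backend_tls=False):
    """What a plain-HTTP backend behind the proxy concludes."""
    return failed_parts(headers["Origin"], headers["Host"], backend_tls)

# Constructed requests; the host name is the one from the error message above.
SITE = "aaa.bbb.org.uk:8000"
same_site = {"Host": SITE, "Origin": "https://" + SITE}
cross_site = {"Host": SITE, "Origin": "https://other.example"}  # constructed

if __name__ == "__main__":
    # Headers forwarded untouched: host matches, scheme does not.
    print(backend_view(same_site))
    # Headers rewritten by the proxy: the check passes.
    print(backend_view(proxy_rewrite(same_site)))
    # A cross-site Origin forwarded untouched is rejected on both parts.
    print(backend_view(cross_site))
    # After the rewrite the same request passes, because Origin is now
    # derived from Host and no longer carries the browser's value.
    print(backend_view(proxy_rewrite(cross_site)))
```

With the Origin header overwritten at the proxy, the backend compares the Host header with a value derived from it, so the last case passes and the check no longer reflects the browser's origin.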