Bug 204374

Summary: Let Bugzilla know when it's being accessed via SSL
Product: Services Reporter: Kubilay Kocak <koobs>
Component: Bug TrackerAssignee: Peter Wemm <peter>
Status: Closed FIXED    
Severity: Affects Many People CC: bugmeister, clusteradm
Priority: --- Keywords: feature
Version: unspecified   
Hardware: Any   
OS: Any   
See Also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206426
Bug Depends on:    
Bug Blocks: 206426, 192916, 200004    

Description Kubilay Kocak freebsd_committer freebsd_triage 2015-11-08 10:36:16 UTC 
It appears that on 'attachment edit ' pages to the following (non-HTTPS) host is being returned by requests like: https://bugs.freebsd.org/bugzilla/attachment.cgi?id=<attachmentid>:

302 -> Location: http://bz-attachments.freebsd.org/attachment.cgi?id=<attachmentid>

This protocol (http/https) mismatch causes a warning error in browsers to alert the user of mixed-(security)-content.

The current Bugzilla setting value for "attachment_base" (Attachments section) is

http://bz-attachments.freebsd.org/

Changing http to https in the above setting changes the Location: URL in the response above, BUT also causes an infinite redirect loop.

We obviously want:

* All URL's/media to be served under HTTPS
* Not infinite redirect loops

It would also be nice/good to enable the "ssl_redirect" setting in "Required Settings". Description of setting as follows:

When this is enabled, FreeBSD Bugzilla will ensure that every page is accessed over SSL, by redirecting any plain HTTP requests to HTTPS using the sslbase parameter. Also, when this is enabled, FreeBSD Bugzilla will send out links using sslbase in emails instead of urlbase. 

Currently urlbase and sslbase have identical values.
Comment 1 Peter Wemm freebsd_committer freebsd_triage 2016-01-23 19:15:16 UTC 
The problem was that bugzilla believes it is being accessed via http, so it generates http-relative urls.  If you set the attachments prefix to https:, it goes into an infinite loop.

For the wiki, I added this to the apache virtual config:
SetEnv HTTPS on

I've done the same to bugzilla and changed the attachment base.  I believe it is working now.

Changes:
Admin->Attachments->attachment_base  changed from http to https

apache config:
      # Frontend forces https, let the backend know this so it generates https links.
      SetEnv HTTPS on

I tested this URL to check for no redirect loop:

https://bugs.freebsd.org/bugzilla/attachment.cgi?id=165864
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2016-01-23 19:33:39 UTC 
(In reply to Peter Wemm from comment #1)

Confirming that the URL loads fine after a single redirect, thank you Peter.

What is the thing that sees the HTTPS environment variable and modifies its output accordingly? Is it a bugzilla setting, a perl module thing, or just a standard CGI mechanic?

Could you please also make the same changes to our bugzilla test instance so that is remains in configuration sync

I'm re-shuffling related/dependent issue summaries since you responded/resolve on this issue.
Comment 3 Peter Wemm freebsd_committer freebsd_triage 2016-01-24 06:24:06 UTC 
It's a CGI mechanic.  Normally apache's mod_ssl would set this implicitly.  Since mod_ssl isn't being used here and there's a separate front end, the setenv method appears to be sufficient.

Yes, the same change was made on the test environment.