Bug 204374 - Let Bugzilla know when it's being accessed via SSL
Summary: Let Bugzilla know when it's being accessed via SSL
Status: Closed FIXED
Alias: None
Product: Services
Classification: Unclassified
Component: Bug Tracker (show other bugs)
Version: unspecified
Hardware: Any Any
: --- Affects Many People
Assignee: Peter Wemm
URL:
Keywords: feature
Depends on:
Blocks: 206426 192916 200004
  Show dependency treegraph
 
Reported: 2015-11-08 10:36 UTC by Kubilay Kocak
Modified: 2016-02-06 13:20 UTC (History)
2 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Kubilay Kocak freebsd_committer freebsd_triage 2015-11-08 10:36:16 UTC
It appears that on 'attachment edit ' pages to the following (non-HTTPS) host is being returned by requests like: https://bugs.freebsd.org/bugzilla/attachment.cgi?id=<attachmentid>:

302 -> Location: http://bz-attachments.freebsd.org/attachment.cgi?id=<attachmentid>

This protocol (http/https) mismatch causes a warning error in browsers to alert the user of mixed-(security)-content.

The current Bugzilla setting value for "attachment_base" (Attachments section) is

http://bz-attachments.freebsd.org/

Changing http to https in the above setting changes the Location: URL in the response above, BUT also causes an infinite redirect loop.

We obviously want:

* All URL's/media to be served under HTTPS
* Not infinite redirect loops

It would also be nice/good to enable the "ssl_redirect" setting in "Required Settings". Description of setting as follows:

When this is enabled, FreeBSD Bugzilla will ensure that every page is accessed over SSL, by redirecting any plain HTTP requests to HTTPS using the sslbase parameter. Also, when this is enabled, FreeBSD Bugzilla will send out links using sslbase in emails instead of urlbase. 

Currently urlbase and sslbase have identical values.
Comment 1 Peter Wemm freebsd_committer freebsd_triage 2016-01-23 19:15:16 UTC
The problem was that bugzilla believes it is being accessed via http, so it generates http-relative urls.  If you set the attachments prefix to https:, it goes into an infinite loop.

For the wiki, I added this to the apache virtual config:
SetEnv HTTPS on

I've done the same to bugzilla and changed the attachment base.  I believe it is working now.

Changes:
Admin->Attachments->attachment_base  changed from http to https

apache config:
      # Frontend forces https, let the backend know this so it generates https links.
      SetEnv HTTPS on

I tested this URL to check for no redirect loop:

https://bugs.freebsd.org/bugzilla/attachment.cgi?id=165864
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2016-01-23 19:33:39 UTC
(In reply to Peter Wemm from comment #1)

Confirming that the URL loads fine after a single redirect, thank you Peter.

What is the thing that sees the HTTPS environment variable and modifies its output accordingly? Is it a bugzilla setting, a perl module thing, or just a standard CGI mechanic?

Could you please also make the same changes to our bugzilla test instance so that is remains in configuration sync

I'm re-shuffling related/dependent issue summaries since you responded/resolve on this issue.
Comment 3 Peter Wemm freebsd_committer freebsd_triage 2016-01-24 06:24:06 UTC
It's a CGI mechanic.  Normally apache's mod_ssl would set this implicitly.  Since mod_ssl isn't being used here and there's a separate front end, the setenv method appears to be sufficient.

Yes, the same change was made on the test environment.