| noonedeadpunk | > django docs say this should be stripped from incoming requests at the lb, added only for incoming requests at the lb which were https | 10:40 |
|---|---|---|
| noonedeadpunk | I _think_ we're doing that? | 10:40 |
| noonedeadpunk | just LB does redirect to https | 10:41 |
| noonedeadpunk | though, I guess that it might be easier for us not to handle logic for SECURE_PROXY_SSL_HEADER... | 10:41 |
| noonedeadpunk | yeah, so I'm also kind of confused about the chain we have... | 10:42 |
| noonedeadpunk | and kinda... not sure how to sort that except start debugging what django does recieve in each case | 10:42 |
| noonedeadpunk | as these headers should be used only when _all_ conditions are met... otherwise left as Nne | 10:43 |
| jrosser | noonedeadpunk: we maybe could state that it’s not supported to visit the horizon backend with a browser | 12:02 |
| jrosser | that would start to reduce the complexity as we would have haproxy vip as the entry point always, for internal and external | 12:03 |
| jrosser | it feels like there is still code in the horizon role to support ssl termination at Apache and clients using that directly | 12:06 |
| jrosser | we could start by removing that and relying on haproxy to insert the needed headers | 12:06 |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!