[PATCH] Mail: send starttls flag value to auth script
mdounin at mdounin.ru
Mon Mar 2 14:56:55 UTC 2015
On Mon, Mar 02, 2015 at 03:32:03PM +0100, Michael Kliewe wrote:
> Hi Maxim,
> On Mar 2, 2015, at 3:14 PM, Maxim Dounin wrote:
> > Hello!
> > On Mon, Mar 02, 2015 at 01:12:44PM +0100, Michael Kliewe
> > wrote:
> >> with your changes there is a problem:
> >> nginx now just sends the header if the connection is
> >> encrypted. If the connection is not encrypted, then there is
> >> no header sent to the auth script.
> >> In the auth script I cannot distinguish between "user did not
> >> use encryption" and "nginx doesn't have the feature" (because
> >> of mixed nginx versions).
> >> With the original version of the patch this was possible.
> > Try updating all your nginx instances before using the header
> > for something limiting, it is expected to resolve your
> > problem.
> > Either way, the only safe thing to do if "nginx doesn't have
> > the feature" is to assume there is no SSL if SSL matters. And
> > that's what current behaviour encourages.
> You are kind of right, but currently I'm distinguishing between
> "encrypted", "not-encrypted" and "unknown", because we have
> different versions of nginx in different setups. I cannot update
> all nginx versions in parallel in all setups. That's why your
> tip does not help me ;-/
> I need to distinguish between "not-encrypted" and "unknown",
> because I want to warn all users still using not-encrypted
> connections. With your patch I cannot distinguish between them,
> and would send false warnings...
So switch off warnings till the update is complete. That's an
easy way to go.
Alternatively, you may use the "auth_http_header" directive
(http://nginx.org/r/auth_http_header) to distinguish between
> Would it be complicated to send "Auth-SSL: off" in case there
> was no encryption? It's just one "else" more, and solves all
You are trying to solve your particular deployment problem by
introducing the flag which will be here for all users forever.
This doesn't look like a good solution to me.