[PATCH] SPDY: set $scheme from scheme request header

Valentin V. Bartenev vbart at nginx.com
Wed Jan 29 22:36:59 UTC 2014


On Wednesday 29 January 2014 23:06:40 Ragnar Rova wrote:
> # HG changeset patch
> # User Ragnar Rova <ragnar.rova at gmail.com>
> # Date 1391033075 -3600
> #      Wed Jan 29 23:04:35 2014 +0100
> # Node ID 6654eae26c8b2a718e5ad116650faf37f7be7aa9
> # Parent  01e2a5bcdd8f65f4f7bcb23ac35911da08e5945f
> SPDY: set $scheme from scheme request header.
> 
> $scheme variable is always "https" when using spdy, existing code
> just sets scheme to https based on if we are on a ssl connection.

Yes, and it is intentionally.

> In spdy, there is a scheme header which should be used.

There is nothing special about spdy, the scheme also can be passed using 
request line in plain http or https, and nginx ignores it too.

> Chrome uses http:// urls when establishing connections to sites using the
> Alternate-Protocol header. If you want some locations to be visible
> to the user as https, you can use $scheme in a http to https
> redirect rule.

You can use it without this change.  But the patch converts $scheme from
a configuration restricted variable into an untrusted one (which can contain 
arbitrary value sent by client).

  wbr, Valentin V. Bartenev



More information about the nginx-devel mailing list