[PATCH] Mail: send starttls flag value to auth script

Maxim Dounin mdounin at mdounin.ru
Mon Mar 2 14:56:55 UTC 2015


On Mon, Mar 02, 2015 at 03:32:03PM +0100, Michael Kliewe wrote:

> Hi Maxim,
> On Mar 2, 2015, at 3:14 PM, Maxim Dounin wrote:
> > Hello!
> > 
> > On Mon, Mar 02, 2015 at 01:12:44PM +0100, Michael Kliewe 
> > wrote:
> > 
> >> with your changes there is a problem:
> >> nginx now just sends the header if the connection is 
> >> encrypted.  If the connection is not encrypted, then there is 
> >> no header sent to the auth script.
> >> In the auth script I cannot distinguish between "user did not 
> >> use encryption" and "nginx doesn't have the feature" (because 
> >> of mixed nginx versions).
> >> With the original version of the patch this was possible.
> > 
> > Try updating all your nginx instances before using the header 
> > for something limiting, it is expected to resolve your 
> > problem.
> > 
> > Either way, the only safe thing to do if "nginx doesn't have 
> > the feature" is to assume there is no SSL if SSL matters.  And 
> > that's what current behaviour encourages.
> You are kind of right, but currently I'm distinguishing between 
> "encrypted", "not-encrypted" and "unknown", because we have 
> different versions of nginx in different setups. I cannot update 
> all nginx versions in parallel in all setups. That's why your 
> tip does not help me ;-/
> I need to distinguish between "not-encrypted" and "unknown", 
> because I want to warn all users still using not-encrypted 
> connections. With your patch I cannot distinguish between them, 
> and would send false warnings...

So switch off warnings till the update is complete.  That's an 
easy way to go.

Alternatively, you may use the "auth_http_header" directive
(http://nginx.org/r/auth_http_header) to distinguish between 
various installations.

> Would it be complicated to send "Auth-SSL: off" in case there 
> was no encryption? It's just one "else" more, and solves all 
> problems.

You are trying to solve your particular deployment problem by 
introducing the flag which will be here for all users forever.  
This doesn't look like a good solution to me.

Maxim Dounin
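
Added example, not part of the message above and not nginx code: one way an auth script could apply both suggestions from the thread, treating a missing Auth-SSL header as "no SSL" for enforcement while using a marker set via auth_http_header to avoid false warnings. The header name X-Auth-SSL-Capable, its value and the function names are assumptions made for illustration; "Auth-SSL: on" is the value nginx sends for encrypted connections.

```python
# Added example (not from the thread). X-Auth-SSL-Capable is a hypothetical
# header name, set only on upgraded nginx instances with:
#     auth_http_header X-Auth-SSL-Capable 1;
from enum import Enum


class Transport(Enum):
    ENCRYPTED = "encrypted"
    NOT_ENCRYPTED = "not-encrypted"
    UNKNOWN = "unknown"


def _get(headers, name):
    """Case-insensitive header lookup; returns '' when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def classify(headers):
    """Map auth_http request headers to the three states from the thread."""
    if _get(headers, "Auth-SSL").lower() == "on":
        return Transport.ENCRYPTED
    if _get(headers, "X-Auth-SSL-Capable") == "1":
        # Upgraded nginx would have sent Auth-SSL; its absence means plaintext.
        return Transport.NOT_ENCRYPTED
    return Transport.UNKNOWN


def decide(headers, require_ssl=False):
    """Return (allow, warn_user) for one auth request."""
    state = classify(headers)
    # Enforcement fails closed: anything not proven encrypted counts as no SSL.
    allow = state is Transport.ENCRYPTED or not require_ssl
    # Warn only when plaintext is certain, so old instances cause no false warnings.
    warn = state is Transport.NOT_ENCRYPTED
    return allow, warn


# Constructed sample requests, one per deployment state.
SAMPLES = {
    "upgraded, TLS": {"Auth-User": "alice", "Auth-SSL": "on", "X-Auth-SSL-Capable": "1"},
    "upgraded, plaintext": {"Auth-User": "bob", "X-Auth-SSL-Capable": "1"},
    "old nginx": {"Auth-User": "carol"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, classify(hdrs).value, decide(hdrs, require_ssl=True))
```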
