On 8 February 2018 at 22:34, Kevin Hilman <khilman@baylibre.com> wrote:
> Is there a way to make user logins work whether you're connecting
> over HTTP or HTTPS on the same instance?
>
> I know that to get user logins to work without https, you have to add
> this to /etc/lava-server/settings.conf:
>
>         "CSRF_COOKIE_SECURE": false,
>         "SESSION_COOKIE_SECURE": false,
>
> But it would be nice if user logins would also work over https at the same time.
>
> The use case for this is an internal LAVA instance that doesn't have
> https so internal connections are all over http.  The same instance is
> also available to the outside world via an nginx reverse proxy with
> TLS termination, so connections from outside are over https.
>
> Can it be made to work for both internal (http) and external (https)
> connections?

This comes down to nginx, DNS and Django configuration. It's outside the scope of what LAVA can do itself. The Harston lab uses a reverse proxy (with Apache) but all access to the instance is using the fully qualified domain name, not localhost. IIRC the lab internal network resolves that without needing to go out and back again. The only time we use localhost is for developer instances on our own laptops.
 
Django itself cannot be aware of the reverse proxy, so it has one configuration for all requests. I'd recommend that for sites with any external visibility, that should be https.

I would suggest that your lab is reconfigured so that localhost isn't used and that local requests for the instance get routed without going to external DNS. Then the settings to allow localhost logins can be reset to the defaults and everyone uses https, without using localhost, but the routing takes care of avoiding extraneous network traffic.
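
The effect of the two cookie settings discussed in this thread, as an added example (not code from either poster or from LAVA): Python's standard-library cookie jar stands in for a browser and shows which cookies come back after a login over each scheme. The hostname, URL paths and cookie values are constructed; `sessionid` and `csrftoken` are Django's default cookie names.

```python
import email.message
import urllib.request
from http.cookiejar import CookieJar

HOST = "lava.example.test"  # constructed hostname, not from the thread


class FakeResponse:
    """Minimal response object carrying only Set-Cookie headers."""

    def __init__(self, set_cookie_values):
        self._headers = email.message.Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value  # Message appends duplicates

    def info(self):
        return self._headers


def login_cookies(secure):
    """Set-Cookie values as issued when both *_COOKIE_SECURE settings equal `secure`."""
    flag = "; Secure" if secure else ""
    # Django's default cookie names; the values are constructed.
    return [f"sessionid=constructed-session; Path=/{flag}",
            f"csrftoken=constructed-token; Path=/{flag}"]


def cookies_returned(secure, login_scheme, next_scheme):
    """Names of the cookies a client sends on the request after logging in."""
    jar = CookieJar()
    # Constructed URL paths, used only to give the jar a request to match.
    login = urllib.request.Request(f"{login_scheme}://{HOST}/accounts/login/")
    jar.extract_cookies(FakeResponse(login_cookies(secure)), login)
    follow_up = urllib.request.Request(f"{next_scheme}://{HOST}/scheduler/")
    jar.add_cookie_header(follow_up)
    header = follow_up.get_header("Cookie", "")
    return sorted(pair.split("=")[0] for pair in header.split("; ") if pair)


if __name__ == "__main__":
    for secure, login, nxt in [(True, "https", "https"), (True, "http", "http"),
                               (False, "http", "http"), (False, "https", "http")]:
        print(f"secure={secure!s:5} login={login:5} next={nxt:5} ->",
              cookies_returned(secure, login, nxt))
```

With the flags on, a login over plain HTTP gets no cookies back, so the session never sticks; with them off, cookies issued over HTTPS are also sent on plain-HTTP requests to the same host.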

