Is there a way to make user logins work whether you're connecting over HTTP or HTTPS on the same instance?
I know that to get user logins to work without https, you have to add this to /etc/lava-server/settings.conf:
"CSRF_COOKIE_SECURE": false, "SESSION_COOKIE_SECURE": false,
But it would be nice if user logins would also work over https at the same time.
The use case for this is an internal LAVA instance that doesn't have https so internal connections are all over http. The same instance is also available to the outside world via an nginx reverse proxy with TLS termination, so connections from outside are over https.
Can it be made to work for both internal (http) and external (https) connections?
Thanks,
Kevin
On 8 February 2018 at 22:34, Kevin Hilman <khilman@baylibre.com> wrote:
> Is there a way to make user logins work whether you're connecting over HTTP or HTTPS on the same instance?
> I know that to get user logins to work without https, you have to add this to /etc/lava-server/settings.conf:
> "CSRF_COOKIE_SECURE": false, "SESSION_COOKIE_SECURE": false,
> But it would be nice if user logins would also work over https at the same time.
> The use case for this is an internal LAVA instance that doesn't have https so internal connections are all over http. The same instance is also available to the outside world via an nginx reverse proxy with TLS termination, so connections from outside are over https.
> Can it be made to work for both internal (http) and external (https) connections?
This comes down to nginx, DNS and Django configuration. It's outside the scope of what LAVA can do itself. The Harston lab uses a reverse proxy (with Apache) but all access to the instance is using the fully qualified domain name, not localhost. IIRC the lab internal network resolves that without needing to go out and back again. The only time we use localhost is for developer instances on our own laptops.
Django itself cannot be aware of the reverse proxy, so it has one configuration for all requests. I'd recommend that sites with any external visibility use https.
I would suggest that your lab is reconfigured so that localhost isn't used and that local requests for the instance get routed without going to external DNS. Then the settings to allow localhost logins can be reset to the defaults and everyone uses https, without using localhost, but the routing takes care of avoiding extraneous network traffic.
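Why the two settings quoted in the thread decide whether a login survives over plain HTTP, shown as an added example that is not part of the original messages or of LAVA's code. It uses Python's `http.cookiejar` as a stand-in for a browser. Assumptions: the host name and cookie values are constructed, `sessionid` and `csrftoken` are Django's default cookie names, and `true` is taken to be the value the override replaces.

```python
import email.message
import json
import urllib.request
from http.cookiejar import CookieJar

# Constructed settings.conf fragments: the override quoted in the thread, and
# the secure values it replaces (assumed here to be the instance defaults).
OVERRIDE = json.loads('{"CSRF_COOKIE_SECURE": false, "SESSION_COOKIE_SECURE": false}')
DEFAULTS = json.loads('{"CSRF_COOKIE_SECURE": true, "SESSION_COOKIE_SECURE": true}')

HOST = "lava.example.com"  # placeholder host name


class FakeResponse:
    """Minimal response object exposing Set-Cookie headers to CookieJar."""

    def __init__(self, set_cookie_headers):
        self._msg = email.message.Message()
        for value in set_cookie_headers:
            self._msg["Set-Cookie"] = value  # Message appends, it does not replace

    def info(self):
        return self._msg


def set_cookie_headers(settings):
    """Build login-response cookies, adding Secure when the setting is true."""
    cookies = [("sessionid", "constructed-session", settings["SESSION_COOKIE_SECURE"]),
               ("csrftoken", "constructed-token", settings["CSRF_COOKIE_SECURE"])]
    return [f"{name}={value}; Path=/" + ("; Secure" if secure else "")
            for name, value, secure in cookies]


def cookies_sent_back(settings, scheme):
    """Return the cookie names a client sends on its next request over `scheme`."""
    jar = CookieJar()
    url = f"{scheme}://{HOST}/"
    jar.extract_cookies(FakeResponse(set_cookie_headers(settings)),
                        urllib.request.Request(url))
    follow_up = urllib.request.Request(url)
    jar.add_cookie_header(follow_up)  # Secure cookies are withheld on http
    header = follow_up.get_header("Cookie", "")
    return sorted(part.split("=", 1)[0] for part in header.split("; ") if part)


if __name__ == "__main__":
    for label, settings in (("secure", DEFAULTS), ("override", OVERRIDE)):
        for scheme in ("http", "https"):
            print(label, scheme, cookies_sent_back(settings, scheme))
```

With the secure values, the HTTP client returns no cookies, so the session never sticks; with the override, both schemes work, but over HTTP the session and CSRF cookies cross the network in cleartext.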