Fixing HTTPS in TurboGears 0.9a6
Mon, 05/15/2006 - 03:41 — Derek Anderson
Note to those coming from Sam Johnston's blog
I wonder how much time it took him to find a blog post that he could use to cast our team in a negative light via my blog... Complaining about my changing a proxy configuration from 2 years ago seems a bit of a stretch, esp. since we released with the problem fixed. Ah well, I suppose if he had some positive comment about anything, I would just drop dead from shock.
Update: I tossed out my problematic lighttpd config, and moved back to apache. Two lines, and everything is fixed:
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
I guess I should have read the FM.
The rest of this post is OBSOLETE!
Being the quintessential professional, I decided to upgrade TurboGears yesterday, on the eve of the release of two... TWO major projects. I am funny that way. Seriously, there were some issues with IE supporting the authentication system on the older version of TurboGears which I was using. This left me with two unpalatable options (the upgrade, or not supporting IE at all).
After the upgrade of course, all hell broke loose. While my authentication problems disappeared right away, previous methods for integrating TurboGears and Lighttpd ceased to function, and I was left with enterprise applications without SSL support, which is a non-starter any way you look at it.
Time to put on the thinking cap. Follow along for the FIXAGE!
After some research, I discovered that the http:// method was hardcoded in one spot in CherryPy (right here in fact).
The fix ended up consisting of three parts. First, I added two new config settings in my dev.cfg file:
server.munge_ssl=True
server.munge_ssl_port=24516
Hmmmm. What does Derek have in mind here?
Next up, I made a couple of teeny-tiny changes in baseurlfilter.py, which resides in /usr/lib/python2.4/site-packages/CherryPy-2.2.1-py2.4.egg/cherrypy/filters .
#Munge the protocol with SSL in the case that SSL is used...
method="http"
if cherrypy.config.get('server.munge_ssl',True):
    method='https'
    port=cherrypy.config.get('server.munge_ssl_port',443)
if port == "80":
    defaultUrl = method+'://localhost'
else:
    defaultUrl = method+'://localhost:%s' % port
#Done with the mungeing! That was WAY easy!
But you are not done yet! You have to replace every single instance of the raise HTTPRedirect call with the InternalRedirect call instead, without the internal turbogears.url call (kind of a problem if you need to use the internal authentication provider, but you could modify that too I suppose).
raise cherrypy.HTTPRedirect(turbogears.url('/'))
...becomes...
raise cherrypy.InternalRedirect('/')
Finally, I configured my lighttpd as shown in the TurboGears site, but with the following config file:
server.modules = (
    "mod_rewrite",
    "mod_redirect",
    "mod_access",
    "mod_setenv",
    "mod_proxy",
    "mod_accesslog" )
## a static document-root, for virtual-hosting take look at the
## server.virtual-* options
server.document-root = "/opt/enomalism/xenwebadmin/xenwebadmin/static"
## where to send error-messages to
server.errorlog = "/opt/enomalism/logs/error.log"
#### accesslog module
accesslog.filename = "/opt/enomalism/logs/access_log"
url.access-deny = ( "~", ".inc",".py",".pyc" )
## to help the rc.scripts
server.pid-file = "/opt/enomalism/lighttpd.pid"
debug.log-request-handling = "enable"
## change uid to (default: don't care)
server.username = "lighttpd"
## change uid to (default: don't care)
server.groupname = "lighttpd"
#### proxy module
## read proxy.txt for more info
proxy.server = ( "" => ( (
    "host" => "127.0.0.1",
    "port" => 24514
    )
  )
)
#I am using NAT to serve. Too many steps eh?
$SERVER["socket"]=="192.168.1.151:24516" {
    ssl.pemfile="/etc/lighttpd/enomalism.pem"
    ssl.engine="enable"
}
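The two fixes in this post, as an added Python sketch that is not CherryPy's or the author's code: external_base() builds the advertised base URL from the post's server.munge_ssl settings (omitting the port when it is the scheme's default), and rewrite_location() maps a backend redirect onto the public HTTPS origin the way ProxyPassReverse does, so a redirect never drops the user back to plain http. The function names, the plain-dict config, the False default for server.munge_ssl and the sample URLs are assumptions made for the example.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def external_base(config, host="localhost"):
    """Base URL the app should advertise when TLS ends at the proxy.

    `config` is a plain dict standing in for cherrypy.config (assumption).
    """
    if config.get("server.munge_ssl", False):
        scheme = "https"
        port = int(config.get("server.munge_ssl_port", 443))
    else:
        scheme = "http"
        port = int(config.get("server.socket_port", 80))
    # int() accepts both 24516 and "24516"; the port is appended only
    # when it differs from the scheme's default.
    if port == DEFAULT_PORTS[scheme]:
        return "%s://%s" % (scheme, host)
    return "%s://%s:%d" % (scheme, host, port)


def rewrite_location(location, backend, public):
    """Rewrite a backend Location header onto the public origin."""
    loc, back, pub = urlsplit(location), urlsplit(backend), urlsplit(public)
    if not loc.netloc:
        return location  # relative redirect: the browser keeps https
    if (loc.scheme, loc.netloc.lower()) != (back.scheme, back.netloc.lower()):
        return location  # redirect to some other site: leave untouched
    return urlunsplit((pub.scheme, pub.netloc, loc.path, loc.query, loc.fragment))


if __name__ == "__main__":
    # Constructed sample values, using the ports that appear in the post.
    cfg = {"server.munge_ssl": True, "server.munge_ssl_port": 24516}
    public = external_base(cfg)
    print(public)
    print(rewrite_location("http://localhost:8080/login?next=%2F",
                           "http://localhost:8080", public))
```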


