[fix] Force back_url to use HTTPS (#93)

This commit is contained in:
Alexandre Aubin 2017-10-12 22:06:30 +02:00 committed by GitHub
parent 1bf64408c9
commit d38d5e3d29

View file

@ -391,6 +391,15 @@ end
-- The default is to protect every URL by default. -- The default is to protect every URL by default.
-- --
hlp.flash("info", hlp.t("please_login")) -- Only display this if HTTPS. For HTTP, we can't know if the user really is
local back_url = ngx.var.scheme .. "://" .. ngx.var.host .. ngx.var.uri .. hlp.uri_args_string() -- logged in or not, because the cookie is available only in HTTP...
if ngx.var.scheme == "https" then
hlp.flash("info", hlp.t("please_login"))
end
-- Force the scheme to HTTPS. This is to avoid an issue with redirection loop
-- when trying to access http://main.domain.tld/ (SSOwat finds that user aint
-- logged in, therefore redirects to SSO, which redirects to the back_url, which
-- redirect to SSO, ..)
local back_url = "https://" .. ngx.var.host .. ngx.var.uri .. hlp.uri_args_string()
return hlp.redirect(conf.portal_url.."?r="..ngx.encode_base64(back_url)) return hlp.redirect(conf.portal_url.."?r="..ngx.encode_base64(back_url))