From d6d966649c2f7e14986dbf2911897db0a3cdfe72 Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Wed, 11 Oct 2017 00:44:19 +0200
Subject: [PATCH] [fix] Force back_url to use HTTPS
---
 access.lua | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/access.lua b/access.lua
index 0967eca..8148874 100644
--- a/access.lua
+++ b/access.lua
@@ -391,6 +391,15 @@ end
 -- The default is to protect every URL by default.
 --
 
-hlp.flash("info", hlp.t("please_login"))
-local back_url = ngx.var.scheme .. "://" .. ngx.var.host .. ngx.var.uri .. hlp.uri_args_string()
+-- Only display this if HTTPS. For HTTP, we can't know if the user really is
+-- logged in or not, because the cookie is available only in HTTP...
+if ngx.var.scheme == "https" then
+ hlp.flash("info", hlp.t("please_login"))
+end
+
+-- Force the scheme to HTTPS. This is to avoid an issue with redirection loop
+-- when trying to access http://main.domain.tld/ (SSOwat finds that user aint
+-- logged in, therefore redirects to SSO, which redirects to the back_url, which
+-- redirect to SSO, ..)
+local back_url = "https://" .. ngx.var.host .. ngx.var.uri .. hlp.uri_args_string()
 return hlp.redirect(conf.portal_url.."?r="..ngx.encode_base64(back_url))
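Review bot: The new `back_url` line still takes its host from `ngx.var.host`, which nginx fills from the request line or the Host header, so the value encoded into `r` may be client-influenced if this code runs under a catch-all server block. Forcing `"https://"` pins the scheme but not the host. Whether the portal checks the decoded `r` against the configured domains before redirecting after login is not visible in this hunk; that should be confirmed, or the host compared with the configured domain list here before building the URL. Separately, the first added comment says the cookie is available "only in HTTP", which looks like a typo for HTTPS given the condition right below it; suggest `-- logged in or not, because the cookie is only sent over HTTPS.` The surrounding top-level code starts outside the hunk.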