Add a parameter to origin_referrer_check, to skip checking scheme #236

Open
asmanur opened this issue Jul 6, 2022 · 3 comments
@asmanur

asmanur commented Jul 6, 2022

Hello,

I am running a dream server under a lighttpd proxy. The lighttpd is listening on https to the outer world but communicates in http internally with the dream server. This confuses the ORC because it sees a request with a host 'https://host' but is an http server. I was wondering if we could add a parameter to origin_referrer_check to skip the check of the schemes?

Anyways, thanks for the wonderful work on dream.

@gstrauss

gstrauss commented Apr 24, 2023

@asmanur try adding this to your lighttpd.conf reverse-proxy config:

proxy.header += (
    "https-remap" => "enable",
    "map-host-request"  => ("-" => "-"),
    "map-host-response" => ("-" => "-")
)

https://wiki.lighttpd.net/mod_proxy

@aantron
Owner

aantron commented Apr 24, 2023

Thanks @asmanur for the report and @gstrauss for the suggestion! I'm looking for a bit of time to actually try this out and consider what's the best way to address it.

@richardhuxton

I encountered the same issue with an nginx proxy terminating the tls for a dream backend.

Counter-intuitively, while trying to get the headers to match, I got this error:

Origin-Host mismatch: 'https://aaa.bbb.org.uk:8000' vs. 'https://aaa.bbb.org.uk:8000'

That was because the actual scheme in the Origin header isn't compared to the Host header but to Helpers.tls request, which presumably is false because dream isn't handling the tls.

For anyone who comes across the same issue, the config for nginx needed to be:

proxy_set_header Host $http_host;
proxy_set_header Origin http://$http_host;

Personally, I think just a note in the e-json example would be enough to cover this issue. You could include the example config fragments - with apache/haproxy examples too that would cover most people I suspect.
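A simplified model of the behaviour discussed in this thread, as an added example that is not part of any comment above and is not Dream's or nginx's own code. It compares three proxy header policies against a same-site and a cross-site request, and shows that overwriting Origin from Host makes the check pass for both, while rewriting only the scheme keeps the host comparison meaningful. The function names, hostnames and the scheme-only policy are assumptions made for illustration.

```python
from urllib.parse import urlsplit

def origin_check(headers, backend_tls):
    """Simplified model of the check as the thread describes it: the Origin
    scheme is compared with whether the backend itself serves TLS, and the
    Origin host:port is compared with the Host header."""
    origin, host = headers.get("Origin"), headers.get("Host")
    if not origin or not host:
        return False
    parts = urlsplit(origin)
    scheme_ok = parts.scheme == ("https" if backend_tls else "http")
    return scheme_ok and parts.netloc.lower() == host.lower()

def proxy_forced_origin(browser_headers):
    # Models the two proxy_set_header lines quoted in the thread:
    # Origin is replaced with "http://" + Host, whatever the browser sent.
    h = dict(browser_headers)
    h["Origin"] = "http://" + h["Host"]
    return h

def proxy_scheme_only(browser_headers):
    # Hypothetical alternative policy: keep the browser's Origin and swap
    # only the scheme, reflecting that TLS ended at the proxy. In nginx this
    # could be expressed with a map on $http_origin (assumption, not from
    # the thread).
    h = dict(browser_headers)
    origin = h.get("Origin", "")
    if origin.startswith("https://"):
        h["Origin"] = "http://" + origin[len("https://"):]
    return h

# Constructed sample requests as a browser would send them to the proxy.
SAME_SITE = {"Host": "app.example:8000", "Origin": "https://app.example:8000"}
CROSS_SITE = {"Host": "app.example:8000", "Origin": "https://other.example"}

def evaluate():
    """Return {policy: (same_site_accepted, cross_site_accepted)} for a
    backend that does not terminate TLS itself."""
    policies = (("passthrough", dict),
                ("forced_origin", proxy_forced_origin),
                ("scheme_only", proxy_scheme_only))
    return {name: tuple(origin_check(proxy(req), backend_tls=False)
                        for req in (SAME_SITE, CROSS_SITE))
            for name, proxy in policies}

if __name__ == "__main__":
    for policy, (same, cross) in evaluate().items():
        print(f"{policy:14} same-site={same} cross-site={cross}")
```

The model ignores default ports and the Referer fallback, so it only illustrates the scheme and host comparison.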
