Kim Alvefur <zash@zash.se> [Sun, 21 Feb 2021 06:18:22 +0100] rev 11396
mod_bosh: Include warning if endpoint accessed insecurely (#1172)
This is to make it obvious if a misconfigured a proxy or the request
really is insecure.
Perhaps it should also check c2s_require_encryption?
Kim Alvefur <zash@zash.se> [Sun, 21 Feb 2021 06:17:40 +0100] rev 11395
mod_bosh: Use message template from mod_http_error
Looking Good!
And most importantly, consistent.
Kim Alvefur <zash@zash.se> [Sun, 21 Feb 2021 06:15:59 +0100] rev 11394
mod_http_errors: Add a highlighted warning to template
It looks sooooo good!
Meant to be used by e.g. mod_bosh to warn in case the request is
considered insecure.
Kim Alvefur <zash@zash.se> [Sun, 21 Feb 2021 06:13:19 +0100] rev 11393
mod_http_errors: Add way to reuse the error page template
module:fire_event("http-message", {title = "hello"; message = "world"})
Goal is to enable consistent messages from Prosody. Not necessarily
error messages, but warnings or just notices.
This does cause some drift in the purpose of mod_http_errors, but that's
okay.
Kim Alvefur <zash@zash.se> [Thu, 18 Feb 2021 14:55:38 +0100] rev 11392
mod_http_errors: Minify CSS
Because It looks too big in view source!
Kim Alvefur <zash@zash.se> [Thu, 18 Feb 2021 14:43:45 +0100] rev 11391
Merge 0.11->trunk
Kim Alvefur <zash@zash.se> [Thu, 18 Feb 2021 14:34:38 +0100] rev 11390
mod_http: Fix trusted proxies check (thanks buildbot)
is_trusted_proxy() is only in trunk, I dun goofed when I rebased
8603011e51fe from trunk.
Kim Alvefur <zash@zash.se> [Thu, 18 Feb 2021 10:41:04 +0100] rev 11389
mod_http: Optimize proxy IP check
No need to do a subnet match comparison to see if two IP addresses match
exactly.
Kim Alvefur <zash@zash.se> [Thu, 18 Feb 2021 10:05:30 +0100] rev 11388
mod_websocket: Inherit security status from http request
Allows requests considered secure becasue of a proxy header to carry
over to the client session.
mod_bosh does this too.
Kim Alvefur <zash@zash.se> [Thu, 18 Feb 2021 10:00:56 +0100] rev 11387
mod_http: Consider x-forwarded-proto from trusted proxies
Should be better than setting consider_{bosh,websocket}_secure as that
may end up causing actually insecure requests to be considered secure.
Doing it here, as with IP, should make this apply to all HTTP modules.