Bug #1728
projects.osmocom.org permits login over http, not https
Start date: 05/18/2016
Due date:
% Done: 0%
Spec Reference:
Description
I think this is not intentional, as it transmits credentials in the clear.
History
#1 Updated by zecke over 3 years ago
So you would like to have "Sign In" redirect to https?
#2 Updated by lynxis over 3 years ago
zecke wrote:
So you would like to have "Sign In" redirect to https?
Why not redirect everything to https://osmocom.org/?
http:// login is also possible on osmocom.org.
#3 Updated by zecke almost 3 years ago
- Status changed from New to Closed
Added
if ($scheme = http) { rewrite ^/login https://$server_name$request_uri? permanent; }
I skipped /admin or /my.. because at that point you already sent your session cookie on http...
#4 Updated by zecke over 2 years ago
curl -v http://osmocom.org/login/ 2>&1 | grep Location
< Location: https://projects.osmocom.org/login/
This caused issues with OpenID (and creating a new realm). Use $host instead of $server_name.
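A check for the two failure modes this ticket covers (login served over plain http, and a redirect that swaps the requested host for the vhost's primary name), added here as an example and not part of the original thread. The function names and sample responses are constructed; the 301 status for the comment #4 sample is assumed from the `permanent` flag on the rewrite.

```python
from urllib.parse import urlsplit

REDIRECT_CODES = (301, 302, 307, 308)

def check_login_redirect(requested_url, status, location):
    """Return a list of problems with an http->https redirect; empty means OK."""
    req = urlsplit(requested_url)
    if status not in REDIRECT_CODES:
        return [f"no redirect (status {status}): login form served over {req.scheme}"]
    if not location:
        return ["redirect without Location header"]
    loc = urlsplit(location)
    problems = []
    if loc.scheme != "https":
        problems.append(f"redirect target uses {loc.scheme or 'no'} scheme, not https")
    # $server_name replaces the host with the vhost's primary name;
    # $host keeps the name the client actually asked for.
    if (loc.hostname or "").lower() != (req.hostname or "").lower():
        problems.append(f"host changed: {req.hostname} -> {loc.hostname}")
    if loc.path != req.path or loc.query != req.query:
        problems.append("path or query not preserved")
    return problems

# Constructed samples: (requested URL, status, Location header)
SAMPLES = [
    # Response quoted in comment #4 (status assumed)
    ("http://osmocom.org/login/", 301, "https://projects.osmocom.org/login/"),
    # Expected shape after switching the rewrite to $host
    ("http://osmocom.org/login/", 301, "https://osmocom.org/login/"),
    # Original report: login page answered directly over http
    ("http://projects.osmocom.org/login", 200, None),
]

def audit(samples=SAMPLES):
    """Map sample index to the list of problems found for it."""
    return {i: check_login_redirect(*s) for i, s in enumerate(samples)}

if __name__ == "__main__":
    for i, problems in audit().items():
        url = SAMPLES[i][0]
        print(url, "OK" if not problems else "; ".join(problems))
```

To run it against a live site, feed it the status and `Location` header from a request made with redirects disabled, once per hostname the server answers to.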