Add "force_wsgi_environ" config option.

This is the nuclear option for when your reverse proxy setup doesn't place nicely with our request-signing thing - it causes the app to unilaterally clobber its WSGI environment with values from public_url.
2015-02-13 16:26:17 +11:00
parent 24dbda8f41
commit c4c0fa033a
2 changed files with 28 additions and 17 deletions
--- a/syncserver.ini
+++ b/syncserver.ini
@@ -27,8 +27,16 @@ public_url = http://localhost:5000/
 # Only request by existing accounts will be honoured.
 # allow_new_users = false

+# Set this to "true" to work around a mismatch between public_url and
+# the application URL as seen by python, which can happen in certain reverse-
+# proxy hosting setups.  It will overwrite the WSGI environ dict with the
+# details from public_url.  This could have security implications if e.g.
+# you tell the app that it's on HTTPS but it's really on HTTP, so it should
+# only be used as a last resort and after careful checking of server config.
+force_wsgi_environ = false
+
 # Uncomment and edit the following to use a local BrowserID verifier
-# rather than posing assertions to the mozilla-hosted verifier.
+# rather than posting assertions to the mozilla-hosted verifier.
 # Audiences should be set to your public_url without a trailing slash.
 #[browserid]
 #backend = tokenserver.verifiers.LocalVerifier