http://bugs.winehq.org/show_bug.cgi?id=58189
Bug ID: 58189
Summary: Bugzilla adds a HTTP redirect when using saved searches
Product: WineHQ Bugzilla
Version: unspecified
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: bugzilla-unknown
Assignee: wine-bugs@winehq.org
Reporter: imwellcushtymelike@gmail.com
CC: austinenglish@gmail.com
Distribution: ---

Created attachment 78493
  --> http://bugs.winehq.org/attachment.cgi?id=78493
Chrome security warning
Using any of the lists on the left side of the Bugzilla page (Task lists / Saved Searches / etc.) adds a HTTP redirect, which Chrome loudly (but rightly) complains about.
Cloudflare apparently responds with a HTTP 302 (Found) but gives a new location with HTTP instead of HTTPS.
http://bugs.winehq.org/buglist.cgi?bug_status=UNCONFIRMED&bug_status=NEW...
Clicking "Continue" in Chrome attempts to connect with HTTP just to be redirected again with a HTTP 307 (Temporary Redirect) back to HTTP, and on it goes. It looks like the login cookie might be sent in cleartext.
Somehow, I do eventually end up connecting via HTTPS, but Wireshark confirms that HTTP connections are being made, before being shut down by Chrome. My DNS logs show that Chrome does ask for the HTTPS entry in the record so *maybe* that's how it gets there... I really don't know.
I imagine other areas are affected, not just the lists.
--- Comment #1 from Ken Sharp imwellcushtymelike@gmail.com ---
Created attachment 78494
  --> http://bugs.winehq.org/attachment.cgi?id=78494
Chrome dev console
AFAIK Chrome won't give a simple text log, which would be much more useful than a screenshot.
Austin English austinenglish@gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
  CC |        |jnewman@codeweavers.com,
     |        |julliard@winehq.org
--- Comment #2 from Jeremy Newman jnewman@codeweavers.com ---
This is not what I get. My Chrome console shows "Status Codes: 200 OK" not "302 Found". So I'm not sure how you are seeing what you are seeing. There are no http URLs in any of the redirects. However, if I issue a curl request to the Bugs website, I do see a 302 page.
I did change the CloudFlare SSL mode. It was set to automatic, to detect the best SSL mode. But, just to see if it makes any difference I switched it to "Full (Strict)". We use an origin SSL cert between CloudFlare and our origin. This is generated by CloudFlare. All communication between CF<->Bugs.WineHQ.org should be forced to SSL mode.
Behind the scenes Anubis is http between Apache and the HTTPS Proxy. It goes like this:
CloudFlare HTTPS (CDN) <-> Apache HTTPS (Origin Proxy) <-> Anubis HTTP (localhost only) <-> Apache HTTP (localhost only) <-> Bugzilla Perl Website
So if there is an issue, it may be something with how Anubis does things.