I have a server behind a load balancer. The LB translates out of https into http so the web server only sees http.

I have a perl script that uses CGI standard to generate an input form using

start_form( -action=>url())

Right now, the url in the HTML points to the http version of the url, not the https. What is the cleanest way to get it to always use https (if https is being used by the user)?

I've tried "-rewrite" as both 0 and 1 and that didn't make a difference.

  • Please see my blog post and the responses for better options for creating CGI scripts than CGI.pm, if it is a case where you have such options. But to begin with, your load balancer should ideally be passing the header X-Forwarded-Proto: https for any of these solutions to use. Commented Jan 14, 2019 at 22:40

1 Answer

At least according to the documentation and the code of CGI.pm, url() and url( full => 1) should both return https:// if your CGI script was served from an https:// URL. If the load balancer strips https and does not provide the appropriate headers, you can set $ENV{HTTPS} to ON to fake that in your script yourself:

#!perl
use strict;
use warnings;

use CGI qw(url);

# Tell CGI.pm the request was HTTPS, since the load balancer hides that
$ENV{HTTPS} = 'ON';
print url();

See also

CGI

1 Comment

I hope that it does not automatically use such headers, as this would be a possible vulnerability if the client can tell the code it's using a different protocol when there's no proxy setting the header! This is why you have to enable it with MOJO_REVERSE_PROXY=1 or the hypnotoad proxy option in Mojolicious.
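
The concern raised in the comment, as an added example (not code from the answer, the commenter, or CGI.pm): set HTTPS only when the request arrived from the load balancer and carries X-Forwarded-Proto: https, rather than unconditionally. The proxy addresses and the helper name forwarded_https are assumptions, and the sample environments are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

use CGI qw(url);

# Assumption: the address(es) the load balancer connects from (placeholders).
my %TRUSTED_PROXY = map { $_ => 1 } qw(10.0.0.5 10.0.0.6);

# Hypothetical helper: true only when the direct peer is a trusted proxy
# AND that proxy reports the original scheme as https.
sub forwarded_https {
    my ($env) = @_;

    # REMOTE_ADDR is the connecting peer as seen by the web server;
    # it is not taken from a request header.
    my $peer = $env->{REMOTE_ADDR} // '';
    return 0 unless $TRUSTED_PROXY{$peer};

    # Accept exactly "https" (case-insensitive, surrounding spaces ignored).
    # Lists such as "http, https" or any other value count as plain HTTP.
    my $proto = $env->{HTTP_X_FORWARDED_PROTO} // '';
    $proto =~ s/^\s+|\s+$//g;
    return lc($proto) eq 'https' ? 1 : 0;
}

# Constructed sample environments for the three cases that matter.
my @samples = (
    [ 'via LB, https'   => { REMOTE_ADDR => '10.0.0.5',    HTTP_X_FORWARDED_PROTO => 'https' } ],
    [ 'via LB, http'    => { REMOTE_ADDR => '10.0.0.5',    HTTP_X_FORWARDED_PROTO => 'http'  } ],
    [ 'direct, spoofed' => { REMOTE_ADDR => '203.0.113.9', HTTP_X_FORWARDED_PROTO => 'https' } ],
);
for my $sample (@samples) {
    my ($label, $env) = @$sample;
    printf STDERR "%-16s => %s\n", $label, forwarded_https($env) ? 'https' : 'http';
}

# In the real script: set the flag from the request's own environment,
# then build the URL as in the answer.
$ENV{HTTPS} = 'ON' if forwarded_https(\%ENV);
print url(), "\n";
```

If the web server can only be reached through the load balancer, the address check is a second layer; if it is reachable directly, the check is what stops a client-supplied header from being believed.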
