Merge pull request #1714 from sebgie/issue#1680
commit
b80054c4e4
@ -163,9 +163,21 @@ function redirectToSignup(req, res, next) {
|
|||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
// checkSSL helper
|
function isSSLrequired(isAdmin) {
|
||||||
function redirectSSL(req, res, next) {
|
var forceSSL = url.parse(config().url).protocol === 'https:' ? true : false,
|
||||||
// Check if X-Forarded-Proto headers are sent, if they are check for https. If they are not assume true to avoid infinite redirect loop.
|
forceAdminSSL = (isAdmin && config().forceAdminSSL);
|
||||||
|
if (forceSSL || forceAdminSSL) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Check to see if we should use SSL
|
||||||
|
// and redirect if needed
|
||||||
|
function checkSSL(req, res, next) {
|
||||||
|
if (isSSLrequired(res.isAdmin)) {
|
||||||
|
// Check if X-Forarded-Proto headers are sent, if they are check for https.
|
||||||
|
// If they are not assume true to avoid infinite redirect loop.
|
||||||
// If the X-Forwarded-Proto header is missing and Express cannot automatically sense HTTPS the redirect will not be made.
|
// If the X-Forwarded-Proto header is missing and Express cannot automatically sense HTTPS the redirect will not be made.
|
||||||
var httpsHeader = req.header('X-Forwarded-Proto') !== undefined ? req.header('X-Forwarded-Proto').toLowerCase() === 'https' ? true : false : true;
|
var httpsHeader = req.header('X-Forwarded-Proto') !== undefined ? req.header('X-Forwarded-Proto').toLowerCase() === 'https' ? true : false : true;
|
||||||
if (!req.secure && !httpsHeader) {
|
if (!req.secure && !httpsHeader) {
|
||||||
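Review bot: `isSSLrequired` spells both flags out long-hand — `url.parse(config().url).protocol === 'https:' ? true : false` and an `if (forceSSL || forceAdminSSL) { return true; } return false;` tail — and calls `config()` once per flag. The same result reads more directly as `var cfg = config(), forceSSL = url.parse(cfg.url).protocol === 'https:';` followed by `return forceSSL || Boolean(isAdmin && cfg.forceAdminSSL);`, which keeps the strict true/false return the cookie setup further down relies on. The `// checkSSL helper` comment above it would be more useful as a one-line contract, e.g. `// true when the configured url is https, or when this is an admin request and forceAdminSSL is set`. `checkSSL`'s body continues past the end of this hunk.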
@ -176,24 +188,16 @@ function redirectSSL(req, res, next) {
|
|||||||
query: req.query
|
query: req.query
|
||||||
}));
|
}));
|
||||||
}
|
}
|
||||||
next();
|
|
||||||
}
|
|
||||||
|
|
||||||
// Check to see if we should
|
|
||||||
function checkSSL(req, res, next) {
|
|
||||||
var forceSSL = url.parse(config().url).protocol === 'https:' ? true : false,
|
|
||||||
forceAdminSSL = (res.isAdmin && config().forceAdminSSL);
|
|
||||||
|
|
||||||
if (forceSSL || forceAdminSSL) {
|
|
||||||
return redirectSSL(req, res, next);
|
|
||||||
}
|
}
|
||||||
next();
|
next();
|
||||||
}
|
}
|
||||||
|
|
||||||
module.exports = function (server, dbHash) {
|
module.exports = function (server, dbHash) {
|
||||||
var oneYear = 31536000000,
|
var oneHour = 60 * 60 * 1000,
|
||||||
|
oneYear = 365 * 24 * oneHour,
|
||||||
root = config.paths().webroot,
|
root = config.paths().webroot,
|
||||||
corePath = config.paths().corePath;
|
corePath = config.paths().corePath,
|
||||||
|
cookie;
|
||||||
|
|
||||||
// Cache express server instance
|
// Cache express server instance
|
||||||
expressServer = server;
|
expressServer = server;
|
||||||
@ -224,7 +228,7 @@ module.exports = function (server, dbHash) {
|
|||||||
expressServer.use(manageAdminAndTheme);
|
expressServer.use(manageAdminAndTheme);
|
||||||
|
|
||||||
// Force SSL
|
// Force SSL
|
||||||
server.use(checkSSL);
|
expressServer.use(checkSSL);
|
||||||
|
|
||||||
// Admin only config
|
// Admin only config
|
||||||
expressServer.use(root + '/ghost', middleware.whenEnabled('admin', express['static'](path.join(corePath, '/client/assets'))));
|
expressServer.use(root + '/ghost', middleware.whenEnabled('admin', express['static'](path.join(corePath, '/client/assets'))));
|
||||||
@ -242,11 +246,23 @@ module.exports = function (server, dbHash) {
|
|||||||
expressServer.use(root + '/ghost/api/v0.1/db/', middleware.busboy);
|
expressServer.use(root + '/ghost/api/v0.1/db/', middleware.busboy);
|
||||||
|
|
||||||
// Session handling
|
// Session handling
|
||||||
|
cookie = {
|
||||||
|
path: root + '/ghost',
|
||||||
|
maxAge: 12 * oneHour
|
||||||
|
};
|
||||||
|
|
||||||
|
// if SSL is forced, add secure flag to cookie
|
||||||
|
// parameter is true, since cookie is used with admin only
|
||||||
|
if (isSSLrequired(true)) {
|
||||||
|
cookie.secure = true;
|
||||||
|
}
|
||||||
|
|
||||||
expressServer.use(express.cookieParser());
|
expressServer.use(express.cookieParser());
|
||||||
expressServer.use(express.session({
|
expressServer.use(express.session({
|
||||||
store: new BSStore(models),
|
store: new BSStore(models),
|
||||||
|
proxy: true,
|
||||||
secret: dbHash,
|
secret: dbHash,
|
||||||
cookie: { path: root + '/ghost', maxAge: 12 * 60 * 60 * 1000 }
|
cookie: cookie
|
||||||
}));
|
}));
|
||||||
|
|
||||||
//enable express csrf protection
|
//enable express csrf protection
|
||||||
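Review bot: `cookie.secure = true` is set when `isSSLrequired(true)` holds, and the new `proxy: true` on `express.session` makes the session layer judge the connection by `X-Forwarded-Proto` rather than `req.secure`; combined with `checkSSL` (first hunk) treating a missing header as HTTPS, the secure flag only does its job when a TLS-terminating reverse proxy in front of Ghost actually sets that header. That deployment assumption is not recorded anywhere in the hunk; a comment next to `proxy: true` such as `// trust X-Forwarded-Proto from the reverse proxy so the secure cookie is still issued behind TLS termination` would make it explicit. The `cookie` object sets only `path`, `maxAge` and conditionally `secure`, so `httpOnly` is presumably left to the session middleware's default — worth stating in the same comment if that default is being relied on.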
|