The URL for the allow list script on the admin page should be "HTTPS" in live #247

Open
2 tasks
jon-betts opened this issue Mar 18, 2021 · 4 comments

Comments


jon-betts commented Mar 18, 2021

Currently the admin page gives a command to run to upload allow rules, but the route it gives to call it on is always "HTTP" rather than the "HTTPS" it needs to be to work anywhere other than locally.

This requires you to edit this before you run it and will cause confusion one day:

This was created as a result of: #195

@jon-betts jon-betts added the bug Something isn't working label Mar 18, 2021
@jon-betts jon-betts self-assigned this Mar 18, 2021

jon-betts commented Mar 23, 2021

There's quite a chain of calls inside route_url, but I think we need to have the environment variable wsgi.url_scheme for webob.request:BaseRequest.host_url() to pick up.

This is set by gunicorn I think in response to certain headers as specified here: https://docs.gunicorn.org/en/stable/settings.html#secure-scheme-headers. The defaults are:

{'X-FORWARDED-PROTOCOL': 'ssl', 'X-FORWARDED-PROTO': 'https', 'X-FORWARDED-SSL': 'on'}

So best guess first is this isn't getting passed on for some reason.


jon-betts commented Mar 23, 2021

It seems like by default ElasticBeanstalk should be sending X-FORWARDED-PROTO:

https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/x-forwarded-headers.html#x-forwarded-proto

Edit: I'm not sure this is the right thing, or we're even using it. Ian is going to take a look as this is getting outside of my comfort zone.
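
An added example, not part of the original comments or the project's code: a simplified, stdlib-only model of the mechanism discussed in the two comments above, where the generated URL's scheme comes from `wsgi.url_scheme` and a forwarded-protocol header is honoured only when the request arrives from a trusted proxy address. `wsgiref.util.application_uri` stands in for the framework's URL builder; the host name, the addresses and `TRUSTED_PROXIES` are constructed, and the trust check is an assumption modelled on gunicorn's `forwarded_allow_ips` setting.

```python
from wsgiref.util import application_uri, setup_testing_defaults

# Constructed for illustration: proxies allowed to assert the scheme.
# (gunicorn's forwarded_allow_ips defaults to "127.0.0.1".)
TRUSTED_PROXIES = {"127.0.0.1"}

# The gunicorn defaults quoted in the comment above.
SECURE_SCHEME_HEADERS = {
    "X-FORWARDED-PROTOCOL": "ssl",
    "X-FORWARDED-PROTO": "https",
    "X-FORWARDED-SSL": "on",
}


def resolve_scheme(environ, trusted=TRUSTED_PROXIES):
    """Return the scheme the application should see for this request."""
    current = environ.get("wsgi.url_scheme", "http")
    # A client-supplied header must not be able to flip the scheme, so the
    # header is ignored unless the direct peer is a known proxy.
    if environ.get("REMOTE_ADDR") not in trusted:
        return current
    for header, secure_value in SECURE_SCHEME_HEADERS.items():
        key = "HTTP_" + header.replace("-", "_")
        if environ.get(key) == secure_value:
            return "https"
    return current


def generated_url(remote_addr, headers, trusted=TRUSTED_PROXIES):
    """Build the base URL a WSGI framework would derive for a request."""
    environ = {"HTTP_HOST": "example.test", "REMOTE_ADDR": remote_addr}
    setup_testing_defaults(environ)  # fills in wsgi.url_scheme = "http"
    environ.update(headers)
    environ["wsgi.url_scheme"] = resolve_scheme(environ, trusted)
    return application_uri(environ)


if __name__ == "__main__":
    forwarded = {"HTTP_X_FORWARDED_PROTO": "https"}
    # Header from a trusted proxy: links are generated as https.
    print(generated_url("127.0.0.1", forwarded))
    # Same header from an address that is not trusted: scheme stays http.
    print(generated_url("10.0.0.5", forwarded))
    # Once the proxy's (constructed) address is trusted, https again.
    print(generated_url("10.0.0.5", forwarded, trusted={"10.0.0.5"}))
```
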

@seanh seanh added the Backend label Apr 1, 2021
@indigobravo indigobravo self-assigned this Jun 1, 2021
@indigobravo

I have taken a look into this issue, but I have not been able to find a workable solution. Here is a link to a Slack thread where we have discussed the problem further. https://hypothes-is.slack.com/archives/CR3E3S7K8/p1616521583023800

I can take another look into this, but I am going to need to schedule this after the work to get Canada deployed is complete.

@jon-betts

I think this is enough to park this for now:

  • The immediate impact is low
  • It doesn't look trivial to fix
