--- loncom/interface/domainprefs.pm	2021/04/18 02:08:46	1.381
+++ loncom/interface/domainprefs.pm	2021/04/29 17:45:22	1.382
@@ -1,7 +1,7 @@
 # The LearningOnline Network with CAPA
 # Handler to set domain-wide configuration settings
 #
-# $Id: domainprefs.pm,v 1.381 2021/04/18 02:08:46 raeburn Exp $
+# $Id: domainprefs.pm,v 1.382 2021/04/29 17:45:22 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -7423,12 +7423,13 @@ sub print_wafproxy {
             $itemcount ++;
             $css_class = $itemcount%2 ? ' class="LC_odd_row"' : '';
             my ($nowafstyle,$wafstyle,$curr_remotip,$currwafdisplay,$vpndircheck,$vpnaliascheck,
-                $currwafvpn,$wafrangestyle);
+                $currwafvpn,$wafrangestyle,$alltossl,$ssltossl);
             $wafstyle = ' style="display:none;"';
             $nowafstyle = ' style="display:table-row;"';
             $currwafdisplay = ' style="display: none"';
             $wafrangestyle = ' style="display: none"';
             $curr_remotip = 'n';
+            $ssltossl = ' checked="checked"';
             if ($showdom) {
                 $wafstyle = ' style="display:table-row;"';
                 $nowafstyle =  ' style="display:none;"';
@@ -7440,6 +7441,10 @@ sub print_wafproxy {
                         $currwafdisplay = ' style="display:table-row"';
                         $wafrangestyle = ' style="display:inline-block;"';
                     }
+                    if ($values{$dom}{'sslopt'}) {
+                        $alltossl = ' checked="checked"';
+                        $ssltossl = '';
+                    }
                 }
                 if (($values{$dom}{'vpnint'} ne '') || ($values{$dom}{'vpnext'} ne '')) {
                     $vpndircheck = ' checked="checked"';
@@ -7478,7 +7483,7 @@ sub print_wafproxy {
                           'name="wafproxy_ipheader" />'.
                           '</td></tr>'."\n".
                           '<tr id="wafproxy_trust"'.$currwafdisplay.'><td>'.
-                          $lt{'trusted'}.':&nbsp;'.
+                          $lt{'trusted'}.':<br />'.
                           '<textarea name="wafproxy_trusted" rows="3" cols="80">'.
                           $values{$dom}{'trusted'}.'</textarea>'.
                           '</td></tr>'."\n".
@@ -7491,12 +7496,19 @@ sub print_wafproxy {
                           $lt{'vpnaliased'}.'</label></span></td></tr>';
             foreach my $item ('vpnint','vpnext') {
                 $datatable .= '<tr id="wafproxy_show_'.$item.'"'.$currwafvpn.'>'.
-                              '<td valign="top">'.$lt{$item}.':&nbsp;'.
+                              '<td valign="top">'.$lt{$item}.':<br />'.
                               '<textarea name="wafproxy_'.$item.'" rows="3" cols="80">'.
                               $values{$dom}{$item}.'</textarea>'.
                               '</td></tr>'."\n";
             }
-            $datatable .= '</table></td></tr>';
+            $datatable .= '<tr><td><hr /></td></tr>'."\n".
+                          '<tr>'.
+                          '<td valign="top">'.$lt{'sslopt'}.':<br /><span class="LC_nobreak">'.
+                          '<label><input type="radio" name="wafproxy_sslopt"'.$alltossl.' value="1" />'.
+                          $lt{'alltossl'}.'</label>'.('&nbsp;'x2).
+                          '<label><input type="radio" name="wafproxy_sslopt"'.$ssltossl.' value="0" />'.
+                          $lt{'ssltossl'}.'</label></span></td></tr>'."\n".
+                          '</table></td></tr>';
         }
         if (keys(%otherdoms)) {
             foreach my $domain (sort(keys(%otherdoms))) {
@@ -7505,10 +7517,16 @@ sub print_wafproxy {
                 $datatable .= '<tr'.$css_class.'>'.
                               '<td class="LC_left_item">'.&mt('Domain: [_1]',$domain).'</td>'.
                               '<td class="LC_left_item"><table>';
-                foreach my $item ('remoteip','ipheader','trusted','vpnint','vpnext') {
+                foreach my $item ('remoteip','ipheader','trusted','vpnint','vpnext','sslopt') {
                     my $showval = &mt('None');
+                    if ($item eq 'ssl') {
+                        $showval = $lt{'ssltossl'};
+                    }
                     if ($values{$domain}{$item}) {
                         $showval = $values{$domain}{$item};
+                        if ($item eq 'ssl') {
+                            $showval = $lt{'alltossl'};
+                        }
                     }
                     $datatable .= '<tr>'.
                                   '<td>'.$lt{$item}.':&nbsp;'.$showval.'</td></tr>';
@@ -7531,7 +7549,7 @@ sub wafproxy_titles {
                vpnaliased => 'via aliased hostname (WAF)',
                vpnint     => 'Internal IP Range(s) for VPN sessions',
                vpnext     => 'IP Range(s) for backend WAF connections',
-               ssloptions => 'Forwarding http/https',
+               sslopt     => 'Forwarding http/https',
                alltossl   => 'WAF forwards both http and https requests to https',
                ssltossl   => 'WAF forwards http requests to http and https to https',
            );
@@ -19826,7 +19844,7 @@ sub modify_wafproxy {
         if (ref($domconfig{'wafproxy'}{'alias'}) eq 'HASH') {
             %curralias = %{$domconfig{'wafproxy'}{'alias'}};
         }
-        foreach my $item ('remoteip','ipheader','trusted','vpnint','vpnext') {
+        foreach my $item ('remoteip','ipheader','trusted','vpnint','vpnext','sslopt') {
             $currvalue{$item} = $domconfig{'wafproxy'}{$item};
         }
     }
@@ -19862,7 +19880,7 @@ sub modify_wafproxy {
                      vpnint => 'internal IP range(s) for VPN sessions(s)',
                      vpnext => 'IP range(s) for backend WAF connections',
                    );
-        foreach my $item ('remoteip','ipheader','trusted','vpnint','vpnext') {
+        foreach my $item ('remoteip','ipheader','trusted','vpnint','vpnext','sslopt') {
             my $possible = $env{'form.wafproxy_'.$item};
             $possible =~ s/^\s+|\s+$//g;
             if ($possible ne '') {
@@ -19874,6 +19892,10 @@ sub modify_wafproxy {
                     if ($wafproxy{'remoteip'} eq 'h') {
                         $wafproxy{$item} = $possible;
                     }
+                } elsif ($item eq 'sslopt') {
+                    if ($possible =~ /^0|1$/) {
+                        $wafproxy{$item} = $possible;
+                    }
                 } else {
                     my (@ok,$count);
                     if (($item eq 'vpnint') || ($item eq 'vpnext')) {
@@ -19936,7 +19958,7 @@ sub modify_wafproxy {
         if ($putresult eq 'ok') {
             my $cachetime = 24*60*60;
             my (%domdefaults,$updatedomdefs);
-            foreach my $item ('ipheader','trusted','vpnint','vpnext') {
+            foreach my $item ('ipheader','trusted','vpnint','vpnext','sslopt') {
                 if ($changes{$item}) {
                     unless ($updatedomdefs) {
                         %domdefaults = &Apache::lonnet::get_domain_defaults($dom);
@@ -19973,7 +19995,7 @@ sub modify_wafproxy {
                 }
             }
             $output = &mt('Changes were made to Web Application Firewall/Reverse Proxy').'<ul>';
-            foreach my $item ('alias','remoteip','ipheader','trusted','vpnint','vpnext') {
+            foreach my $item ('alias','remoteip','ipheader','trusted','vpnint','vpnext','sslopt') {
                 if ($changes{$item}) {
                     if ($item eq 'alias') {
                         my $numaliased = 0;
@@ -20037,6 +20059,12 @@ sub modify_wafproxy {
                             } else {
                                 $output .= '<li>'.&mt('IP Range(s) for backend WAF connections deleted').'</li>';
                             }
+                        } elsif ($item eq 'sslopt') {
+                            if ($wafproxy{$item}) {
+                                $output .= '<li>'.&mt('WAF/Reverse Proxy expected to forward requests to https on LON-CAPA node, regardless of original protocol in web browser (http or https).').'</li>';
+                            } else {
+                                $output .= '<li>'.&mt('WAF/Reverse Proxy expected to preserve original protocol in web browser (either http or https) when forwarding to LON-CAPA node.').'</li>';
+                            }
                         }
                     }
                 }
