id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
19517	Add support for X-Forwarded-Port to HttpRequest.get_host when USE_X_FORWARDED_HOST is in use	david_k_hess@…	nobody	"The use case is an app served on ports 80, 443 (SSL) and 444 (SSL) served by gunicorn behind nginx. I'm sending X-Forwarded-Host and X-Forwarded-Port from nginx to gunicorn. Port 80 is open solely to redirect to 443 and both are open to the public internet. 444 is firewalled and reserved for the admin interface which is protected by this middleware component:

{{{
class ProtectAdminMiddleware(object):
    def process_request(self, request):
        if request.path.startswith(""/admin"") and request.META[""HTTP_X_FORWARDED_PORT""] != ""444"":
            raise Http404
}}}

When turning on USE_X_FORWARDED_HOST, the code in HttpRequest.get_host does not take port into account:

{{{
    [...]
    if settings.USE_X_FORWARDED_HOST and (
        'HTTP_X_FORWARDED_HOST' in self.META):
        host = self.META['HTTP_X_FORWARDED_HOST']
    elif 'HTTP_HOST' in self.META:
        host = self.META['HTTP_HOST']
    [...]
}}}

Because of this, at least two things in the admin interface on port 444 don't function correctly; the CSRF token breaks saying there is a problem between referrer on 444 and token on 443 and you can't login. Also, redirects from say ""/admin"" on port 444 redirect to ""/admin/"" on 443 instead of staying on 444. That's just what I was able to reach with logins broken.

I monkey-patched HttpRequest.get_host to add support for X-Forwarded-Port when USE_X_FORWARDED_HOST is specified and it appears to have corrected these issues:

{{{
    [...]
    if settings.USE_X_FORWARDED_HOST and (
        'HTTP_X_FORWARDED_HOST' in self.META):
        host = self.META['HTTP_X_FORWARDED_HOST']
        if 'HTTP_X_FORWARDED_PORT' in self.META:
            server_port = str(self.META['HTTP_X_FORWARDED_PORT'])
            if server_port != (self.is_secure() and '443' or '80'):
                host = '%s:%s' % (host, server_port)
    elif 'HTTP_HOST' in self.META:
        host = self.META['HTTP_HOST']
    [...]
}}}"	Bug	closed	HTTP handling	1.4	Normal	wontfix	httprequest, get_host, X-Forwarded-Host, USE_X_FORWARDED_HOST	hirokiky@… matt@…	Accepted	1	0	0	0	1	0