Changes between Version 2 and Version 5 of Ticket #27961


Timestamp: 03/21/2017 02:26:52 AM
Author: cryptogun
Comment:

There are 2 bug cases:

  • In case 1, with no Django complaint, the user doesn't know whether his/her setting is correct and whether HTTPS is set up correctly.
  • In case 4, with a custom header set by the admin, a MITM may happen by:

user -- HTTP -- MITM (retrieve password, set header: HTTP_X_FORWARDED_PROTO: https) -- nginx (header: HTTP_X_FORWARDED_PROTO: https, set header: HTTP_X_FORWARDED_PROTOOO: http) -- gunicorn (pass, no user redirect because HTTP_X_FORWARDED_PROTO == https) -- Django (is_secure() == True because there's no else clause).

  • Ticket #27961 – Description

    v2  v5
     2   2  1. Both default settings:
     3   3  Nginx setting: `proxy_set_header X-Forwarded-Proto $scheme;`
     4      Django setting: `HTTP_X_FORWARDED_PROTO=None`
         4  Django setting: `SECURE_PROXY_SSL_HEADER = None`
     5   5  Result: ''No redirect.'' I'm not getting an ''ERR_TOO_MANY_REDIRECTS'' complaint from Chrome.
     6   6
     7   7  2. Use default setting in nginx; use a wrong setting in Django, i.e. the 'httpsssss' part:
     8   8  `proxy_set_header X-Forwarded-Proto $scheme;`
     9      `HTTP_X_FORWARDED_PROTO='httpssssssss'`
         9  `SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'httpssssssss')`
    10  10  ''No redirect.''
    11  11
    12  12  3. Use default setting in nginx; use a wrong setting in Django:
    13  13  `proxy_set_header X-Forwarded-Proto $scheme;`
    14      `HTTP_X_FORWARDED_PROTASDF='httpssssssss'`
        14  `SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTASDF', 'httpssssssss')`
    15  15  ''No redirect.''
    16  16
    17  17  4. Use custom HTTPS indicator in both nginx and Django:
    18  18  `proxy_set_header X-Forwarded-Protooo $scheme;`
    19      `HTTP_X_FORWARDED_PROTOOO='https'`
        19  `SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOOO', 'https')`
    20  20  ''No redirect.'' This is the expected behavior.
    21  21
    22  22  5. Use custom HTTPS indicator in both nginx and Django, and test for an unsafe protocol ( != 'https'):
    23  23  `proxy_set_header X-Forwarded-Protooo $scheme;`
    24      `HTTP_X_FORWARDED_PROTOOO='httpsssss'`
        24  `SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOOO', 'httpsssss')`
    25  25  Chrome complains ''ERR_TOO_MANY_REDIRECTS''. This is the expected behavior.
    26  26
            [lines 27-34 unchanged, not shown]
    35  35  And set:
    36  36  `proxy_set_header X-Forwarded-Proto $scheme;`
    37      `HTTP_X_FORWARDED_PROTO='httpssssssss'`
        37  `SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'httpssssssss')`
    38  38  Chrome would report the expected ''ERR_TOO_MANY_REDIRECTS''.
    39  39
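The five cases in the description and the case-4 injection described in the comment can be reproduced with a small model of the header chain client -> nginx -> gunicorn -> Django. This is an added example, not code from Django, gunicorn, nginx or the ticket. Its assumptions: nginx passes client request headers through unless `proxy_set_header` overwrites them; gunicorn, with its default trusted forwarder 127.0.0.1, sets `wsgi.url_scheme` to `https` only when it receives exactly `X-Forwarded-Proto: https`; Django's `SECURE_PROXY_SSL_HEADER` check is modelled as "header equals value -> https, otherwise fall back to `wsgi.url_scheme`" (the missing else clause the comment refers to), with a hypothetical `strict` flag standing in for that else clause; the browser in the five ticket cases reaches nginx over HTTPS with no extra headers; and `SECURE_SSL_REDIRECT` is modelled as "redirect whenever `is_secure()` is False", which on an HTTPS client is the redirect loop Chrome reports as ERR_TOO_MANY_REDIRECTS.

```python
"""Constructed simulation of the X-Forwarded-Proto trust chain from the ticket.
Not Django, gunicorn or nginx code; each hop is a simplified model as commented."""


def nginx_forward(client_headers, client_scheme, proxy_set_header):
    """Model of nginx: client request headers pass through untouched unless a
    proxy_set_header directive overwrites them.  '$scheme' is the scheme of the
    client<->nginx hop.  Header names are case-insensitive."""
    upstream = {name.lower(): value for name, value in client_headers.items()}
    for name, value in proxy_set_header:
        upstream[name.lower()] = client_scheme if value == "$scheme" else value
    return upstream


def gunicorn_environ(upstream_headers):
    """Model of gunicorn's WSGI environ (assumption: nginx is a trusted
    forwarder, gunicorn's default for 127.0.0.1).  wsgi.url_scheme becomes
    'https' only for an exact 'X-Forwarded-Proto: https'; every header is
    exposed as HTTP_<NAME>, the form Django's request.META uses."""
    environ = {"wsgi.url_scheme": "http"}
    for name, value in upstream_headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    if upstream_headers.get("x-forwarded-proto") == "https":
        environ["wsgi.url_scheme"] = "https"
    return environ


def django_is_secure(environ, secure_proxy_ssl_header, strict=False):
    """Model of HttpRequest.is_secure() as the ticket comment describes it:
    the configured header equal to the configured value means https; anything
    else falls through to wsgi.url_scheme.  strict=True is a hypothetical
    else clause: a header that is present but different means http, no
    fall-through."""
    if secure_proxy_ssl_header:
        header, value = secure_proxy_ssl_header
        seen = environ.get(header)
        if seen == value:
            return True
        if strict and seen is not None:
            return False
    return environ["wsgi.url_scheme"] == "https"


def outcome(client_scheme, client_headers, proxy_set_header,
            secure_proxy_ssl_header, strict=False):
    """Browser-visible result with SECURE_SSL_REDIRECT=True: the middleware
    redirects to https whenever is_secure() is False, so a client that is
    already on https but judged insecure is redirected to itself forever."""
    upstream = nginx_forward(client_headers, client_scheme, proxy_set_header)
    if django_is_secure(gunicorn_environ(upstream), secure_proxy_ssl_header, strict):
        return "no redirect"
    return "redirect loop" if client_scheme == "https" else "redirect to https"


# The five configurations from the ticket description:
# (nginx proxy_set_header directives, Django SECURE_PROXY_SSL_HEADER).
CASES = {
    1: ([("X-Forwarded-Proto", "$scheme")], None),
    2: ([("X-Forwarded-Proto", "$scheme")], ("HTTP_X_FORWARDED_PROTO", "httpssssssss")),
    3: ([("X-Forwarded-Proto", "$scheme")], ("HTTP_X_FORWARDED_PROTASDF", "httpssssssss")),
    4: ([("X-Forwarded-Protooo", "$scheme")], ("HTTP_X_FORWARDED_PROTOOO", "https")),
    5: ([("X-Forwarded-Protooo", "$scheme")], ("HTTP_X_FORWARDED_PROTOOO", "httpsssss")),
}


def ticket_results(strict=False):
    """Outcome of each ticket case for a browser on HTTPS sending no extra headers."""
    return {n: outcome("https", {}, nginx, django, strict)
            for n, (nginx, django) in CASES.items()}


def mitm_case4(strict=False, overwrite_standard_header=False):
    """Case 4 with an attacker on the plain-HTTP hop injecting
    'X-Forwarded-Proto: https'.  nginx only sets X-Forwarded-Protooo, so the
    injected header reaches gunicorn untouched.  Returns Django's is_secure().
    overwrite_standard_header adds the proxy-side mitigation: nginx always
    sets X-Forwarded-Proto from $scheme, clobbering whatever the client sent."""
    proxy = [("X-Forwarded-Protooo", "$scheme")]
    if overwrite_standard_header:
        proxy.append(("X-Forwarded-Proto", "$scheme"))
    upstream = nginx_forward({"X-Forwarded-Proto": "https"}, "http", proxy)
    return django_is_secure(gunicorn_environ(upstream),
                            ("HTTP_X_FORWARDED_PROTOOO", "https"), strict)


if __name__ == "__main__":
    for n, result in ticket_results().items():
        print(f"case {n}: {result}")
    print("case 4 under MITM, is_secure():", mitm_case4())
    print("  with strict check:", mitm_case4(strict=True))
    print("  with nginx overwriting X-Forwarded-Proto:", mitm_case4(overwrite_standard_header=True))
```

`ticket_results()` reproduces the description: cases 1 to 4 give no redirect and case 5 loops, and in cases 2 and 3 the mistyped setting is silently ignored because the check falls through to the scheme gunicorn derived from nginx's own `X-Forwarded-Proto`. `mitm_case4()` returns True: the custom header nginx sets says `http`, that does not match, and the fall-through lands on a `wsgi.url_scheme` that gunicorn built from the attacker's injected header. The `strict` flag closes the fall-through on the Django side, but the fix a practitioner should deploy regardless is on the proxy: every forwarding header the application or its WSGI server might honour must be overwritten by the proxy on every request, because any header the proxy merely passes through is attacker-controlled.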