id,summary,reporter,owner,description,type,status,component,version,severity,resolution,keywords,cc,stage,has_patch,needs_docs,needs_tests,needs_better_patch,easy,ui_ux
27961,Misconfigured SECURE_PROXY_SSL_HEADER setting is ignored,cryptogun,nobody,"I'm using nginx + gunicorn and display pages via HTTPS:

1. Both default settings:
Nginx setting: `proxy_set_header X-Forwarded-Proto $scheme;`
Django setting: `SECURE_PROXY_SSL_HEADER = None`
Result: ''No redirect.'' I'm not getting an ''ERR_TOO_MANY_REDIRECTS'' complaint from Chrome.

2. Use default setting in nginx; use a wrong setting in Django, i.e. the 'httpsssss' part:
`proxy_set_header X-Forwarded-Proto $scheme;`
`SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'httpssssssss')`
''No redirect.''

3. Use default setting in nginx; use a wrong setting in Django:
`proxy_set_header X-Forwarded-Proto $scheme;`
`SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTASDF', 'httpssssssss')`
''No redirect.''

4. Use custom HTTPS indicator in both nginx and Django:
`proxy_set_header X-Forwarded-Protooo $scheme;`
`SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOOO', 'https')`
''No redirect.'' This is the expected behavior.

5. Use custom HTTPS indicator in both nginx and Django, and test for an unsafe protocol ( != 'https'):
`proxy_set_header X-Forwarded-Protooo $scheme;`
`SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOOO', 'httpsssss')`
Chrome complains ''ERR_TOO_MANY_REDIRECTS''. This is the expected behavior.

6. A fix tested by myself: add an else clause under [https://github.com/django/django/blob/001cf53280f7e2b72199237f37c340d2639fe143/django/http/request.py#L196-L197 these lines].
{{{
else:
    return 'http'
}}}
And set:
`proxy_set_header X-Forwarded-Proto $scheme;`
`SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'httpssssssss')`
Chrome would report the expected ''ERR_TOO_MANY_REDIRECTS''.

Did someone forget to add the else clause, or are there 3 schemes ('http', 'ftp' and 'ftps') left? If a site uses 5.

An attacker may set the request `X-Forwarded-Proto` header to bypass the HTTPS check, resulting in 1, 2, 3.",Bug,closed,HTTP handling,1.10,Normal,fixed,redirect HTTPS X-Forwarded-Proto,,Accepted,0,0,0,0,0,0