id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
27961	Misconfigured SECURE_PROXY_SSL_HEADER setting is ignored	cryptogun	nobody	"I'm using nginx + gunicorn and display pages via HTTPS:
1. Both default settings:
Nginx setting: `proxy_set_header X-Forwarded-Proto $scheme;`
Django setting: `SECURE_PROXY_SSL_HEADER = None`
Result: ''No redirect.'' I'm not getting an ''ERR_TOO_MANY_REDIRECTS'' complaint from Chrome.

2. Use default setting in nginx; use a wrong setting in Django, i.e. the 'httpsssss' part:
`proxy_set_header X-Forwarded-Proto $scheme;`
`SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'httpssssssss')`
''No redirect.''

3. Use default setting in nginx; use a wrong setting in Django:
`proxy_set_header X-Forwarded-Proto $scheme;`
`SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTASDF', 'httpssssssss')`
''No redirect.''

4. Use custom HTTPS indicator in both nginx and Django:
`proxy_set_header X-Forwarded-Protooo $scheme;`
`SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOOO', 'https')`
''No redirect.'' This is the expected behavior.

5. Use custom HTTPS indicator in both nginx and Django, and testing for an unsafe protocol ( != 'https'):
`proxy_set_header X-Forwarded-Protooo $scheme;`
`SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOOO', 'httpsssss')`
Chrome complains ''ERR_TOO_MANY_REDIRECTS''. This is the expected behavior.

6. A fix tested by myself:
Add an else clause under [https://github.com/django/django/blob/001cf53280f7e2b72199237f37c340d2639fe143/django/http/request.py#L196-L197 these lines].

{{{
            else:
                return 'http'
}}}

And set:
`proxy_set_header X-Forwarded-Proto $scheme;`
`SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'httpssssssss')`
Chrome would report the expected ''ERR_TOO_MANY_REDIRECTS''.
  
Did someone forget to add the else clause, or are there 3 schemes, 'http', 'ftp' and 'ftps', left?
If a site uses 5, an attacker may set the request `X-Forwarded-Proto` header to bypass the HTTPS check, resulting in 1, 2, 3."	Bug	closed	HTTP handling	1.10	Normal	fixed	redirect HTTPS X-Forwarded-Proto		Accepted	0	0	0	0	0	0
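The following is an added model, not Django's code and not the reporter's patch, of the scheme resolution the ticket walks through: the Django 1.10 logic at the linked request.py lines (a matching header forces 'https', everything else falls through to the WSGI server's `wsgi.url_scheme`), the reporter's literal `else: return 'http'`, and a narrower variant that forces 'http' only when the header is present with the wrong value. Function names such as `scheme_django_1_10`, the `SCENARIOS` table and the META dicts are mine. The `wsgi.url_scheme` values are assumptions, explained in the comments: the ''No redirect'' outcomes in 1, 2 and 3 are only possible if the WSGI server had already set `wsgi.url_scheme` to 'https' (gunicorn's default `secure_scheme_headers` does that for a trusted upstream's `X-Forwarded-Proto: https`), and that fallback is what masks the misconfigured setting.

```python
"""
Added model (not Django's code) of HttpRequest.scheme as of Django 1.10 versus
the reporter's proposed else clause, plus the SecurityMiddleware redirect
decision that turns the result into "No redirect" or ERR_TOO_MANY_REDIRECTS.
"""

# META keys as Django exposes them: nginx's "X-Forwarded-Proto" becomes
# HTTP_X_FORWARDED_PROTO, and the WSGI server supplies wsgi.url_scheme.
WSGI_URL_SCHEME = 'wsgi.url_scheme'


def scheme_django_1_10(meta, secure_proxy_ssl_header):
    """Mirrors the linked request.py lines: a matching header yields 'https';
    a missing header OR a present-but-mismatching header both fall through
    to whatever the WSGI server put in wsgi.url_scheme."""
    if secure_proxy_ssl_header:
        header, value = secure_proxy_ssl_header
        if meta.get(header) == value:
            return 'https'
    return meta.get(WSGI_URL_SCHEME, 'http')


def scheme_with_else_clause(meta, secure_proxy_ssl_header):
    """The reporter's fix taken literally: any non-match, including a missing
    header, is 'http'. wsgi.url_scheme is consulted only when the setting is off."""
    if secure_proxy_ssl_header:
        header, value = secure_proxy_ssl_header
        if meta.get(header) == value:
            return 'https'
        else:
            return 'http'
    return meta.get(WSGI_URL_SCHEME, 'http')


def scheme_mismatch_only(meta, secure_proxy_ssl_header):
    """Narrower variant (my suggestion, not from the ticket): only a header that
    is present with the wrong value is forced to 'http'; an absent header still
    defers to wsgi.url_scheme, so a proxy that does not send the header at all
    behaves as before."""
    if secure_proxy_ssl_header:
        header, value = secure_proxy_ssl_header
        header_value = meta.get(header)
        if header_value is not None:
            return 'https' if header_value == value else 'http'
    return meta.get(WSGI_URL_SCHEME, 'http')


def ssl_redirect_loops(scheme, secure_ssl_redirect=True):
    """SecurityMiddleware redirects to https when SECURE_SSL_REDIRECT is on and
    request.is_secure() (scheme == 'https') is False. Behind a TLS-terminating
    proxy the redirected request arrives looking identical, so a redirect here
    is what Chrome reports as ERR_TOO_MANY_REDIRECTS."""
    return secure_ssl_redirect and scheme != 'https'


# Constructed META dicts for the ticket's scenarios. nginx serves HTTPS, so the
# forwarded header carries 'https'. The wsgi.url_scheme values are an assumption:
# gunicorn's default secure_scheme_headers promotes a trusted upstream's
# "X-Forwarded-Proto: https" to wsgi.url_scheme='https', but knows nothing
# about a renamed header such as X-Forwarded-Protooo.
META_STANDARD_HEADER = {'HTTP_X_FORWARDED_PROTO': 'https', WSGI_URL_SCHEME: 'https'}
META_CUSTOM_HEADER = {'HTTP_X_FORWARDED_PROTOOO': 'https', WSGI_URL_SCHEME: 'http'}

SCENARIOS = {
    1: (META_STANDARD_HEADER, None),
    2: (META_STANDARD_HEADER, ('HTTP_X_FORWARDED_PROTO', 'httpssssssss')),
    3: (META_STANDARD_HEADER, ('HTTP_X_FORWARDED_PROTASDF', 'httpssssssss')),
    4: (META_CUSTOM_HEADER, ('HTTP_X_FORWARDED_PROTOOO', 'https')),
    5: (META_CUSTOM_HEADER, ('HTTP_X_FORWARDED_PROTOOO', 'httpsssss')),
}


def run_scenarios(resolver):
    """Return {scenario: (scheme, redirect_loops)} for the given resolver."""
    results = {}
    for n, (meta, setting) in SCENARIOS.items():
        scheme = resolver(meta, setting)
        results[n] = (scheme, ssl_redirect_loops(scheme))
    return results


if __name__ == '__main__':
    for name, resolver in [('Django 1.10', scheme_django_1_10),
                           ('reporter else clause', scheme_with_else_clause),
                           ('mismatch only', scheme_mismatch_only)]:
        print(name)
        for n, (scheme, loops) in run_scenarios(resolver).items():
            outcome = 'ERR_TOO_MANY_REDIRECTS' if loops else 'No redirect'
            print(f"  {n}: scheme={scheme:<5} {outcome}")
```

Running the file prints one table per resolver; the Django 1.10 column reproduces the ticket's outcomes (only 5 loops), which shows that a present-but-wrong header value is indistinguishable from a correct one whenever the WSGI server already believes the request is secure. The reporter's literal else clause makes 2 loop as described in 6, but it also makes 3 loop, because a header that is never sent is treated the same as a wrong one; the mismatch-only variant keeps 3 on the old fallback path while still failing closed on 2.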
