HTTP_X_FORWARDED_PROTO is bypassed

[cryptogun]

I'm using nginx + gunicorn and display pages via HTTPS:

1. Both default settings:

Nginx setting: proxy_set_header X-Forwarded-Proto $scheme;
Django setting: HTTP_X_FORWARDED_PROTO=None
Result: No redirect. I'm not getting a ERR_TOO_MANY_REDIRECTS complain from Chrome.

2. Use default setting in nginx; use a wrong setting in Django, i.e. the 'httpsssss' part:

proxy_set_header X-Forwarded-Proto $scheme;
HTTP_X_FORWARDED_PROTO='httpssssssss'
No redirect.

3. Use default setting in nginx; use a wrong setting in Django:

proxy_set_header X-Forwarded-Proto $scheme;
HTTP_X_FORWARDED_PROTASDF='httpssssssss'
No redirect.

4. Use custom HTTPS indicator in both nginx and Django:

proxy_set_header X-Forwarded-Protooo $scheme;
HTTP_X_FORWARDED_PROTOOO='https'
No redirect. This is the expected behavior.

5. Use custom HTTPS indicator in both nginx and Django, and testing for a unsafe protocol ( != 'https'):

proxy_set_header X-Forwarded-Protooo $scheme;
HTTP_X_FORWARDED_PROTOOO='httpsssss'
Chrome complains ERR_TOO_MANY_REDIRECTS. This is the expected behavior.

6. A fix testing by myself:

Add an else clause under [these lines](​https://github.com/django/django/blob/master/django/http/request.py#L196-L197).

            else:
                return 'http'

And set:
proxy_set_header X-Forwarded-Proto $scheme;
HTTP_X_FORWARDED_PROTO='httpssssssss'
Chrome would report the expected ERR_TOO_MANY_REDIRECTS.

Did someone forget to add the else clause, or there are 3 'http' 'ftp' and 'ftps' scheme left?
If a site use 5. An attacker may set request X-Forwarded-Proto header to bypass the HTTPS check and result in 1,2,3.

[Tim Graham]

I'm having trouble understanding the report. What is the second line in each item (e.g. HTTP_X_FORWARDED_PROTO=None supposed to represent? Values of the ​SECURE_PROXY_SSL_HEADER setting? By the way, if there is a security issue here, please ​report the issue to the security team.