id summary reporter owner description type status component version severity resolution keywords cc stage has_patch needs_docs needs_tests needs_better_patch easy ui_ux 33569 Add support for multiple values for the x-forwarded-proto header Thomas Schmidt Thomas Schmidt "When Django is deployed behind more than one proxy, the proxy behavior is sometimes to list the protocol as a comma-separated list. However, currently, Django expects only one value for the `x-forwarded-proto` header, instead of parsing it as a list of values and setting the protocol accordingly. `x-forwarded-proto` is a non-standard header, so there isn't a specification for its use, but different reverse-proxy vendors do use it in different ways, and some append the protocol as a comma-separated value from left-to-right (left being the furthermost proxy and rightmost being the closest). Similar issues have been raised and implemented in other projects, for example: Tornado: * Issue: https://github.com/tornadoweb/tornado/issues/2161 * Implementation: https://github.com/tornadoweb/tornado/blob/00c9e0ae31a5a0d12e09109fb77ffe391bfe1131/tornado/httpserver.py#L347-L350 Ruby: * Issue: https://bugs.ruby-lang.org/issues/10789 * Implemenation: https://github.com/ruby/ruby/blob/d92f09a5eea009fa28cd046e9d0eb698e3d94c5c/tool/lib/webrick/httprequest.rb#L614-L616 Reactor-Netty: * https://github.com/reactor/reactor-netty/issues/976 * Implementation: https://github.com/reactor/reactor-netty/commit/e190d5bbf65d88d3a0240cd60b81e1ee1907030e Most implementation use the leftmost-value or rightmost value. I would expect that provided that you are certain that the initial proxy can be trusted, that the left-most value makes the most sense, since it represent the original value at the entry-point for the HTTP request which is often where TLS is being terminated. Common example of this behavior is when using mulitple AWS proxies such as API Gateway proxying to an elastic load balancer. " Cleanup/optimization closed HTTP handling dev Normal fixed Ready for checkin 1 0 0 0 0 0