
Opened 6 years ago

Closed 3 years ago

#6548 closed (duplicate)

django behind apache ssl proxy

Reported by: laureline.guerin@… Owned by: nobody
Component: HTTP handling Version: master
Severity: Keywords:
Cc: anball@… Triage Stage: Design decision needed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description (last modified by ramiro)

I've seen some code in http/__init__.py:get_host function to handle X-FORWARDED-HOST that could be added by an apache proxy.

Unfortunately, there is no way to determine if the proxy is accessed in https or http, so an issue occurs when django wants to build a URL for some Redirect: the URL is built using the X-FORWARDED-HOST, but always assumes that the proxy is non-SSL.

I think there could be some solutions to solve this issue:

  • Remove test for X-FORWARDED-HOST in get_host, apache mod_proxy is designed to rewrite Location headers (used in redirect)
  • If some people want to have X-FORWARDED-HOST handled in get_host, then add a setting to enable or disable it
  • add a setting like 'HTTPS_PROXY=on' that would work like HTTPS=ON

Attachments (0)

Change History (6)

comment:1 Changed 6 years ago by Simon Greenhill <dev@…>

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Design decision needed

Can you raise this on the django-developers mailing list?

comment:2 Changed 6 years ago by ramiro

  • Description modified (diff)

comment:3 Changed 5 years ago by anonymous

  • Cc anball@… added

comment:4 Changed 4 years ago by calexium

A better solution, I think, would be to use another header (X-FORWARDER-PROTO for example) containing the scheme used by the proxy (http or https), and check in the HttpRequest.is_secure() function whether this header exists. If not, then use the current way.
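
The scheme check proposed in this comment, combined with the description's idea of making X-FORWARDED-HOST handling a setting, as an added Python model that is not Django's code: `Settings`, `use_x_forwarded_host`, `proxy_ssl_header` and `Request` are assumed names, and `PROXIED_META` is a constructed sample of what the backend behind the Apache proxy in this ticket would see.

```python
from urllib.parse import urljoin


class Settings:
    """Settings modelled on the ticket's proposals (names are assumptions,
    not Django's): honour X-Forwarded-Host only when enabled, and trust a
    proxy-supplied scheme header only when one is explicitly configured."""

    def __init__(self, use_x_forwarded_host=False, proxy_ssl_header=None):
        self.use_x_forwarded_host = use_x_forwarded_host
        # (META key, value) meaning "the proxy saw HTTPS", e.g.
        # ("HTTP_X_FORWARDED_PROTO", "https"); None disables the check.
        self.proxy_ssl_header = proxy_ssl_header


class Request:
    """Tiny stand-in for an HttpRequest carrying a WSGI-style META dict."""

    def __init__(self, meta, settings):
        self.META = meta
        self.settings = settings

    def is_secure(self):
        # Comment 4's proposal: consult the configured proxy scheme header
        # when it is present, otherwise fall back to the socket's scheme.
        hdr = self.settings.proxy_ssl_header
        if hdr is not None:
            key, expected = hdr
            if key in self.META:
                return self.META[key] == expected
        return (self.META.get("HTTPS") == "on"
                or self.META.get("wsgi.url_scheme") == "https")

    def get_host(self):
        # Description's second option: X-Forwarded-Host is opt-in.
        if self.settings.use_x_forwarded_host and "HTTP_X_FORWARDED_HOST" in self.META:
            return self.META["HTTP_X_FORWARDED_HOST"]
        host = self.META["SERVER_NAME"]
        port = self.META.get("SERVER_PORT", "80")
        default_port = "443" if self.is_secure() else "80"
        return host if port == default_port else f"{host}:{port}"

    def build_absolute_uri(self, location):
        scheme = "https" if self.is_secure() else "http"
        return urljoin(f"{scheme}://{self.get_host()}/", location)


# Constructed sample: what the backend on localhost:8082 sees when Apache on
# foo.example.com:443 forwards a request and also sets X-Forwarded-Proto.
PROXIED_META = {
    "SERVER_NAME": "localhost",
    "SERVER_PORT": "8082",
    "wsgi.url_scheme": "http",
    "HTTP_X_FORWARDED_HOST": "foo.example.com",
    "HTTP_X_FORWARDED_PROTO": "https",
}

PROXY_PROTO = ("HTTP_X_FORWARDED_PROTO", "https")


def redirect_url(meta, settings, location="/accounts/login/"):
    """Absolute Location URL a redirect would carry under the given settings."""
    return Request(meta, settings).build_absolute_uri(location)


if __name__ == "__main__":
    # The bug in the ticket: host taken from the proxy, scheme from the socket.
    print(redirect_url(PROXIED_META, Settings(use_x_forwarded_host=True)))
    # With the scheme header trusted as well, the redirect is correct.
    print(redirect_url(PROXIED_META, Settings(True, PROXY_PROTO)))
```

The point of keeping `proxy_ssl_header` off by default is that any client can send an X-Forwarded-Proto header of its own; the setting is only safe when the proxy in front of the backend always overwrites or strips that header, so that its presence really does mean "the proxy saw HTTPS". Later Django releases adopted exactly this pair of opt-in settings under the names USE_X_FORWARDED_HOST and SECURE_PROXY_SSL_HEADER.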

comment:5 Changed 4 years ago by gisle

I had the same issue here and worked around it by adding one more ProxyPassReverse line to my Apache configuration. Something like this:

<VirtualHost *:443>
   ServerName foo.example.com
   # Forward everything to the Django backend on the local port
   ProxyPass / http://localhost:8082/
   # Rewrite Location headers that name the backend directly
   ProxyPassReverse / http://localhost:8082/
   # Also rewrite Location headers that Django built from X-Forwarded-Host
   # with a plain http scheme, so the client is redirected back to https
   ProxyPassReverse / http://foo.example.com/
   Include ssl-sert
</VirtualHost>

comment:6 Changed 3 years ago by aaugustin

  • Resolution set to duplicate
  • Status changed from new to closed

This is a duplicate of #6880. The issue in both tickets is that Django tries to perform some magic by using the non-standard (and insecure) X-Forwarded-For header, and that breaks redirects.

The latest patch for #6880 implements the first option offered by the OP: remove test for X-FORWARDED-HOST in get_host.
