Gunicorn / Django think we're not on https #1488

Closed
mlissner opened this issue Nov 30, 2020 · 1 comment
@mlissner
Member

Gotta hand it to the security researchers: They do notice things from time to time. In this case, somebody noticed that our "Forgot Password" email was sending links with the http protocol instead of the https. That's pretty weird, but it makes sense after our switch to nginx in #1429. This is happening because gunicorn is accessed via a reverse proxy that uses http and doesn't know that our front end is only accessed via https.

The easy fix would be to simply update the email template to hard code https, but this is actually a canary in a coal mine. We need to tell gunicorn that everything should be treated as secure. To do that, we need to use Django's SECURE_PROXY_SSL_HEADER configuration.

We already send the correct headers via our proxy.conf nginx configuration. We just need to recognize them in our settings file.
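The mechanism described in this issue, as an added example that is not part of the issue or the project's code: a small stand-in for Django's `HttpRequest.scheme` resolution, used to show why an app behind an http-only reverse proxy builds `http://` links, how the documented `SECURE_PROXY_SSL_HEADER` setting changes that, and why the proxy (modelled here as nginx's `proxy_set_header X-Forwarded-Proto $scheme;`, an assumed directive) must overwrite the header rather than pass a client-supplied value through. The helper functions, host name and sample request dictionaries below are constructed for the example.

```python
"""Constructed example: Django-style scheme detection behind a reverse proxy.

`request_scheme` is a simplified mirror of Django's HttpRequest.scheme logic
(an assumption here, not Django's own code). Django's documented setting is a
(META key, value) pair; META naming turns the "X-Forwarded-Proto" request
header into "HTTP_X_FORWARDED_PROTO".
"""

SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")


def request_scheme(meta, secure_proxy_ssl_header=None):
    """Return "https" or "http" for a request, given its WSGI environ/META.

    secure_proxy_ssl_header: None, or the (header, value) pair from settings.
    """
    if secure_proxy_ssl_header:
        header, secure_value = secure_proxy_ssl_header
        header_value = meta.get(header)
        if header_value is not None:
            # Django uses only the first value if the header carries a list.
            first, *_ = header_value.split(",", 1)
            return "https" if first.strip() == secure_value else "http"
    # Fallback: the scheme the WSGI server saw on its own socket. Behind an
    # http-only proxy this is always "http", which is the bug in the issue.
    return meta.get("wsgi.url_scheme", "http")


def build_absolute_uri(meta, path, secure_proxy_ssl_header=None):
    """Build a link the way a password-reset email template would."""
    scheme = request_scheme(meta, secure_proxy_ssl_header)
    return f"{scheme}://{meta['HTTP_HOST']}{path}"


def nginx_forward(client_headers, client_scheme):
    """Model the proxy hop (assumed nginx behaviour, constructed here).

    nginx terminates TLS and forwards to gunicorn over plain http, so
    wsgi.url_scheme is "http". With `proxy_set_header X-Forwarded-Proto
    $scheme;` any X-Forwarded-Proto the client sent is replaced by the
    scheme nginx itself observed, so only the proxy's view reaches Django.
    """
    meta = {"wsgi.url_scheme": "http", "HTTP_HOST": "example.test"}
    for name, value in client_headers.items():
        meta["HTTP_" + name.upper().replace("-", "_")] = value
    meta["HTTP_X_FORWARDED_PROTO"] = client_scheme  # unconditional overwrite
    return meta


RESET_PATH = "/reset/abc/token/"  # placeholder path, constructed


def demo():
    """Return the reset link in three configurations (constructed inputs)."""
    https_via_proxy = nginx_forward({}, "https")
    http_via_proxy = nginx_forward({}, "http")
    return (
        # Proxy says https, but the setting is missing: Django builds http://
        build_absolute_uri(https_via_proxy, RESET_PATH),
        # Same request with SECURE_PROXY_SSL_HEADER configured: https://
        build_absolute_uri(https_via_proxy, RESET_PATH, SECURE_PROXY_SSL_HEADER),
        # A request that really arrived over http stays http://
        build_absolute_uri(http_via_proxy, RESET_PATH, SECURE_PROXY_SSL_HEADER),
    )


def header_overwritten_by_proxy():
    """Show that the proxy, not the client, decides the scheme.

    A client that sends its own X-Forwarded-Proto over a plain http connection
    still ends up with "http" once nginx has overwritten the header.
    """
    meta = nginx_forward({"X-Forwarded-Proto": "https"}, "http")
    return request_scheme(meta, SECURE_PROXY_SSL_HEADER)


if __name__ == "__main__":
    for label, url in zip(("no setting", "with setting", "plain http"), demo()):
        print(f"{label:>12}: {url}")
    print("client header overwritten ->", header_overwritten_by_proxy())
```

The two halves of the fix belong together: `SECURE_PROXY_SSL_HEADER` makes Django trust the header, and the proxy's unconditional `proxy_set_header` makes that trust safe, because gunicorn must only ever be reachable through the proxy that sets it.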

@mlissner mlissner self-assigned this Nov 30, 2020
@mlissner
Member Author

Fixed via 0806807
