
werkzeug ProxyFix is configured to ignore all proxy values (was: Issues with admin and https) #558

Open
Konzertheld opened this issue Jul 12, 2019 · 6 comments

Comments

@Konzertheld

commented Jul 12, 2019

In master, the admin login form on /admin sends the login credentials to http even when it is called on https. Also, css and svg files in admin won't load for me because of the mixed protocol. Apparently Firefox blocks loading insecure resources on secured sites. I will investigate further and keep this ticket updated.

Relevant lines (serving as notes for myself and everyone investigating not familiar with the code yet):
https://github.com/posativ/isso/blob/master/isso/views/comments.py#L1099

@Konzertheld

Author

commented Jul 12, 2019

Workaround: Setting server.public-endpoint to https://comments.example.org without trailing slash

@Konzertheld

Author

commented Jul 14, 2019

I figured that the issue is in werkzeug.local that is called in the mentioned line as a fallback for public-endpoint. The returned value for local.host has http as protocol even if the host defined in the config has https and the page is called via https.

@Konzertheld changed the title from "Issues with admin and https" to "local.host loses https protocol (was: Issues with admin and https)" Jul 14, 2019
@Konzertheld changed the title from "local.host loses https protocol (was: Issues with admin and https)" to "local.host is missing https protocol (was: Issues with admin and https)" Jul 14, 2019
@Konzertheld

Author

commented Jul 14, 2019

Got it. local.host is set on dispatch, which uses the host() function in wsgi.py; precisely, this line is responsible:

url = environ['wsgi.url_scheme'] + '://'

And the url_scheme referenced there comes down to http or https based on whether a variable ssl_context is set or not in the server class, which seems to be always unset, based on this line in the same file:

self.ssl_context = None

If I do SSL termination with Nginx reverse proxy, I use X-Forwarded-Proto which should be respected somewhere but is not.

@Konzertheld

Author

commented Jul 14, 2019

To me it looks like the appropriate place where X_FORWARDED_PROTO should be taken care of is in werkzeug. There are too many places where values set by werkzeug are used by isso to fix this in isso itself.

@Konzertheld

Author

commented Jul 14, 2019

And indeed werkzeug does look at X_FORWARDED_PROTO but ignores it because it is set to trust 0 proxies. At which point I am out because I have no idea how to configure that in isso.

@Konzertheld changed the title from "local.host is missing https protocol (was: Issues with admin and https)" to "werkzeug ProxyFix is configured to ignore all proxy values (was: Issues with admin and https)" Jul 14, 2019
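The trust-count behaviour described in the comments above, as an added stand-alone example that is not isso's or werkzeug's own code: it mimics ProxyFix's rule of reading the X-Forwarded-Proto value written by the trusted-th proxy from the right, then rebuilds the base URL from `wsgi.url_scheme` the way the issue says isso's host() does. The request dictionary is constructed; the function names are assumptions for this illustration.

```python
"""Why a proxy-trust count of 0 leaves wsgi.url_scheme at http behind a TLS-terminating proxy."""


def nth_from_right(header_value, trusted):
    """Value set by the trusted-th proxy counted from the right (ProxyFix rule:
    values[-trusted]). None when trusted is 0 or fewer values exist than we trust,
    so a header injected by the client and never overwritten by a proxy is ignored."""
    if trusted < 1 or not header_value:
        return None
    values = [v.strip() for v in header_value.split(",") if v.strip()]
    if len(values) < trusted:
        return None
    return values[-trusted]


def apply_forwarded_proto(environ, trusted_proxies):
    """Return a copy of environ whose wsgi.url_scheme follows X-Forwarded-Proto
    from the trusted proxy; trusted_proxies=0 ignores the header entirely."""
    env = dict(environ)
    proto = nth_from_right(env.get("HTTP_X_FORWARDED_PROTO"), trusted_proxies)
    if proto in ("http", "https"):
        env["wsgi.url_scheme"] = proto
    return env


def public_url(environ):
    """Rebuild the public base URL as the issue describes isso's host():
    scheme from wsgi.url_scheme, host from HTTP_HOST."""
    return environ["wsgi.url_scheme"] + "://" + environ["HTTP_HOST"]


# Constructed request as it reaches the backend from a TLS-terminating reverse proxy.
PROXIED_REQUEST = {
    "wsgi.url_scheme": "http",            # backend itself listens on plain HTTP
    "HTTP_HOST": "comments.example.org",
    "HTTP_X_FORWARDED_PROTO": "https",    # added by the proxy
}


def demo():
    """(URL with 0 trusted proxies, URL with 1 trusted proxy)."""
    ignored = public_url(apply_forwarded_proto(PROXIED_REQUEST, 0))
    honored = public_url(apply_forwarded_proto(PROXIED_REQUEST, 1))
    return ignored, honored


if __name__ == "__main__":
    print(demo())
```

The count must match the number of proxies actually in front of the backend: too low and https is lost as in this issue, too high and the header is ignored again, while a backend reachable without any proxy should keep the count at 0.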
@seyuf


commented Sep 3, 2019

Thanks @Konzertheld for the workaround 👍 .
However, even after setting the public endpoint, the admin seems to be redirected from https to http after the login ...
