Fixes #1402 - Add support for configuring X_FORWARDED_HOST. (#1403)

This is Needed for some proxies.
tl-its-umich-edu · Sep 13, 2022 · fd6ece4 · fd6ece4
1 parent 08fbe04
commit fd6ece4
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 0 deletions.
diff --git a/config/env_sample.hjson b/config/env_sample.hjson
@@ -55,6 +55,8 @@
     # This needs to be true for deployments or when testing LTI with ngrok or loophole.
     "CSRF_COOKIE_SECURE": false,
     "CSRF_TRUSTED_ORIGINS": ["instructure.com"],
+    # If you have a proxy that sets this header then set this to true. Default is false
+    "USE_X_FORWARDED_HOST": false,
     # SameSite settings for Session and CSRF (defaults in settings.py should work), if you do want non-string None set to null.
     "SESSION_COOKIE_SAMESITE": "None",
     "CSRF_COOKIE_SAMESITE": "None",

diff --git a/dashboard/settings.py b/dashboard/settings.py
@@ -422,6 +422,7 @@ def apply_env_overrides(env: Dict[str, Any], environ: os._Environ) -> Dict[str,
     CSRF_TRUSTED_ORIGINS = ENV.get("CSRF_TRUSTED_ORIGINS", [])
     SESSION_COOKIE_SECURE = True
     SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+    USE_X_FORWARDED_HOST = ENV.get('USE_X_FORWARDED_HOST', False)
 
 # When using the application with iframes (e.g. with LTI), these need to be set to None. However, we'll need to update
 # this when new browser versions expect (and the Django version allows) the string "None".