-
-
Notifications
You must be signed in to change notification settings - Fork 7.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CSRF_TRUSTED_ORIGINS no longer filled by EXTERNAL_HOST #24599
Comments
This would be fixed by a documentation change. nginx reverse proxies (and probably others) need to set the scheme correctly when doing forwarding:
|
Hello @zulip/server-production members, this issue was labeled with the "area: production", "area: documentation (production)" labels, so you may want to check it out! |
@Vaelatern I am really too excited to contribute to this issue, please please assign it to me. |
@zulipbot Please Assign it to me I can come up with a solution soon. |
I have a PR open.... |
@zulipbot claim |
Hello @sivangbagri! Thanks for your interest in Zulip! You have attempted to claim an issue without the label "help wanted". You can only claim and submit pull requests for issues with the help wanted label. If this is your first time here, we recommend reading our guide for new contributors before getting started. |
Django 4.0 and higher began checking the `Origin` header, which made it important that Zulip know accurately if the request came over HTTPS or HTTP; failure to do so would result in "CSRF verification failed" errors. For Zulip servers which are accessed via proxies, this means that `X-Fowarded-Proto` must be set accurately. Adjust the documentation for the suggested configurations to add the header. Fixes: zulip#24599. Co-authored-by: Alex Vandiver <alexmv@zulip.com>
Combine nginx and Django middlware to stop putting misleading warnings about `CSRF_TRUSTED_ORIGINS` when the issue is untrusted proxies. This attempts to, in the error logs, diagnose and suggest next steps to fix common proxy misconfigurations. See also zulip#24599 and zulip/docker-zulip#403.
Combine nginx and Django middlware to stop putting misleading warnings about `CSRF_TRUSTED_ORIGINS` when the issue is untrusted proxies. This attempts to, in the error logs, diagnose and suggest next steps to fix common proxy misconfigurations. See also zulip#24599 and zulip/docker-zulip#403.
Combine nginx and Django middlware to stop putting misleading warnings about `CSRF_TRUSTED_ORIGINS` when the issue is untrusted proxies. This attempts to, in the error logs, diagnose and suggest next steps to fix common proxy misconfigurations. See also zulip#24599 and zulip/docker-zulip#403.
Combine nginx and Django middlware to stop putting misleading warnings about `CSRF_TRUSTED_ORIGINS` when the issue is untrusted proxies. This attempts to, in the error logs, diagnose and suggest next steps to fix common proxy misconfigurations. See also zulip#24599 and zulip/docker-zulip#403.
Combine nginx and Django middlware to stop putting misleading warnings about `CSRF_TRUSTED_ORIGINS` when the issue is untrusted proxies. This attempts to, in the error logs, diagnose and suggest next steps to fix common proxy misconfigurations. See also zulip#24599 and zulip/docker-zulip#403.
Combine nginx and Django middlware to stop putting misleading warnings about `CSRF_TRUSTED_ORIGINS` when the issue is untrusted proxies. This attempts to, in the error logs, diagnose and suggest next steps to fix common proxy misconfigurations. See also zulip#24599 and zulip/docker-zulip#403.
Combine nginx and Django middlware to stop putting misleading warnings about `CSRF_TRUSTED_ORIGINS` when the issue is untrusted proxies. This attempts to, in the error logs, diagnose and suggest next steps to fix common proxy misconfigurations. See also zulip#24599 and zulip/docker-zulip#403.
Combine nginx and Django middlware to stop putting misleading warnings about `CSRF_TRUSTED_ORIGINS` when the issue is untrusted proxies. This attempts to, in the error logs, diagnose and suggest next steps to fix common proxy misconfigurations. See also zulip#24599 and zulip/docker-zulip#403.
Combine nginx and Django middlware to stop putting misleading warnings about `CSRF_TRUSTED_ORIGINS` when the issue is untrusted proxies. This attempts to, in the error logs, diagnose and suggest next steps to fix common proxy misconfigurations. See also #24599 and zulip/docker-zulip#403.
Combine nginx and Django middlware to stop putting misleading warnings about `CSRF_TRUSTED_ORIGINS` when the issue is untrusted proxies. This attempts to, in the error logs, diagnose and suggest next steps to fix common proxy misconfigurations. See also zulip#24599 and zulip/docker-zulip#403. (cherry picked from commit 8a77cca)
Summary: Zulip 5.0 -> 6.1. I had to adjust my
settings.py
to includeCSRF_TRUSTED_ORIGINS
and filled the array with the value already inEXTERNAL_HOST
. This seems to be due to a django change in 4.0 where theCSRF_TRUSTED_ORIGINS
array no longer gets populated by headers that are missing the scheme.Thread: https://chat.zulip.org/#narrow/stream/9-issues/topic/Zulip.206.2E0.20behind.20reverse.20proxy.20-.20CSRF.20verification.20failed
Possible upstream note (changed in 4.0): https://docs.djangoproject.com/en/4.1/ref/settings/#csrf-trusted-origins
From the 5.0 server (works without change):
From the 6.1 server (Before change, most queries failing with
After the fix (server operating normally):
To be clear, I set
CSRF_TRUSTED_ORIGINS
to that value in mysettings.py
, there is nothing there that is unexpected.Possible reason it's rare for people to notice this: If the scheme matches what the server is listening on, then perhaps Django checks with
ALLOWED_HOSTS
. However since I'm passinghttps
traffic through a reverse proxy tohttp
perhaps that is where Django is getting confused. It is possible that if I set a self-signed certificate, this issue would not have bit me.The text was updated successfully, but these errors were encountered: