docs: Also set X-Forwarded-Proto in proxies.

Django 4.0 and higher began checking the `Origin` header, which made it important that Zulip know accurately if the request came over HTTPS or HTTP; failure to do so would result in "CSRF verification failed" errors. For Zulip servers which are accessed via proxies, this means that `X-Fowarded-Proto` must be set accurately. Adjust the documentation for the suggested configurations to add the header. Fixes: #24599. Co-authored-by: Alex Vandiver <alexmv@zulip.com>
2023-03-06 14:18:09 -05:00 · 2023-03-06 14:18:09 -05:00 · 650cdc474d
parent 0407abc788
commit 650cdc474d
1 changed files with 10 additions and 0 deletions
--- a/docs/production/deployment.md
+++ b/docs/production/deployment.md
@ -455,6 +455,7 @@ that your Zulip server sits at `https://10.10.10.10:443`; see

           location / {
                   proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+                   proxy_set_header        X-Forwarded-Proto $scheme;
                   proxy_set_header        Host $http_host;
                   proxy_http_version      1.1;
                   proxy_buffering         off;
@ -555,6 +556,8 @@ your Zulip server sits at `https://10.10.10.10:443`see
       bind *:80
       bind *:443 ssl crt /etc/ssl/private/zulip-combined.crt
       http-request redirect scheme https code 301 unless { ssl_fc }
+       http-request set-header X-Forwarded-Proto http unless { ssl_fc }
+       http-request set-header X-Forwarded-Proto https if { ssl_fc }
       default_backend zulip

   backend zulip
@ -580,6 +583,13 @@ things you need to be careful about when configuring it:
   has the actual IP addresses of clients, not the IP address of the
   proxy server.

+1. Configure your reverse proxy (or proxies) to correctly maintain the
+   `X-Forwarded-Proto` HTTP header, which is supposed to contain either `https`
+   or `http` depending on the connection between your browser and your
+   proxy. This will be used by Django to perform CSRF checks regardless of your
+   connection mechanism from your proxy to Zulip. Note that the proxies _must_
+   set the header, overriding any existing values, not add a new header.
+
 1. Configure your proxy to pass along the `Host:` header as was sent
   from the client, not the internal hostname as seen by the proxy.
   If this is not possible, you can set `USE_X_FORWARDED_HOST = True`