From 650cdc474d8781d4c7dc82aee663111ab9a26672 Mon Sep 17 00:00:00 2001 From: Toyam Cox Date: Mon, 6 Mar 2023 14:18:09 -0500 Subject: [PATCH] docs: Also set X-Forwarded-Proto in proxies. Django 4.0 and higher began checking the `Origin` header, which made it important that Zulip know accurately if the request came over HTTPS or HTTP; failure to do so would result in "CSRF verification failed" errors. For Zulip servers which are accessed via proxies, this means that `X-Forwarded-Proto` must be set accurately. Adjust the documentation for the suggested configurations to add the header. Fixes: #24599. Co-authored-by: Alex Vandiver --- docs/production/deployment.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/docs/production/deployment.md b/docs/production/deployment.md index ee41bcb0b1..214fd0eccd 100644 --- a/docs/production/deployment.md +++ b/docs/production/deployment.md @@ -455,6 +455,7 @@ that your Zulip server sits at `https://10.10.10.10:443`; see location / { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $http_host; proxy_http_version 1.1; proxy_buffering off; @@ -555,6 +556,8 @@ your Zulip server sits at `https://10.10.10.10:443`see bind *:80 bind *:443 ssl crt /etc/ssl/private/zulip-combined.crt http-request redirect scheme https code 301 unless { ssl_fc } + http-request set-header X-Forwarded-Proto http unless { ssl_fc } + http-request set-header X-Forwarded-Proto https if { ssl_fc } default_backend zulip backend zulip 
@@ -580,6 +583,13 @@ things you need to be careful about when configuring it: has the actual IP addresses of clients, not the IP address of the proxy server. +1. Configure your reverse proxy (or proxies) to correctly maintain the + `X-Forwarded-Proto` HTTP header, which is supposed to contain either `https` + or `http` depending on the connection between your browser and your + proxy. This will be used by Django to perform CSRF checks regardless of your + connection mechanism from your proxy to Zulip. Note that the proxies _must_ + set the header, overriding any existing values, not add a new header. + 1. Configure your proxy to pass along the `Host:` header as was sent from the client, not the internal hostname as seen by the proxy. If this is not possible, you can set `USE_X_FORWARDED_HOST = True`
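Review bot: In the nginx hunk (`@@ -455,6 +455,7 @@`), `proxy_set_header X-Forwarded-Proto $scheme;` is only correct when this nginx instance is the one terminating TLS; `$scheme` describes the client-to-nginx hop, so if nginx itself sits behind another TLS-terminating proxy, every request would be labelled `http` and the CSRF failures the commit message describes would persist. Since the third hunk tells admins with "proxy (or proxies)" to maintain the header across the chain, it would help to add a one-line note next to this snippet saying that in a chained setup the front-most TLS terminator must set the header and the inner nginx should pass that value through rather than overwrite it with `$scheme`. The use of `proxy_set_header` (replace, not append) is consistent with the "overriding any existing values" guidance in the docs hunk.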
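Review bot: In the HAProxy hunk (`@@ -555,6 +556,8 @@`), the line `http-request set-header X-Forwarded-Proto http unless { ssl_fc }` is unreachable as written, because the preceding `http-request redirect scheme https code 301 unless { ssl_fc }` terminates rule processing for every non-TLS request, so only the `https if { ssl_fc }` line ever reaches the `zulip` backend. Keeping it is harmless and protects anyone who later removes the redirect, but a short comment in the snippet stating that intent would prevent readers from assuming plain-HTTP traffic is proxied through. `set-header` replaces any client-supplied value rather than appending, which matches the "must set the header, overriding any existing values" requirement in the docs hunk; worth stating in the surrounding text that `add-header` would be the wrong choice here.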
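Review bot: In the docs hunk (`@@ -580,6 +583,13 @@`), "which is supposed to contain either `https` or `http`" undersells a hard requirement; since the commit message says a wrong or missing value produces "CSRF verification failed" errors, suggest wording it as "which must contain either `https` or `http`" and adding that symptom to the bullet so admins can recognise a misconfigured proxy from the error they see. The closing sentence about overriding rather than adding a header is the security-relevant part and deserves to lead: if the proxy merely appends, a client-supplied `X-Forwarded-Proto` value reaches Zulip alongside the proxy's own, and the check this bullet describes is then based on a value the client controls. Consider moving that sentence to the start of the bullet and keeping the explanation of what Django uses it for after it.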