docs: Also set X-Forwarded-Proto in proxies.

Django 4.0 and higher began checking the `Origin` header, which made
it important that Zulip know accurately if the request came over HTTPS
or HTTP; failure to do so would result in "CSRF verification failed"
errors.

For Zulip servers which are accessed via proxies, this means that
`X-Forwarded-Proto` must be set accurately.  Adjust the documentation
for the suggested configurations to add the header.

Fixes: #24599.

Co-authored-by: Alex Vandiver <alexmv@zulip.com>
Toyam Cox 2023-03-06 14:18:09 -05:00 committed by Alex Vandiver
parent 0407abc788
commit 650cdc474d
1 changed files with 10 additions and 0 deletions


@ -455,6 +455,7 @@ that your Zulip server sits at `https://10.10.10.10:443`; see
location / { location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host; proxy_set_header Host $http_host;
proxy_http_version 1.1; proxy_http_version 1.1;
proxy_buffering off; proxy_buffering off;
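Review bot: the added `proxy_set_header X-Forwarded-Proto $scheme;` only reflects the scheme of the connection that this nginx instance terminated itself, so it is correct for the single-proxy layout the surrounding docs describe (`https://10.10.10.10:443`), but it would report `http` if this nginx were itself behind another TLS-terminating proxy; the doc text around this snippet should say that the outermost proxy is the one that must set the header. On the positive side, `proxy_set_header` replaces any client-supplied `X-Forwarded-Proto` rather than appending to it, which is exactly the "overriding any existing values" behaviour the new docs paragraph in this commit requires.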
@ -555,6 +556,8 @@ your Zulip server sits at `https://10.10.10.10:443`see
bind *:80 bind *:80
bind *:443 ssl crt /etc/ssl/private/zulip-combined.crt bind *:443 ssl crt /etc/ssl/private/zulip-combined.crt
http-request redirect scheme https code 301 unless { ssl_fc } http-request redirect scheme https code 301 unless { ssl_fc }
http-request set-header X-Forwarded-Proto http unless { ssl_fc }
http-request set-header X-Forwarded-Proto https if { ssl_fc }
default_backend zulip default_backend zulip
backend zulip backend zulip
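Review bot: because `http-request redirect scheme https code 301 unless { ssl_fc }` runs before the two new `set-header` rules and ends processing for plain-HTTP requests, the `http-request set-header X-Forwarded-Proto http unless { ssl_fc }` line can never be reached in this configuration; it is harmless, but the docs should either drop it or note that it only matters if an operator removes the redirect. As in the nginx hunk, `http-request set-header` overwrites rather than adds, so a client cannot smuggle in its own `X-Forwarded-Proto` value, which matches the requirement stated in the documentation change below.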
@ -580,6 +583,13 @@ things you need to be careful about when configuring it:
has the actual IP addresses of clients, not the IP address of the has the actual IP addresses of clients, not the IP address of the
proxy server. proxy server.
1. Configure your reverse proxy (or proxies) to correctly maintain the
`X-Forwarded-Proto` HTTP header, which is supposed to contain either `https`
or `http` depending on the connection between your browser and your
proxy. This will be used by Django to perform CSRF checks regardless of your
connection mechanism from your proxy to Zulip. Note that the proxies _must_
set the header, overriding any existing values, not add a new header.
1. Configure your proxy to pass along the `Host:` header as was sent 1. Configure your proxy to pass along the `Host:` header as was sent
from the client, not the internal hostname as seen by the proxy. from the client, not the internal hostname as seen by the proxy.
If this is not possible, you can set `USE_X_FORWARDED_HOST = True` If this is not possible, you can set `USE_X_FORWARDED_HOST = True`
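Review bot: "which is supposed to contain either `https` or `http`" reads as optional; since the commit message says a wrong value produces "CSRF verification failed" errors, the new item should state it as a requirement ("must contain") and name that error as the symptom so operators can recognise a misconfigured proxy. It would also help to spell out why the header must be set rather than added: if a proxy merely appends, a client-supplied `X-Forwarded-Proto` value reaches Zulip and is trusted, which is the reason the sentence "the proxies _must_ set the header, overriding any existing values, not add a new header" exists. The two configuration snippets earlier in this commit (nginx `proxy_set_header`, HAProxy `http-request set-header`) both behave that way, so the item could point readers back to them.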