From ce9ceb7f9f88d8bc05d0f4b80ac76639fd8e06eb Mon Sep 17 00:00:00 2001 From: Anders Kaseorg Date: Fri, 23 Sep 2022 14:24:11 -0700 Subject: [PATCH] tornado: Fix Tornado CSRF check with X-Forwarded-Proto. Since Django factors request.is_secure() into its CSRF check, we need this to tell it to consider requests forwarded from nginx to Tornado as secure. Signed-off-by: Anders Kaseorg --- puppet/zulip/files/nginx/zulip-include-common/proxy | 1 + zerver/management/commands/runtornado.py | 2 ++ 2 files changed, 3 insertions(+) diff --git a/puppet/zulip/files/nginx/zulip-include-common/proxy b/puppet/zulip/files/nginx/zulip-include-common/proxy index be2b698162..756bbcd7b2 100644 --- a/puppet/zulip/files/nginx/zulip-include-common/proxy +++ b/puppet/zulip/files/nginx/zulip-include-common/proxy @@ -3,6 +3,7 @@ proxy_http_version 1.1; # http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive proxy_set_header Connection ""; proxy_set_header Host $host; +proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Real-Ip $remote_addr; proxy_next_upstream off; diff --git a/zerver/management/commands/runtornado.py b/zerver/management/commands/runtornado.py index a0339a2f53..ca13be9f9b 100644 --- a/zerver/management/commands/runtornado.py +++ b/zerver/management/commands/runtornado.py @@ -13,6 +13,8 @@ from tornado import autoreload from tornado.platform.asyncio import AsyncIOMainLoop settings.RUNNING_INSIDE_TORNADO = True +if settings.PRODUCTION: + settings.SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https") from zerver.lib.async_utils import NoAutoCreateEventLoopPolicy from zerver.lib.debug import interactive_debug_listen