tornado: Fix Tornado CSRF check with X-Forwarded-Proto.

Since Django factors request.is_secure() into its CSRF check, we need
this to tell it to consider requests forwarded from nginx to Tornado
as secure.

Signed-off-by: Anders Kaseorg <anders@zulip.com>
Anders Kaseorg 2022-09-23 14:24:11 -07:00 committed by Tim Abbott
parent f992116d9f
commit ce9ceb7f9f
2 changed files with 3 additions and 0 deletions


@ -3,6 +3,7 @@ proxy_http_version 1.1;
# http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive # http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive
proxy_set_header Connection ""; proxy_set_header Connection "";
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-Ip $remote_addr; proxy_set_header X-Real-Ip $remote_addr;
proxy_next_upstream off; proxy_next_upstream off;
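Review bot: The added `proxy_set_header X-Forwarded-Proto $scheme;` line carries no comment saying that it is security-relevant. The Python side of this commit makes Django trust `HTTP_X_FORWARDED_PROTO` in production, so this unconditional overwrite is what stops a client-supplied value of that header from reaching Tornado. I would add a comment above it, for example `# Always overwrite X-Forwarded-Proto: Tornado's Django settings trust it via SECURE_PROXY_SSL_HEADER.` Separately, `$scheme` describes the connection to this nginx, so a deployment that terminates TLS in front of nginx would presumably send `http` here and fail the CSRF check again. This hunk does not show whether that case is handled elsewhere, so it is worth confirming.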


@ -13,6 +13,8 @@ from tornado import autoreload
from tornado.platform.asyncio import AsyncIOMainLoop from tornado.platform.asyncio import AsyncIOMainLoop
settings.RUNNING_INSIDE_TORNADO = True settings.RUNNING_INSIDE_TORNADO = True
if settings.PRODUCTION:
settings.SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
from zerver.lib.async_utils import NoAutoCreateEventLoopPolicy from zerver.lib.async_utils import NoAutoCreateEventLoopPolicy
from zerver.lib.debug import interactive_debug_listen from zerver.lib.debug import interactive_debug_listen