------------------------------------------------------------------------------
To reply, visit https://hellosplat.com/s/beanbag/tickets/5012/
------------------------------------------------------------------------------
New update by HeroicAlbeit
For Beanbag, Inc. > Review Board > Ticket #5012
Reply:
ah, yes. thanks for responding.
meanwhile I came across your point 1 of rewriting the Host header to
`<public server name>`, like you suggest.
This, however, ran me into problems with Django's CSRF checks. To get these
working I ended up with this in `settings_local.py`:
```
ALLOWED_HOSTS = [
"127.0.0.1",
"<private instance ip>",
]
CSRF_TRUSTED_ORIGINS = [
"http://<private instance ip>",
"https://<public server name>"
]
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
```
plus `proxy_set_header X-Forwarded-Proto https` in nginx.conf. The tweak
here is to get it to send the correct protocol to the outside, i.e.
`https://<public server name>/...` instead of `http://<public server
name>/...`. This is because the API Gateway terminates the SSL.
I have not done any header (re)writings on the API Gateway.
So far I consider this a workaround, since - as far as I understand - it
makes the CSRF checks pretty much useless. *(please tell me if I get that
wrong, I have no understanding of how such attacks actually work and therefore
what the risk is)*
oh, another side observation: my Server name (in General Settings on the
WebUI) was set to `http://<public server name>` by the installer and that still
is so, despite me using `https://...` only. If I change this to `https://...`
the CSRF checks break again.
--
To view this discussion on the web visit
https://groups.google.com/d/msgid/reviewboard-issues/20231108091448.22332.12640%40ip-10-1-54-209.ec2.internal.
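The settings discussed in the message above, as an added example that is not part of the original thread and is neither Django's nor Review Board's code: a small Python model of the checks that ALLOWED_HOSTS, CSRF_TRUSTED_ORIGINS and SECURE_PROXY_SSL_HEADER drive, run against the scenarios the thread mentions (no proxy configuration at all, Host rewritten to the public name plus X-Forwarded-Proto, and the posted settings_local.py). The private IP `10.1.54.209`, the public name `reviews.example.com` and the foreign origin `other.example` are constructed stand-ins for the placeholders in the post; the CSRF token comparison, the Referer fallback and wildcard origin matching are deliberately left out.

```python
"""Simplified model of Django's CSRF origin check behind a TLS-terminating
proxy. Added illustration for this thread, not Django's or Review Board's
code. It follows the documented semantics of ALLOWED_HOSTS,
CSRF_TRUSTED_ORIGINS and SECURE_PROXY_SSL_HEADER but leaves out the CSRF
token comparison, the Referer fallback and wildcard subdomain matching.
All host names are constructed placeholders."""

PRIVATE_IP = "10.1.54.209"           # constructed stand-in for <private instance ip>
PUBLIC_NAME = "reviews.example.com"  # constructed stand-in for <public server name>

# The settings_local.py values quoted in the ticket, with placeholders filled in.
POSTED_SETTINGS = {
    "ALLOWED_HOSTS": ["127.0.0.1", PRIVATE_IP],
    "CSRF_TRUSTED_ORIGINS": [f"http://{PRIVATE_IP}", f"https://{PUBLIC_NAME}"],
    "SECURE_PROXY_SSL_HEADER": ("HTTP_X_FORWARDED_PROTO", "https"),
}


def is_secure(meta, settings):
    """request.is_secure() analogue. The socket between the gateway/nginx and
    Django is plain HTTP, so the request only counts as secure when the header
    named in SECURE_PROXY_SSL_HEADER carries the configured value."""
    header = settings.get("SECURE_PROXY_SSL_HEADER")
    if header:
        name, value = header
        return meta.get(name) == value
    return False


def host_allowed(host, settings):
    """ALLOWED_HOSTS analogue: '*', an exact match, or a leading-dot suffix."""
    for pattern in settings["ALLOWED_HOSTS"]:
        if pattern == "*" or pattern == host:
            return True
        if pattern.startswith(".") and (host == pattern[1:] or host.endswith(pattern)):
            return True
    return False


def csrf_origin_check(meta, settings):
    """Return (passed, reason) for the Origin part of Django's CSRF check.

    An unsafe request passes when the browser's Origin header equals the
    origin Django reconstructs for itself (scheme://Host) or is listed in
    CSRF_TRUSTED_ORIGINS. The per-request token check, which Django runs in
    addition to this, is not modelled."""
    host = meta["HTTP_HOST"]
    if not host_allowed(host, settings):
        return False, f"DisallowedHost: {host!r} is not in ALLOWED_HOSTS"
    scheme = "https" if is_secure(meta, settings) else "http"
    own_origin = f"{scheme}://{host}"
    origin = meta.get("HTTP_ORIGIN")
    if origin is None:
        return True, "no Origin header (Django would fall back to Referer for https)"
    if origin == own_origin:
        return True, f"Origin matches the reconstructed origin {own_origin!r}"
    if origin in settings.get("CSRF_TRUSTED_ORIGINS", []):
        return True, f"Origin {origin!r} is in CSRF_TRUSTED_ORIGINS"
    return False, f"Origin {origin!r} != {own_origin!r} and is not trusted"


def gateway_request(host, origin, forwarded_proto=None):
    """Constructed WSGI META for a browser POST that reached nginx after the
    API Gateway terminated TLS. Only the headers the check looks at are set."""
    meta = {"HTTP_HOST": host, "HTTP_ORIGIN": origin}
    if forwarded_proto is not None:
        meta["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    return meta


def run_scenarios():
    """Walk through the configurations discussed in the thread."""
    browser_origin = f"https://{PUBLIC_NAME}"   # what the browser always sends
    bare = {"ALLOWED_HOSTS": [PRIVATE_IP, PUBLIC_NAME]}  # no trusted origins, no proxy header
    results = {}
    # 1. Nothing configured: Django reconstructs http://<private ip>, the browser
    #    says https://<public name>, so the POST is rejected.
    results["bare"] = csrf_origin_check(gateway_request(PRIVATE_IP, browser_origin), bare)
    # 2. Host rewritten to the public name (point 1 in the thread) plus
    #    X-Forwarded-Proto: the reconstructed origin now equals the browser's,
    #    so no CSRF_TRUSTED_ORIGINS entry is needed.
    with_proxy = dict(bare, SECURE_PROXY_SSL_HEADER=("HTTP_X_FORWARDED_PROTO", "https"))
    results["host_rewrite+proto"] = csrf_origin_check(
        gateway_request(PUBLIC_NAME, browser_origin, "https"), with_proxy)
    # 3. The posted settings with the private IP still in Host: passes only
    #    because the public origin is listed in CSRF_TRUSTED_ORIGINS.
    results["posted"] = csrf_origin_check(
        gateway_request(PRIVATE_IP, browser_origin, "https"), POSTED_SETTINGS)
    # 4. The posted settings still reject a POST whose Origin is another site.
    results["posted_foreign_origin"] = csrf_origin_check(
        gateway_request(PRIVATE_IP, "https://other.example", "https"), POSTED_SETTINGS)
    return results


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:24s} {'PASS' if ok else 'FAIL'}  {why}")
```

Scenario 4 is the one worth looking at in the context of the "pretty much useless" worry: listing the site's own public origin in CSRF_TRUSTED_ORIGINS only tells Django that requests from that origin are first-party; a POST carrying any other Origin is still refused, and the token comparison left out of this model applies on top of the origin check.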