------------------------------------------------------------------------------ To reply, visit https://hellosplat.com/s/beanbag/tickets/5012/ ------------------------------------------------------------------------------
New update by HeroicAlbeit For Beanbag, Inc. > Review Board > Ticket #5012

Reply:

Ah, yes. Thanks for responding. Meanwhile I came across your point 1. of rewriting the Host header to `<public server name>`, like you suggest. This, however, ran me into problems with Django's CSRF checks. To get these working I ended up with this in `settings_local.py`:

```
ALLOWED_HOSTS = [
    "127.0.0.1",
    "<private instance ip>",
]
CSRF_TRUSTED_ORIGINS = [
    "http://<private instance ip>",
    "https://<public server name>",
]
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
```

plus `proxy_set_header X-Forwarded-Proto https` in nginx.conf. The tweak here is to get it to send the correct protocol to the outside, i.e. `https://<public server name>/...` instead of `http://<public server name>/...`. This is because the API Gateway terminates the SSL. I have not done any header (re)writings on the API Gateway.

So far I consider this a workaround, since - as far as I understand - it makes the CSRF checks pretty much useless. *(please tell me if I get that wrong, I have no understanding of how such attacks actually work and therefore what the risk is)*

Oh, another side observation: my Server name (in General Settings on the WebUI) was set to `http://<public server name>` by the installer and that still is so, despite me using `https://...` only. If I change this to `https://...` the CSRF checks break again.
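The three settings in the reply above interact in a way a small model makes visible. The following is an added illustration for this thread, not Django's or Review Board's own code: it re-implements, in simplified form, the logic of Django's `request.scheme`, `request.get_host()` and the Origin-header branch of `CsrfViewMiddleware` (Django 4.x semantics), and runs the poster's configuration alongside the variants discussed. The hostnames are constructed placeholders for the `<public server name>` and `<private instance ip>` values, and the Referer fallback and token comparison that real Django performs are left out.

```python
"""Simplified model of the Django pieces touched by ALLOWED_HOSTS,
CSRF_TRUSTED_ORIGINS and SECURE_PROXY_SSL_HEADER behind a TLS-terminating
gateway. Illustrative re-implementation, not Django's code."""
from dataclasses import dataclass
from typing import Optional

PUBLIC_NAME = "reviews.example.com"  # constructed stand-in for <public server name>
PRIVATE_IP = "10.0.0.5"              # constructed stand-in for <private instance ip>
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


@dataclass
class Settings:
    ALLOWED_HOSTS: list
    CSRF_TRUSTED_ORIGINS: list
    SECURE_PROXY_SSL_HEADER: Optional[tuple] = None


@dataclass
class Request:
    """WSGI-style request: headers live in META under HTTP_* keys."""
    method: str
    meta: dict
    tls_at_app: bool = False  # True only if Django itself terminated TLS


def request_scheme(settings, req):
    """request.scheme: the proxy header is trusted only when
    SECURE_PROXY_SSL_HEADER names it, and only on an exact value match."""
    if settings.SECURE_PROXY_SSL_HEADER:
        header, expected = settings.SECURE_PROXY_SSL_HEADER
        value = req.meta.get(header)
        if value is not None:
            return "https" if value == expected else "http"
    return "https" if req.tls_at_app else "http"


def get_host(settings, req):
    """request.get_host(): Host must match ALLOWED_HOSTS ('*' and leading-dot
    suffix patterns allowed); otherwise Django raises DisallowedHost,
    modelled here as ValueError."""
    host = req.meta.get("HTTP_HOST", "")
    name = host.rsplit(":", 1)[0] if host.count(":") == 1 else host
    for pattern in settings.ALLOWED_HOSTS:
        if pattern == "*" or pattern == name or (
            pattern.startswith(".") and name.endswith(pattern)
        ):
            return host
    raise ValueError(f"DisallowedHost: {host!r}")


def csrf_origin_ok(settings, req):
    """Origin branch of CsrfViewMiddleware: the browser's Origin must equal
    the origin Django believes it serves (scheme://host) or appear verbatim
    in CSRF_TRUSTED_ORIGINS. Safe methods are never checked."""
    if req.method in SAFE_METHODS:
        return True
    origin = req.meta.get("HTTP_ORIGIN")
    if origin is None:
        return False  # real Django would fall back to the Referer header
    own_origin = f"{request_scheme(settings, req)}://{get_host(settings, req)}"
    return origin == own_origin or origin in settings.CSRF_TRUSTED_ORIGINS


def post_from_browser(origin, host=PRIVATE_IP, forwarded_proto="https"):
    """A POST as it reaches Django: Host as forwarded by the gateway/nginx,
    X-Forwarded-Proto as set by nginx, Origin as sent by the browser."""
    meta = {"HTTP_HOST": host, "HTTP_ORIGIN": origin}
    if forwarded_proto:
        meta["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    return Request("POST", meta)


def scenarios():
    """Outcome of the Origin check for the configurations discussed."""
    proxy_hdr = ("HTTP_X_FORWARDED_PROTO", "https")
    browser = f"https://{PUBLIC_NAME}"  # what a real browser sends as Origin
    # Point 1 of the ticket: Host rewritten to the public name, no trusted list.
    rewritten = Settings([PUBLIC_NAME], [], proxy_hdr)
    rewritten_no_hdr = Settings([PUBLIC_NAME], [])
    # The poster's settings_local.py: Host stays the private address.
    poster = Settings(["127.0.0.1", PRIVATE_IP],
                      [f"http://{PRIVATE_IP}", browser], proxy_hdr)
    poster_no_trusted = Settings(poster.ALLOWED_HOSTS, [], proxy_hdr)
    results = {
        "rewritten_host_with_proxy_header":
            csrf_origin_ok(rewritten, post_from_browser(browser, host=PUBLIC_NAME)),
        "rewritten_host_without_proxy_header":  # expected origin is http://...
            csrf_origin_ok(rewritten_no_hdr, post_from_browser(browser, host=PUBLIC_NAME)),
        "poster_config": csrf_origin_ok(poster, post_from_browser(browser)),
        "poster_config_without_trusted_origins":  # expects https://10.0.0.5
            csrf_origin_ok(poster_no_trusted, post_from_browser(browser)),
        "foreign_origin":  # the trusted list is exact-match
            csrf_origin_ok(poster, post_from_browser("https://other.example")),
    }
    try:  # the public Host with the poster's ALLOWED_HOSTS is rejected outright
        csrf_origin_ok(poster, post_from_browser(browser, host=PUBLIC_NAME))
        results["public_host_not_allowed"] = False
    except ValueError:
        results["public_host_not_allowed"] = True
    return results


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```

What the model shows: with `SECURE_PROXY_SSL_HEADER` set and nginx's `proxy_set_header` in place, Django believes it serves `https`, so the expected origin gets the right scheme; without it, the expected origin is `http://...` and every browser POST fails even when the Host header is rewritten. Listing `https://<public server name>` in `CSRF_TRUSTED_ORIGINS` accepts the browser's Origin although the Host Django sees is the private address. The list is exact-match, so an Origin from any other site is still rejected, and in real Django the CSRF token comparison runs after this check regardless. `proxy_set_header` replaces any `X-Forwarded-Proto` a client sent, which is what makes trusting that header safe here.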