------------------------------------------------------------------------------
To reply, visit https://hellosplat.com/s/beanbag/tickets/5012/
------------------------------------------------------------------------------

New update by HeroicAlbeit
For Beanbag, Inc. > Review Board > Ticket #5012


Reply:

    ah, yes. thanks for responding.
    
    meanwhile I came across your point 1. of rewriting the Host header to `<public server name>`, like you suggest.
    
    This, however, ran me into problems with Django's CSRF checks. To get these working I ended up with this in `settings_local.py`:
    
    ```
    ALLOWED_HOSTS = [
        "127.0.0.1",
        "<private instance ip>",
    ]
    CSRF_TRUSTED_ORIGINS = [
        "http://<private instance ip>",
        "https://<public server name>"
    ]
    SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
    ```
    
    plus `proxy_set_header X-Forwarded-Proto https` in nginx.conf. The tweak here is to get it to send the correct protocol to the outside, i.e. `https://<public server name>/...` instead of `http://<public server name>/...`. This is because the API Gateway terminates the SSL.
    
    I have not done any header (re)writings on the API Gateway.
    
    So far I consider this a workaround, since - as far as I understand - it 
makes the CSRF checks pretty much useless. *(please tell me if I get that 
wrong, I have no understanding of how such attacks actually work and therefore 
what the risk is)*
    
    
    
    oh, another side observation: my Server name (in General Settings on the WebUI) was set to `http://<public server name>` by the installer and that still is so, despite me using `https://...` only. If I change this to `https://...` the CSRF checks break again.

-- 
You received this message because you are subscribed to the Google Groups 
"reviewboard-issues" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/reviewboard-issues/20231108091448.22332.12640%40ip-10-1-54-209.ec2.internal.

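As an added example (not code from the thread, from Review Board or from Django), the following Python models the decision Django's CsrfViewMiddleware makes for a POST that carries an Origin header, using the settings from the post above; it shows that CSRF_TRUSTED_ORIGINS widens acceptance to exactly the listed origins rather than switching the check off. The IP address and host name are constructed stand-ins for the post's placeholders, and the model is simplified (no Referer fallback, no wildcard origins, no token comparison).

```python
# Constructed stand-ins for the placeholders in the post (<private instance ip>,
# <public server name>); neither value comes from the thread.
PRIVATE_INSTANCE_IP = "10.0.0.5"
PUBLIC_SERVER_NAME = "public.example"

# The poster's settings_local.py with the placeholders substituted.
ALLOWED_HOSTS = ["127.0.0.1", PRIVATE_INSTANCE_IP]
CSRF_TRUSTED_ORIGINS = [f"http://{PRIVATE_INSTANCE_IP}", f"https://{PUBLIC_SERVER_NAME}"]
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")


def request_scheme(meta):
    """Scheme Django assigns the request: the proxy header counts only because
    SECURE_PROXY_SSL_HEADER names it (nginx's proxy_set_header supplies it)."""
    header, value = SECURE_PROXY_SSL_HEADER
    return "https" if meta.get(header) == value else "http"


def allowed_host(meta):
    """Return the Host header if ALLOWED_HOSTS permits it (port ignored), else None,
    mirroring the DisallowedHost rejection Django applies before any CSRF logic."""
    host = meta.get("HTTP_HOST", "")
    return host if host.rsplit(":", 1)[0] in ALLOWED_HOSTS else None


def csrf_origin_ok(meta):
    """Decision for a POST as (allowed, reason). Simplified CsrfViewMiddleware:
    the Origin header must equal the request's own scheme://host, or be listed
    exactly in CSRF_TRUSTED_ORIGINS; anything else is rejected.

    `meta` is a dict shaped like Django's request.META (HTTP_HOST, HTTP_ORIGIN,
    HTTP_X_FORWARDED_PROTO)."""
    host = allowed_host(meta)
    if host is None:
        return False, "DisallowedHost"
    origin = meta.get("HTTP_ORIGIN")
    if origin is None:
        # Django then falls back to Referer (https only) and the token; not modelled.
        return None, "no Origin header: Referer and token checks not modelled"
    if origin == f"{request_scheme(meta)}://{host}":
        return True, "same-origin"
    if origin in CSRF_TRUSTED_ORIGINS:
        return True, "trusted origin"
    return False, "bad origin"
```

With the gateway forwarding `Host: 10.0.0.5` and nginx adding `X-Forwarded-Proto: https`, a browser POST from `https://public.example` passes only via the trusted list, while a POST from any other origin is still rejected; rewriting Host to the public name without adding it to ALLOWED_HOSTS fails before the CSRF check is reached.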