Django Strategy: support for X-Forwarded-* headers #741
Description: This PR adds support for getting host and port from X-Forwarded-* headers, if they are available.
Related: edx/edx-solutions-edx-platform#530, https://github.com/edx/edx-platform/pull/9848
Motivation: If an application using PSA is running behind a reverse proxy on a non-standard port, PSA (python-saml, to be precise) fails to check the SAML assertion response with the message "Authentication failed: SAML login failed: ['invalid_response'] The response was received at http://host:port instead of http://host".
A common way of passing the original host and port to a proxied app is using X-Forwarded-* headers. Some webservers (e.g. gunicorn) already respect those headers and pass them to Django as the "real" host and port (i.e. `request.get_host()` and `request.META['SERVER_PORT']` actually return the X-Forwarded-Host and X-Forwarded-Port values). Other webservers (e.g. the Django dev server, nginx(?)) do not do so. This PR adds a web-server-agnostic way to use PSA behind a reverse proxy.
Author concerns:
1.1. It is already working fine; clients should either use webservers that respect X-Forwarded-* headers, or solve this issue in some other, non-PSA-related way.
1.2. Clients should provide a custom strategy with `request_host` and `request_port` overridden (i.e. follow the same approach as in https://github.com/edx/edx-platform/pull/9848).
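Added example, not code from this PR or from python-social-auth: a Django-strategy-style helper that takes host and port from X-Forwarded-Host / X-Forwarded-Port as the PR describes, and builds the URL python-saml would expect the response at. Because those headers are client-supplied unless the proxy overwrites them, it honours them only behind an explicit opt-in (the role Django's USE_X_FORWARDED_HOST setting plays) and checks the result against an ALLOWED_HOSTS-style list; the function names and the sample META dict are this example's own.

```python
from typing import Iterable, Mapping, Tuple

DEFAULT_PORTS = {"http": "80", "https": "443"}

# Constructed request META as a WSGI server would expose it behind a proxy.
SAMPLE_META = {"HTTP_HOST": "app.internal:8000", "SERVER_PORT": "8000",
               "HTTP_X_FORWARDED_HOST": "sso.example.org",
               "HTTP_X_FORWARDED_PORT": "443"}


def _first(value: str) -> str:
    # A proxy chain may append ("a, b"); the left-most entry is the client's.
    return value.split(",")[0].strip()


def _host_allowed(host: str, allowed_hosts: Iterable[str]) -> bool:
    # Same rule as Django's ALLOWED_HOSTS: exact match, or a leading-dot
    # pattern (".example.org") matching the domain and any subdomain.
    host = host.lower().rstrip(".")
    for pattern in (p.lower() for p in allowed_hosts):
        if pattern in ("*", host):
            return True
        if pattern.startswith(".") and (host == pattern[1:] or host.endswith(pattern)):
            return True
    return False


def external_host_port(meta: Mapping[str, str], allowed_hosts: Iterable[str],
                       trust_forwarded: bool) -> Tuple[str, str]:
    """(host, port) as the browser saw them. trust_forwarded=False ignores the
    X-Forwarded-* headers entirely, so a client that reaches the app directly
    cannot choose the host or port the SAML response is validated against."""
    host = meta.get("HTTP_HOST", "")
    port = str(meta.get("SERVER_PORT", ""))
    if trust_forwarded:
        if meta.get("HTTP_X_FORWARDED_HOST"):
            host = _first(meta["HTTP_X_FORWARDED_HOST"])
        if meta.get("HTTP_X_FORWARDED_PORT"):
            port = _first(meta["HTTP_X_FORWARDED_PORT"])
    # "example.org:8443" carries its own port; an IPv6 literal is bracketed
    # ("[::1]:8443"), so the last colon is still the host/port separator.
    if host.count(":") == 1 or (host.startswith("[") and "]:" in host):
        host, _, port = host.rpartition(":")
    if not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError("invalid port: %r" % port)
    if not _host_allowed(host, allowed_hosts):
        raise ValueError("host not in allowed_hosts: %r" % host)
    return host, port


def acs_url(meta, allowed_hosts, trust_forwarded, scheme="https", path="/complete/saml/"):
    """URL the SAML response is expected at; default ports are dropped so it
    matches the IdP configuration (http://host rather than http://host:port)."""
    host, port = external_host_port(meta, allowed_hosts, trust_forwarded)
    netloc = host if DEFAULT_PORTS[scheme] == port else "%s:%s" % (host, port)
    return "%s://%s%s" % (scheme, netloc, path)
```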