Changes between Initial Version and Version 1 of Ticket #27961, comment 5


Ignore:
Timestamp:
Mar 23, 2017, 11:08:09 AM (8 years ago)
Author:
Tim Graham

Legend:

Unmodified
Added
Removed
Modified
  • Ticket #27961, comment 5

    initial v1  
    1 Replying to [comment:4 Tim Graham]:
    2 > So case 1 is the bug case and in your settings you have `SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', None)`? I can't see from the documentation what a `None` value there is supposed to do.
    3 
    4 Sorry, I forgot that it is SECURE_PROXY_SSL_HEADER setting. Re-updated my main ticket.
    5 There're 2 bug cases:
     1There are 2 bug cases:
    62- In case 1, with no Django complain, user don't know whether his/her setting is correct and whether the HTTPS setup correctly.
    7 - I case 4, using a custom header by admin, a MITM may happen by:
    8 user -- HTTP -- MITM(retrive password, set header: `HTTP_X_FORWARDED_PROTO: https`) -- nginx(header: `HTTP_X_FORWARDED_PROTO: https`, set header: `HTTP_X_FORWARDED_PROOO: http`) -- gunicorn(Pass, no user redirect because `HTTP_X_FORWARDED_PROTO == https`) -- Django(`is_secure() == True` because there's no `else clause`).
     3- In case 4, using a custom header by admin, a MITM may happen by:
     4user -- HTTP -- MITM(retrive password, set header: `HTTP_X_FORWARDED_PROTO: https`) -- nginx(header: `HTTP_X_FORWARDED_PROTO: https`, set header: `HTTP_X_FORWARDED_PROOO: http`) -- gunicorn(Pass, no user redirect because `HTTP_X_FORWARDED_PROTO == https`) -- Django(`is_secure() == True` because there's no `else` clause).
Back to Top