
Infinite redirects with SSL HTTPS behind NGINX reverse proxy depending on configuration #934

Closed
gregelin opened this issue Jun 12, 2020 · 2 comments · Fixed by #935

Comments

@gregelin
Contributor

gregelin commented Jun 12, 2020

Combination of SECURE_SSL_REDIRECT = True and NGINX reverse proxy passing http rewrites can lead to infinite redirects.

This is noted in the Django documentation:

If turning this to True causes infinite redirects, it probably means your site is running behind a proxy and can’t tell which requests are secure and which are not. Your proxy likely sets a header to indicate secure requests; you can correct the problem by finding out what that header is and configuring the SECURE_PROXY_SSL_HEADER setting accordingly.

Problem occurs when local/environment.json's govready-url includes scheme https:// (or deprecated "https": true) and NGINX has a redirect setting for port 80 that includes passing the $request_uri portion of the URL. It is necessary to include $request_uri in the redirect to pass invitations from HTTP to HTTPS.

Options to fix include setting a new parameter in local/environment.json:

  • "proxy": true to make sure that SECURE_SSL_REDIRECT is never set True behind a proxy.
  • "secure_ssl_redirect": false to force setting of SECURE_SSL_REDIRECT
  • "secure_ssl_redirect": true to force the setting to true when you want DJANGO to manage the redirect.
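
The redirect loop this comment describes, traced through a tiny model of the three parties involved: the browser, the NGINX proxy that terminates TLS and forwards plain `http://localhost:8000`, and the SSL-redirect branch of Django's SecurityMiddleware. This is an added example, not GovReady-Q or Django code; it needs no Django install. The function names (`settings_from_environment`, `nginx_hop`, `django_hop`, `fetch`), the `legacy` and `proxy_ssl_header` arguments and the hostname `q.example.com` are this example's own. It covers both the pre-fix behaviour (scheme `https://` in `govready-url` switching `SECURE_SSL_REDIRECT` on), the fix (default `False` with an explicit `secure_ssl_redirect` override), the `SECURE_PROXY_SSL_HEADER` route from the Django docs quoted above, and what happens to an invitation link when the port-80 redirect drops `$request_uri`.

```python
"""Model of the SECURE_SSL_REDIRECT loop behind a TLS-terminating reverse proxy.

Added example (not GovReady-Q or Django code).  The proxy and the app are small
functions so the whole exchange can be traced offline.
"""
from urllib.parse import urlsplit, urlunsplit

# Django's own defaults for the two settings the issue turns on.
DJANGO_DEFAULTS = {"SECURE_SSL_REDIRECT": False, "SECURE_PROXY_SSL_HEADER": None}


def settings_from_environment(environment, legacy=False, proxy_ssl_header=None):
    """Derive Django settings from a local/environment.json dict.

    legacy=True reproduces the pre-fix behaviour: an https:// scheme in
    govready-url (or the deprecated "https": true) switched SECURE_SSL_REDIRECT on.
    legacy=False is the fix: the setting keeps Django's default False unless
    "secure_ssl_redirect" is given explicitly.  proxy_ssl_header is the
    SECURE_PROXY_SSL_HEADER tuple from the Django docs, e.g.
    ("HTTP_X_FORWARDED_PROTO", "https"); None means the setting is unset.
    """
    url = environment.get("govready-url", "")
    site_https = urlsplit(url).scheme == "https" or environment.get("https") is True
    settings = dict(DJANGO_DEFAULTS)
    if legacy:
        settings["SECURE_SSL_REDIRECT"] = site_https
    else:
        settings["SECURE_SSL_REDIRECT"] = bool(environment.get("secure_ssl_redirect", False))
    settings["SECURE_PROXY_SSL_HEADER"] = proxy_ssl_header
    return settings


def nginx_hop(url, pass_request_uri=True, forward_proto=True):
    """One hop through the proxy.

    Port 80 answers with a 301 to https, with or without $request_uri.
    Port 443 terminates TLS and forwards the request over plain http to the app
    (proxy_pass http://localhost:8000), optionally adding X-Forwarded-Proto.
    """
    p = urlsplit(url)
    if p.scheme == "http":
        path, query = (p.path, p.query) if pass_request_uri else ("/", "")
        return "redirect", urlunsplit(("https", p.netloc, path, query, ""))
    headers = {"Host": p.netloc}
    if forward_proto:
        headers["X-Forwarded-Proto"] = "https"
    # The upstream connection is plain http: that is all the app can see.
    return "forward", {"scheme": "http", "path": p.path, "query": p.query, "headers": headers}


def django_hop(request, settings):
    """SecurityMiddleware.process_request, reduced to the SSL-redirect branch."""
    secure = request["scheme"] == "https"  # what request.is_secure() sees by default
    header = settings["SECURE_PROXY_SSL_HEADER"]
    if header is not None:
        meta_name, expected = header
        # Django exposes request headers in META as HTTP_<NAME_WITH_UNDERSCORES>.
        meta = {"HTTP_" + k.upper().replace("-", "_"): v for k, v in request["headers"].items()}
        secure = meta.get(meta_name) == expected
    if settings["SECURE_SSL_REDIRECT"] and not secure:
        host = request["headers"]["Host"]
        return "redirect", urlunsplit(("https", host, request["path"], request["query"], ""))
    return "ok", request["path"]


def fetch(url, settings, pass_request_uri=True, forward_proto=True, max_hops=5):
    """Follow redirects like a browser.  Returns (outcome, served_path, trace)."""
    trace = [url]
    for _ in range(max_hops):
        kind, payload = nginx_hop(url, pass_request_uri, forward_proto)
        if kind == "forward":
            kind, payload = django_hop(payload, settings)
        if kind == "ok":
            return "ok", payload, trace
        url = payload
        trace.append(url)
    return "loop", None, trace


if __name__ == "__main__":
    # Constructed sample: an invitation link reached over plain http first.
    env = {"govready-url": "https://q.example.com"}
    invite = "http://q.example.com/invitation/abc123"
    for label, cfg in [("pre-fix", settings_from_environment(env, legacy=True)),
                       ("fixed", settings_from_environment(env))]:
        print(label, fetch(invite, cfg))
```

Run as a script it prints the pre-fix loop (the same https URL repeated until the hop limit) and the fixed run, which ends after the single proxy redirect. The model also shows why the Django-docs route works only when the proxy actually sets the header: `secure_ssl_redirect: true` plus `SECURE_PROXY_SSL_HEADER` ends cleanly with `forward_proto=True` and loops again with `forward_proto=False`.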
@gregelin
Contributor Author

It might be best to set SECURE_SSL_REDIRECT = False in siteapp/settings.py and permit an override from "secure_ssl_redirect": true in local/environment.json file.

In non-proxy environments, HTTPS would work with SECURE_SSL_REDIRECT set to false, and HTTP settings would fail as might be expected. Users that want to redirect could search the documentation and learn of the option to redirect.

Also, in proxied environments, the redirect would be managed by the proxied environment.

And the meaning of the scheme https:// in govready-url parameter (or deprecated "https": true) would continue to be accurate.

@gregelin
Contributor Author

gregelin commented Jun 12, 2020

Changes to make:

  • Update siteapp/settings.py to conditionally look for secure_ssl_redirect parameter in Django's environment variables
  • Add comment to siteapp/settings.py explaining setting
  • Update installing GovReady-Q instructions. Be sure to include a note on infinite redirects.
  • Update nginx conf files to pass $request_uri in redirects
  • Update local-example configuration files
  • Update environment settings with secure_ssl_redirect in documentation
  • Alert colleagues

gregelin pushed a commit that referenced this issue Jun 12, 2020
Fixes two issues.

First, updates NGINX configuration files to pass $request_uri
part of URL from port 80 to port 443. Failing to pass $request_uri
tosses user (and non-users with invites) to home page rather than
requested URL.

Second, and more significantly, scheme `https` in `govready-url`
parameter was also setting `SECURE_SSL_REDIRECT` at the Django app
causing infinite redirects behind an NGINX reverse proxy that was
terminating the SSL connection and passing to local `http://localhost:8000`.
Fix was to let `SECURE_SSL_REDIRECT` remain its default `False` and
add new parameter `secure_ssl_redirect` for situations when deployment
called on Django to handle redirect.

Co-authored-by: Greg Elin <greg.elin@govready.com>