Infinite redirects with SSL HTTPS behind NGINX reverse proxy depending on configuration #934
Comments
It might be best to set In non-proxy environments, Also, in proxied environments, the redirect would be managed by the proxied environment. And the meaning of the scheme
Changes to make:
Fixes two issues. First, updates NGINX configuration files to pass $request_uri portion of URL from port 80 to port 443. Failing to pass $request_uri tosses user (and non-users with invites) to home page rather than requested url. Second, and more significantly, scheme `https` in `govready-url` parameter was also setting `SECURE_SSL_REDIRECT` at the Django app causing infinite redirects behind an NGINX reverse proxy that was terminating the SSL connection and passing to local `http://localhost:8000`. Fix was to let `SECURE_SSL_REDIRECT` remain its default `False` and add new parameter `secure_ssl_redirect` for situations when deployment called on Django to handle redirect.
Co-authored-by: Greg Elin <greg.elin@govready.com>
Combination of `SECURE_SSL_REDIRECT = True` and NGINX reverse proxy passing http rewrites can lead to infinite redirects. This is noted in Django documentation.

Problem occurs when `local/environment.json`'s `govready-url` includes scheme `https://` (or deprecated `"https": true`) and NGINX has a redirect setting for port 80 that includes passing the `$request_uri` portion of the URL. It is necessary to include `$request_uri` in the redirect to pass invitations from `HTTP` to `HTTPS`.

Options to fix include setting a new parameter in `local/environment.json`:

- `"proxy": true` to make sure that `SECURE_SSL_REDIRECT` is never set True behind a proxy.
- `"secure_ssl_redirect": false` to force setting of `SECURE_SSL_REDIRECT`
- `"secure_ssl_redirect": true` to force setting to true when you want DJANGO to manage the redirect.
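
The redirect loop and the fix described in this issue, modeled in plain Python as an added example (not GovReady's code and not part of the original thread). The function names, the `example.test` host and the hop limit are assumptions; NGINX and Django are simulated, not imported.

```python
# Added illustration: a pure-Python model of the two hops in this issue.
# Function names and the example.test host are hypothetical (constructed).
from urllib.parse import urlsplit

def secure_ssl_redirect(env, fixed=True):
    """Derive Django's SECURE_SSL_REDIRECT from local/environment.json values.

    fixed=False models the old behaviour: an https scheme in govready-url
    (or the deprecated "https": true) switched the redirect on.
    fixed=True models the fix: default False, opt in only through the
    new "secure_ssl_redirect" parameter.
    """
    if fixed:
        return bool(env.get("secure_ssl_redirect", False))
    https_scheme = urlsplit(env.get("govready-url", "")).scheme == "https"
    return https_scheme or env.get("https") is True

def nginx(url):
    """Port 80 block: redirect to https and keep the request URI.
    Port 443 block: terminate TLS and proxy to the backend (returns None)."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        return 301, parts._replace(scheme="https").geturl()
    return None

def django(url, ssl_redirect):
    """Backend is reached over http://localhost:8000, so every proxied
    request looks insecure to it, even when the browser used https."""
    if ssl_redirect:
        return 301, url  # redirect to the https URL the browser already used
    return 200, url

def follow(start_url, env, fixed=True, max_hops=10):
    """Follow redirects like a browser; return (status, final_url, hops)."""
    redirect = secure_ssl_redirect(env, fixed)
    url, hops = start_url, 0
    while hops < max_hops:
        hops += 1
        status, url = nginx(url) or django(url, redirect)
        if status == 200:
            return status, url, hops
    return 301, url, hops  # still redirecting: the loop from the issue

if __name__ == "__main__":
    env = {"govready-url": "https://example.test"}  # constructed sample
    print(follow("http://example.test/invite/abc", env, fixed=False))
    print(follow("http://example.test/invite/abc", env, fixed=True))
```

Passing `"secure_ssl_redirect": true` in `env` with `fixed=True` reproduces the loop in this model, which is why that option is meant for deployments where Django, not the proxy, handles the redirect.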