Merge pull request #786 from tcely/django-5-csrf

CSRF Fixes for Django 5.1
2025-06-22 04:56:35 +00:00 · 2025-02-28 06:08:32 +11:00 · 2025-02-28 06:08:32 +11:00 · 545b039fe9
commit 545b039fe9
parent e33d30a3d7 e04562d8be
2 changed files with 38 additions and 2 deletions
--- a/config/root/etc/nginx/nginx.conf
+++ b/config/root/etc/nginx/nginx.conf
@ -50,6 +50,38 @@ http {
  gzip_http_version 1.1;
  gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

+    # X-Forwarded-Host (pass-through, or set)
+    map $http_x_forwarded_host $x_forwarded_host {
+        default $http_x_forwarded_host;
+        ""      $http_host;
+    }
+
+    # X-Forwarded-Proto (pass-through, or set)
+    map $http_x_forwarded_proto $x_forwarded_proto {
+        default $http_x_forwarded_proto;
+        ""      $scheme;
+    }
+
+    # Set the default port based on X-Forwarded-Proto
+    map $x_forwarded_proto $default_http_port {
+        default 80;
+        "https" 443;
+    }
+ 
+    # Extract the remote port from the HTTP Host header.
+    # Uses default_http_port from above,
+    #     when no port was found in the header.
+    map $http_host $x_remote_port {
+        default                 $default_http_port;
+        "~^[^\:]+:(?<p>\d+)$"   $p;
+    }
+
+    # X-Forwarded-Port (pass-through, or set)
+    map $http_x_forwarded_port $x_forwarded_port {
+        default $http_x_forwarded_port;
+        ""      $x_remote_port;
+    }
+
    # Site
    server {

@ -71,8 +103,10 @@ http {
        # Authentication and proxying
        location / {
            proxy_pass http://127.0.0.1:8080;
-            proxy_set_header Host localhost;
-            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header Host localhost:8080;
+            proxy_set_header X-Forwarded-Host $x_forwarded_host;
+            proxy_set_header X-Forwarded-Port $x_forwarded_port;
+            proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_redirect off;
--- a/tubesync/tubesync/settings.py
+++ b/tubesync/tubesync/settings.py
@ -119,6 +119,8 @@ Disallow: /
 '''.strip()


+USE_X_FORWARDED_HOST = True
+USE_X_FORWARDED_PORT = True
 X_FRAME_OPTIONS = 'SAMEORIGIN'