From e2dd61af66bd88c18eda1b7a96689e0476a2a510 Mon Sep 17 00:00:00 2001
From: tcely
Date: Thu, 27 Feb 2025 08:43:14 -0500
Subject: [PATCH 1/3] Pass through forwarded Host & Port
---
 config/root/etc/nginx/nginx.conf | 36 +++++++++++++++++++++++++++++++-
 1 file changed, 35 insertions(+), 1 deletion(-)
diff --git a/config/root/etc/nginx/nginx.conf b/config/root/etc/nginx/nginx.conf
index f09c02e1..1ccc5046 100644
--- a/config/root/etc/nginx/nginx.conf
+++ b/config/root/etc/nginx/nginx.conf
@@ -50,6 +50,38 @@ http {
 gzip_http_version 1.1;
 gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+ # X-Forwarded-Host (pass-through, or set)
+ map $http_x_forwarded_host $x_forwarded_host {
+ default $http_x_forwarded_host;
+ "" $http_host;
+ }
+
+ # X-Forwarded-Proto (pass-through, or set)
+ map $http_x_forwarded_proto $x_forwarded_proto {
+ default $http_x_forwarded_proto;
+ "" $scheme;
+ }
+
+ # Set the default port based on X-Forwarded-Proto
+ map $x_forwarded_proto $default_http_port {
+ default 80;
+ "https" 443;
+ }
+
+ # Extract the remote port from the HTTP Host header.
+ # Uses default_http_port from above,
+ # when no port was found in the header.
+ map $http_host $x_remote_port {
+ default $default_http_port;
+ "~^[^\:]+:(?

\d+)$" $p;
+ }
+
+ # X-Forwarded-Port (pass-through, or set)
+ map $http_x_forwarded_port $x_forwarded_port {
+ default $http_x_forwarded_port;
+ "" $x_remote_port;
+ }
+
 # Site
 server {
@@ -72,7 +104,9 @@ http {
 location / {
 proxy_pass http://127.0.0.1:8080;
 proxy_set_header Host localhost;
- proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $x_forwarded_host;
+ proxy_set_header X-Forwarded-Port $x_forwarded_port;
+ proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_redirect off;
From beeaafe2464f310104cab3e6393af5bb20e5bc25 Mon Sep 17 00:00:00 2001
From: tcely
Date: Thu, 27 Feb 2025 08:51:09 -0500
Subject: [PATCH 2/3] Use the values from `nginx` for CSRF Origin checks
---
 tubesync/tubesync/settings.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/tubesync/tubesync/settings.py b/tubesync/tubesync/settings.py
index c9332fcd..a9f4061c 100644
--- a/tubesync/tubesync/settings.py
+++ b/tubesync/tubesync/settings.py
@@ -119,6 +119,8 @@ Disallow: /
 '''.strip()
+USE_X_FORWARDED_HOST = True
+USE_X_FORWARDED_PORT = True
 X_FRAME_OPTIONS = 'SAMEORIGIN'
From e04562d8befbd1d60d8f8fb21b7906a7138b8c9b Mon Sep 17 00:00:00 2001
From: tcely
Date: Thu, 27 Feb 2025 08:59:21 -0500
Subject: [PATCH 3/3] Add the port to the Host header
Without this, port 80 may be assumed, which would be incorrect.
---
 config/root/etc/nginx/nginx.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/root/etc/nginx/nginx.conf b/config/root/etc/nginx/nginx.conf
index 1ccc5046..8a132d34 100644
--- a/config/root/etc/nginx/nginx.conf
+++ b/config/root/etc/nginx/nginx.conf
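Review bot: The pass-through maps added to nginx.conf in patch 1/3 (`$x_forwarded_host`, `$x_forwarded_proto`, `$x_forwarded_port`, hunk `@@ -50,6 +50,38 @@`) forward whatever value the client sent, with no check that the request came from a proxy trusted to set those headers. The `proxy_set_header` lines in hunk `@@ -72,7 +104,9 @@` then hand these values to the backend, and patch 2/3 makes Django act on them, so a client that reaches this nginx directly chooses the host, port and scheme the application believes it is served on. That is harmless only if a front-end proxy always overwrites the headers, which nothing in the visible lines enforces. I would gate the pass-through on the peer address with a `geo` block and a combined map key, falling back to `$http_host` / `$scheme` / the derived port for every other peer; the trusted list would need to be configurable per deployment.

```nginx
# Constructed example: peers allowed to supply X-Forwarded-* (placeholder address).
geo $trusted_proxy {
    default 0;
    192.0.2.10 1;  # placeholder: address of the front-end reverse proxy
}

# X-Forwarded-Host (pass-through from a trusted proxy only, otherwise set)
map "$trusted_proxy:$http_x_forwarded_host" $x_forwarded_host {
    default $http_host;
    "~^1:(?<fwd_host>.+)$" $fwd_host;
}

# … unchanged in shape: apply the same "$trusted_proxy:" key to the
#    $x_forwarded_proto and $x_forwarded_port maps …
```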
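Review bot: The two settings added to tubesync/tubesync/settings.py in patch 2/3 carry no comment stating the deployment assumption they depend on. With `USE_X_FORWARDED_HOST = True`, Django takes the host from X-Forwarded-Host instead of Host, so `ALLOWED_HOSTS` (not visible in this hunk) becomes the only validation of that value; if it is a wildcard, the forwarded host is accepted as given. I would add above them `# Trusted only because the bundled nginx (config/root/etc/nginx/nginx.conf) always sets X-Forwarded-Host/Port;` and `# the app on 127.0.0.1:8080 must never be reachable without it, and ALLOWED_HOSTS should stay restrictive.`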
@@ -103,7 +103,7 @@ http {
 # Authentication and proxying
 location / {
 proxy_pass http://127.0.0.1:8080;
- proxy_set_header Host localhost;
+ proxy_set_header Host localhost:8080;
 proxy_set_header X-Forwarded-Host $x_forwarded_host;
 proxy_set_header X-Forwarded-Port $x_forwarded_port;
 proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
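Review bot: The new `proxy_set_header Host localhost:8080;` line hard-codes the same port as the `proxy_pass` line above it and has no comment saying when the backend actually reads it. Given `USE_X_FORWARDED_HOST = True` from patch 2/3, Django should prefer X-Forwarded-Host, so this value presumably matters only when `$x_forwarded_host` is empty (nginx does not pass a header whose value is an empty string, for example when the client sent no Host header). I would add `# Fallback only: the backend prefers X-Forwarded-Host; keep this port in sync with proxy_pass.` above the line. The enclosing `location /` block continues outside the hunk.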