Bug report MAR-42: WSGI website role does not configure Nginx to pass protocol information to WSGI server
This issue has been closed with status "Closed" and resolution "RESOLVED".
Issue basics
  • Type of issue
    Bug report
  • Category
    Security
  • Targeted for
    1.0.0
  • Status
    Closed
  • Priority
    Critical
User pain
  • Type of bug
    Not triaged
  • Likelihood
    Not triaged
  • Effect
    Not triaged
Times and dates
  • Estimated time
    1 hour
  • Time spent
    No time spent
Issue details
  • Resolution
    RESOLVED
  • Reproducibility
    Always
  • Severity
    Not determined
Description
The WSGI website role does not configure the Nginx virtual host to pass the protocol information ('''X-Forwarded-Proto''') on to the WSGI server.

As a consequence, the application served by the WSGI web server will not know whether to generate HTTP or HTTPS URLs and redirects. This is a serious security issue!

The virtual host should be configured with the following option set for proxying:

proxy_set_header X-Forwarded-Proto $scheme;
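As an added illustration (not code from this ticket or from the Majic Ansible roles), a minimal WSGI app that builds an absolute redirect from `wsgi.url_scheme`, next to a middleware that honours `X-Forwarded-Proto` only when the request comes from the trusted proxy; the host name, redirect path and proxy address are assumed values:

```python
# Added example, not code from the MAR-42 ticket or the Majic Ansible roles.
# It shows why a WSGI app behind Nginx emits HTTP redirects when X-Forwarded-Proto
# is not forwarded, and a small middleware that restores the scheme when it is.
# The host, redirect path and proxy address below are constructed for illustration.

def build_redirect_location(environ, path):
    # Absolute redirect URLs are built from wsgi.url_scheme, which reflects the
    # plain-HTTP hop between Nginx and the WSGI server, not the browser's scheme.
    return f"{environ['wsgi.url_scheme']}://{environ['HTTP_HOST']}{path}"

class ForwardedProtoMiddleware:
    """Copy X-Forwarded-Proto into wsgi.url_scheme, but only for requests that
    arrive from the trusted reverse proxy, so a client cannot spoof the header."""

    def __init__(self, app, trusted_proxies=("127.0.0.1",)):
        self.app = app
        self.trusted_proxies = set(trusted_proxies)

    def __call__(self, environ, start_response):
        if environ.get("REMOTE_ADDR") in self.trusted_proxies:
            proto = environ.get("HTTP_X_FORWARDED_PROTO", "").strip().lower()
            if proto in ("http", "https"):
                environ["wsgi.url_scheme"] = proto
        return self.app(environ, start_response)

def wiki_app(environ, start_response):
    # Stand-in for the wiki: the root page is missing, so redirect to a
    # hypothetical login page using an absolute URL.
    if environ.get("PATH_INFO", "/") == "/":
        location = build_redirect_location(environ, "/accounts/login/")
        start_response("302 Found", [("Location", location)])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]

def proxied_request(app, forwarded_proto=None, remote_addr="127.0.0.1"):
    """Build the environ the WSGI server sees behind Nginx (always plain HTTP)
    and return (status, Location header) of the app's response."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "REMOTE_ADDR": remote_addr,
               "HTTP_HOST": "wiki.example.com", "wsgi.url_scheme": "http"}
    if forwarded_proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto  # from proxy_set_header
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["location"] = dict(headers).get("Location")

    list(app(environ, start_response))
    return captured["status"], captured["location"]
```

With Django the same effect is obtained by setting SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https') once Nginx forwards the header.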
Steps to reproduce this issue
# Deploy Django Wiki as described in the usage instructions.
# Try accessing the page https://wiki.example.com/ with a browser (make sure you are not logged in).

Expected results
# You are redirected to the page stating that the root page is still missing, and that you need to log in and set it.
# The page is served via '''HTTPS'''.

Actual results
# You are redirected to the page stating that the root page is still missing, and that you need to log in and set it.
# The page is served via '''HTTP'''!