Majic Projects ~ [CLOSED] MAR-42 - WSGI website role does not configure Nginx to pass protocol information to WSGI server

Majic Projects

Majic Ansible Roles

Projects
Wiki
- Quick links
- Wiki
- Project wikis
- Conntrackt
- Django Pydenticon
- Gimmecert
- Majic Ansible Roles
- Pydenticon
- Scripts
- Global content

Majic Ansible Roles / Closed Bug report MAR-42 WSGI website role does not configure Nginx to pass protocol information to WSGI server

This issue has been closed with status "Closed" and resolution "RESOLVED".

- No additional actions available

Issue basics

Type of issue

Bug report Unknown issue type
Issue label

No label set
Category

Security Not determined
Targetted for

1.0.0 Not determined
Status

Closed

Status not determined
Progress
Priority

Critical Not determined

Affected by this issue (0)

There are no items

People involved

Posted by
branko (@branko)

Branko Majic
@branko

Last seen online at Apr 15, 2024 - 10:15

Show user details
Owned by

Not owned by anyone
Assigned to
branko (@branko)

Branko Majic
@branko

Last seen online at Apr 15, 2024 - 10:15

Show user details
Not assigned to anyone
Subscribers

0 subscriber(s)

Click here to show the list of subscribers

Times and dates

Posted at

Oct 28, 2015
Last updated

Jan 20, 2016
Estimated time

1 hour Not estimated
Time spent

No time spent

Click here to see time logged against this issue

Issue details

Resolution

RESOLVED Not determined
Reproducability

Always Not determined
Severity

Not determined

Attachments (0)

There is nothing attached to this issue

Child issues (0)

This issue does not have any child issues

Duplicate issues (0)

This issue does not have any duplicates

Show / hide more details »

Description

The WSGI website role does not configure the Nginx virtual host to pass on the protocol information ('''X-Forwarded-Proto''') on to the WSGI server.

As a consequence, the application served by the WSGI web server will not know whether to generate HTTP or HTTPS URLs and redirects. This is a serious security issue!

The virtual host should be configured with the following option set for proxying:

proxy_set_header X-Forwarded-Proto $scheme;

Steps to reproduce this issue

# Deploy Django Wiki as described in the usage instructions.
# Try accessing the page https://wiki.example.com/ with a browser (make sure you are not logged-in).

Expected results
# You are redirected to the page stating that the root page is still missing, and that you need to log-in and set it.
# The page is served via '''HTTPS'''.

Expected results
# You are redirected to the page stating that the root page is still missing, and that you need to log-in and set it.
# The page is served via '''HTTP'''!

Todos (0 / 0)

Options

Issue created

Welcome to The Bug Genie

Log in with your username and password