[patchew-devel] Re: [PATCH] use X-Forwarded-Host header in HttpRequest.get_host()/get_port()
- From: Paolo Bonzini <pbonzini@xxxxxxxxxx>
- To: patchew-devel@xxxxxxxxxxxxx, Fam Zheng <famz@xxxxxxxxxx>
- Date: Wed, 28 Feb 2018 16:39:57 +0100
On 28/02/2018 16:13, Fam Zheng wrote:
> For the former, I wonder what the risks are of unconditionally doing
> ALLOWED_HOSTS = ["*"]
Django documentation says that "a fake Host value can be used for
Cross-Site Request Forgery, cache poisoning attacks, and poisoning links
in emails".
But I agree that it's okay for Patchew to set ALLOWED_HOSTS = ["*"],
with a comment that points to server_name in patchew-server.nginx.conf
as the right place for configuring patchew.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $host;
# enable this if and only if you use HTTPS
# proxy_set_header X-Forwarded-Proto https;
proxy_set_header Host localhost;
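Review bot: with `proxy_set_header Host localhost;` left in place, the backend keeps seeing `localhost` as the Host unless it is configured to honour X-Forwarded-Host, and once ALLOWED_HOSTS is `["*"]` nothing on the Django side checks the forwarded value, so the `server_name` of this nginx server block becomes the only host check; a comment beside the new `X-Forwarded-Host` line saying so, and noting that `server_name` must then be explicit rather than a catch-all, would help whoever deploys this file.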
> Actually, why not just change this to:
> proxy_set_header Host $host;
That probably works too.
Paolo
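To make the trade-off in this thread concrete, here is an added example (not patchew or Django code) that models how Django's host matching rules interact with ALLOWED_HOSTS and USE_X_FORWARDED_HOST behind the nginx snippet quoted above; the proxy and backend helpers and the `patchew.org` / `spoofed.example` host names are assumptions made for the illustration.

```python
"""Model of Django's host validation behind the nginx snippet above.

Added illustration, not patchew or Django code. validate_host() mirrors the
matching rules of django.http.request.validate_host; nginx_forward() and
get_host() are assumptions modelling only the headers discussed in the thread.
"""
from typing import Optional


def validate_host(host: str, allowed_hosts: list) -> bool:
    """Django's rules: "*" matches anything, ".example.org" matches the
    domain and every subdomain, any other pattern must match exactly."""
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*" or pattern == host:
            return True
        if pattern.startswith(".") and (host == pattern[1:] or host.endswith(pattern)):
            return True
    return False


def nginx_forward(client_host: str, fixed_host: Optional[str] = "localhost") -> dict:
    """Headers the backend receives. As patched, Host is the hard-coded
    'localhost' and X-Forwarded-Host carries nginx's $host, which comes from
    the client's own Host header. fixed_host=None models 'Host $host;'."""
    return {"Host": fixed_host or client_host, "X-Forwarded-Host": client_host}


def get_host(headers: dict, allowed_hosts: list, use_x_forwarded_host: bool) -> str:
    """Simplified HttpRequest.get_host(): honour X-Forwarded-Host only when
    USE_X_FORWARDED_HOST is on, strip the port (IPv6 literals not modelled),
    then validate against ALLOWED_HOSTS, raising on a mismatch."""
    if use_x_forwarded_host and "X-Forwarded-Host" in headers:
        raw = headers["X-Forwarded-Host"]
    else:
        raw = headers["Host"]
    domain = raw.split(":")[0].lower()
    if not validate_host(domain, allowed_hosts):
        raise ValueError(f"Invalid HTTP_HOST header: {raw!r}")
    return domain


def seen_host(allowed_hosts, use_x_forwarded_host, client_host, fixed_host="localhost"):
    """Host name the application would build links from, or None if rejected."""
    try:
        return get_host(nginx_forward(client_host, fixed_host), allowed_hosts, use_x_forwarded_host)
    except ValueError:
        return None


if __name__ == "__main__":
    # Before the patch every link is built from 'localhost'; after it, with
    # ALLOWED_HOSTS = ["*"], whatever Host the client sent is accepted and the
    # nginx server_name is the only check left; a concrete pattern keeps Django's.
    print(seen_host(["*"], False, "patchew.org"))                # localhost
    print(seen_host(["*"], True, "spoofed.example"))             # spoofed.example
    print(seen_host([".patchew.org"], True, "spoofed.example"))  # None
```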