#33293: Wrong redirect behind reverse proxy
-------------------------------+--------------------------------------
     Reporter:  Rodolphe       |                    Owner:  nobody
         Type:  Uncategorized  |                   Status:  closed
    Component:  contrib.admin  |                  Version:  3.0
     Severity:  Normal         |               Resolution:  invalid
     Keywords:                 |             Triage Stage:  Unreviewed
    Has patch:  0              |      Needs documentation:  0
  Needs tests:  0              |  Patch needs improvement:  0
Easy pickings:  0              |                    UI/UX:  0
-------------------------------+--------------------------------------

Comment (by Keryn Knight):

 Whilst this isn't a support channel, I'll add some possibly helpful
 information below as a courtesy, and because who knows who else might
 stumble across this in the future.

 If your httpd (or whatever; could be a wsgi middleware etc) sets
 `SCRIPT_NAME` and `PATH_INFO` to the correct values, ''and'' (maybe; it's
 been a while) the setting
 [https://docs.djangoproject.com/en/3.2/ref/settings/#force-script-name FORCE_SCRIPT_NAME]
 to the prefix, anything that goes through
 `reverse`/`resolve` in terms of generated URLs (for `Location` redirects
 etc) should end up with the correct values.

 e.g. `return HttpResponseRedirect(reverse('admin:index', ...))` would be
 prefixed, but `return HttpResponseRedirect('/admin/')` would not.

 For transparent reverse-proxying of all URLs AFAIK you'd need further
 co-operation from either the WSGI publisher (e.g.
 [https://docs.pylonsproject.org/projects/waitress/en/latest/reverse-proxy.html?highlight=url_prefix#using-url-prefix-to-influence-script-name-and-path-info See the waitress docs for their support])
 or the fronting httpd (e.g.
 [https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypassreverse see Apache's ProxyPassReverse]).

 Please note also this gentle reminder that you should ''not'' be using
 runserver in anything ostensibly like "production" - you should be using
 something designed for the purposes, such as
 gunicorn/uwsgi/mod_wsgi/waitress/bjoern/meinheld.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/33293#comment:4>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
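
An added example, not part of the original comment or of Django's own code: a minimal WSGI middleware that moves a configured prefix from `PATH_INFO` into `SCRIPT_NAME`, and a stand-in app showing that a redirect built from the script prefix (which is what a `reverse()`-generated URL amounts to) picks up the prefix while a hardcoded `'/admin/'` does not. The names `ScriptNamePrefix`, `demo_app`, `location_for` and the `/myapp` prefix are hypothetical, and it assumes the proxy forwards the request path with the prefix intact.

```python
from wsgiref.util import setup_testing_defaults

PREFIX = "/myapp"  # assumed mount point configured on the proxy (constructed value)


class ScriptNamePrefix:
    """WSGI middleware: move a fixed prefix from PATH_INFO into SCRIPT_NAME."""

    def __init__(self, app, prefix):
        self.app = app
        self.prefix = prefix.rstrip("/")

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        # Match whole path segments only, so /myapp2/... is left untouched.
        if path == self.prefix or path.startswith(self.prefix + "/"):
            environ["SCRIPT_NAME"] = environ.get("SCRIPT_NAME", "") + self.prefix
            environ["PATH_INFO"] = path[len(self.prefix):] or "/"
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in for two views: one builds its URL from SCRIPT_NAME, one hardcodes it."""
    if environ["PATH_INFO"] == "/prefixed/":
        # Script prefix + route, as a reverse()-style URL would be built.
        target = environ.get("SCRIPT_NAME", "") + "/admin/"
    else:
        target = "/admin/"  # hardcoded string, never sees the prefix
    start_response("302 Found", [("Location", target)])
    return [b""]


def location_for(path, app):
    """Run one constructed GET request through `app`; return its Location header."""
    environ = {}
    setup_testing_defaults(environ)
    environ["SCRIPT_NAME"] = ""
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured.update(headers)

    list(app(environ, start_response))
    return captured.get("Location")


wrapped = ScriptNamePrefix(demo_app, PREFIX)
```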
