Re: [Django] #6880: django.http.get_host() breaks reverse proxying on apache

2011-09-11 Thread Django
#6880: django.http.get_host() breaks reverse proxying on apache
-------------------------------------+-------------------------------------
               Reporter:  Kellen     |          Owner:  nobody
                   Type:  Bug        |         Status:  closed
              Milestone:             |      Component:  HTTP handling
                Version:  SVN        |       Severity:  Normal
             Resolution:  fixed      |       Keywords:  redirect
           Triage Stage:  Design     |  httpresponseredirect get_host
  decision needed                    |  reverse proxy squid apache
    Needs documentation:  0          |      Has patch:  1
Patch needs improvement:  0          |    Needs tests:  1
                  UI/UX:  0          |  Easy pickings:  0
-------------------------------------+-------------------------------------
Changes (by carljm):

 * status:  new => closed
 * resolution:   => fixed


Comment:

 This was just fixed in trunk in r16758 as a potential security issue (and
 backported in 1.2.7 and 1.3.1); the fix is the same as that proposed here
 (USE_X_FORWARDED_HOST setting, defaults to False).

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-updates?hl=en.



Re: [Django] #6880: django.http.get_host() breaks reverse proxying on apache

2011-09-10 Thread Django
#6880: django.http.get_host() breaks reverse proxying on apache
-------------------------------------+-------------------------------------
               Reporter:  Kellen     |          Owner:  nobody
                   Type:  Bug        |         Status:  new
              Milestone:             |      Component:  HTTP handling
                Version:  SVN        |       Severity:  Normal
             Resolution:             |       Keywords:  redirect
           Triage Stage:  Design     |  httpresponseredirect get_host
  decision needed                    |  reverse proxy squid apache
    Needs documentation:  0          |      Has patch:  1
Patch needs improvement:  0          |    Needs tests:  1
                  UI/UX:  0          |  Easy pickings:  0
-------------------------------------+-------------------------------------

Comment (by Kellen):

 Actually, I'm not sure why the patch wouldn't work for a double layer of
 proxies.

 front.com/ is rewritten to middle.com/app/, which is rewritten to
 back.com/back/app/

 A redirect from back.com will point to back.com/back/app/redir/ which
 should be rewritten to middle.com/app/redir/ and then rewritten to
 front.com/redir/ by ProxyPassReverse on middle.com and front.com,
 respectively. That is to say: it would work like a normal apache instance,
 where the host to which a redirect is issued is the current host.

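Added illustration (not part of the ticket thread, and not Django or Apache code): a simplified Python model of the two-proxy chain described in the comment above, combined with the opt-in `USE_X_FORWARDED_HOST` behaviour the thread settles on. `ProxyPassReverse` is modelled as a plain prefix substitution on the `Location` header; the `http://` scheme, the `META` values and all helper names are assumptions.

```python
# Added illustration; not Django's or Apache's code. Hostnames come from the
# thread; ProxyPassReverse is modelled as a plain prefix substitution.

def get_host(meta, use_x_forwarded_host=False):
    """Pick the host for absolute URLs; the forwarded header is opt-in."""
    if use_x_forwarded_host and "HTTP_X_FORWARDED_HOST" in meta:
        return meta["HTTP_X_FORWARDED_HOST"]
    return meta["HTTP_HOST"]

def proxy_pass_reverse(location, backend_prefix, public_prefix):
    """Rewrite a Location header only when it points at the proxied backend."""
    if location.startswith(backend_prefix):
        return public_prefix + location[len(backend_prefix):]
    return location  # no match: the header passes through untouched

# Proxy layers from the thread, innermost first: (backend prefix, public prefix)
LAYERS = [
    ("http://back.com/back/app/", "http://middle.com/app/"),
    ("http://middle.com/app/", "http://front.com/"),
]

def client_sees(meta, path, use_x_forwarded_host):
    """Location header that reaches the browser after both proxies."""
    location = "http://%s%s" % (get_host(meta, use_x_forwarded_host), path)
    for backend_prefix, public_prefix in LAYERS:
        location = proxy_pass_reverse(location, backend_prefix, public_prefix)
    return location

# Constructed request environ, as the process behind both proxies would see it.
META = {"HTTP_HOST": "back.com", "HTTP_X_FORWARDED_HOST": "front.com"}

if __name__ == "__main__":
    print(client_sees(META, "/back/app/redir/", False))
    print(client_sees(META, "/back/app/redir/", True))
```

With the header ignored, each layer's mapping matches in turn and the browser is sent to `http://front.com/redir/`. With the header trusted, the redirect names `front.com` but keeps the backend path, so neither mapping matches and `/back/app/` reaches the client.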



Re: [Django] #6880: django.http.get_host() breaks reverse proxying on apache

2011-09-10 Thread Django
#6880: django.http.get_host() breaks reverse proxying on apache
-------------------------------------+-------------------------------------
               Reporter:  Kellen     |          Owner:  nobody
                   Type:  Bug        |         Status:  new
              Milestone:             |      Component:  HTTP handling
                Version:  SVN        |       Severity:  Normal
             Resolution:             |       Keywords:  redirect
           Triage Stage:  Design     |  httpresponseredirect get_host
  decision needed                    |  reverse proxy squid apache
    Needs documentation:  0          |      Has patch:  1
Patch needs improvement:  0          |    Needs tests:  1
                  UI/UX:  0          |  Easy pickings:  0
-------------------------------------+-------------------------------------

Comment (by aaugustin):

 Replying to [comment:11 bastiao]:
 > The patch does not work with two apache (rewrite rules)
 > Apache -> Another Apache -> django server

 As explained in the docs (after applying the patch), the patch fixes
 redirects with any number of '''properly configured''' proxies, because
 each proxy rewrites the ``Location`` header appropriately.

 Of course, I may have missed something. If so, please provide some
 evidence :)




Re: [Django] #6880: django.http.get_host() breaks reverse proxying on apache

2011-09-10 Thread Django
#6880: django.http.get_host() breaks reverse proxying on apache
-------------------------------------+-------------------------------------
               Reporter:  Kellen     |          Owner:  nobody
                   Type:  Bug        |         Status:  new
              Milestone:             |      Component:  HTTP handling
                Version:  SVN        |       Severity:  Normal
             Resolution:             |       Keywords:  redirect
           Triage Stage:  Design     |  httpresponseredirect get_host
  decision needed                    |  reverse proxy squid apache
    Needs documentation:  0          |      Has patch:  1
Patch needs improvement:  0          |    Needs tests:  1
                  UI/UX:  0          |  Easy pickings:  0
-------------------------------------+-------------------------------------

Comment (by Kellen):

 Wouldn't having two levels of apache proxies be pretty uncommon? Wouldn't
 it be better for these users to face up to having an odd setup rather than
 forcing everyone doing a single level of proxying to adjust for these
 uncommon use cases?




Re: [Django] #6880: django.http.get_host() breaks reverse proxying on apache

2011-09-10 Thread Django
#6880: django.http.get_host() breaks reverse proxying on apache
-------------------------------------+-------------------------------------
               Reporter:  Kellen     |          Owner:  nobody
                   Type:  Bug        |         Status:  new
              Milestone:             |      Component:  HTTP handling
                Version:  SVN        |       Severity:  Normal
             Resolution:             |       Keywords:  redirect
           Triage Stage:  Design     |  httpresponseredirect get_host
  decision needed                    |  reverse proxy squid apache
    Needs documentation:  0          |      Has patch:  1
Patch needs improvement:  0          |    Needs tests:  1
                  UI/UX:  0          |  Easy pickings:  0
-------------------------------------+-------------------------------------
Changes (by bastiao):

 * ui_ux:   => 0
 * easy:   => 0


Comment:

 The patch does not work with two apache (rewrite rules)
 Apache -> Another Apache -> django server

 It can happen in enterprises with different levels of security. Is there
 any way to extract the exact address?
 For people with the same problem I suggest writing a function that imports
 the site url from settings for the production environment.




Re: [Django] #6880: django.http.get_host() breaks reverse proxying on apache

2011-04-01 Thread Django
#6880: django.http.get_host() breaks reverse proxying on apache
-------------------------------------+-------------------------------------
               Reporter:  Kellen     |        Owner:  nobody
                   Type:  Bug        |       Status:  new
              Milestone:             |    Component:  HTTP handling
                Version:  SVN        |     Severity:  Normal
             Resolution:             |     Keywords:  redirect
           Triage Stage:  Design     |  httpresponseredirect get_host
  decision needed                    |  reverse proxy squid apache
    Needs documentation:  0          |    Has patch:  1
Patch needs improvement:  0          |  Needs tests:  1
-------------------------------------+-------------------------------------
Changes (by julien):

 * type:   => Bug
 * severity:   => Normal
 * needs_tests:  0 => 1





Re: [Django] #6880: django.http.get_host() breaks reverse proxying on apache

2011-02-12 Thread Django
#6880: django.http.get_host() breaks reverse proxying on apache
--------------------------------------------------+-------------------------
               Reporter:  Kellen                  |        Owner:  nobody
                 Status:  new                     |    Milestone:
              Component:  HTTP handling           |      Version:  SVN
             Resolution:                          |     Keywords:  redirect httpresponseredirect get_host reverse proxy squid apache
           Triage Stage:  Design decision needed  |    Has patch:  1
    Needs documentation:  0                       |  Needs tests:  0
Patch needs improvement:  0                       |
--------------------------------------------------+-------------------------

Comment (by aaugustin):

 #9064 shows that it is complicated to interpret `X-FORWARDED-HOST` when
 there is more than one proxy. It is also unnecessary when the proxies are
 properly configured. So it may be a good idea to drop it. That would close
 both this bug and #9064.

 Attached patch:
 - no longer interprets the `X-FORWARDED-HOST` header, as suggested in
 #6548, #9064, and `get_hostpatch.txt` posted by Kellen above,
 - removes a complicated warning in the docs about that header.

 This will certainly not make it in 1.3 so `versionchanged` must be changed
 to something other than 1.3 when applying the patch.

 Obviously, that would be slightly backwards incompatible, but `get_host`
 is already broken anyway for people who expect it to handle proxies. Is it
 necessary to mention it in the release notes?




Re: [Django] #6880: django.http.get_host() breaks reverse proxying on apache

2009-06-21 Thread Django
#6880: django.http.get_host() breaks reverse proxying on apache
---------------------------------------------+------------------------------
          Reporter:  Kellen                  |        Owner:  nobody
            Status:  new                     |    Milestone:
         Component:  HTTP handling           |      Version:  SVN
        Resolution:                          |     Keywords:  redirect httpresponseredirect get_host reverse proxy squid apache
             Stage:  Design decision needed  |    Has_patch:  1
        Needs_docs:  0                       |  Needs_tests:  0
Needs_better_patch:  0                       |
---------------------------------------------+------------------------------
Changes (by Kellen):

  * stage:  Accepted => Design decision needed

Comment:

 Patch attached, per a conversation with SmileyChris in IRC, and per
 http://code.djangoproject.com/ticket/9064#comment:5

 (00:26:53) SmileyChris: Kellen`: i think the "right way" to do it would be
 to not use X_FORWARDED_HOST at all
 (00:27:06) SmileyChris: Kellen`: and use middleware to set it
 (00:27:12) SmileyChris: if it's needed
 ...
 (00:27:40) Kellen`: maybe it doesn't matter in the future if django will
 recommend wsgi only
 (00:28:10) SmileyChris: doesn't mean other cases are void
 (00:28:33) SmileyChris: my suggestion currently would be if someone needs
 that behaviour to write middleware which clears their FORWARDED_HOST var
 ...
 (00:33:32) Kellen`: shall i just submit a patch taking that line out,
 then?
 (00:33:55) SmileyChris: yeah, why not
 (00:34:04) SmileyChris: and move the ticket back to design decision
 (00:34:24) SmileyChris: also mention that someone could work around the
 current issue by using some middleware (in case anyone stumbles across it)
 (00:35:31) SmileyChris: Kellen`: note that the x meta var was there before
 i played with it, so it's not really my fault ;)




Re: [Django] #6880: django.http.get_host() breaks reverse proxying on apache

2008-11-27 Thread Django
#6880: django.http.get_host() breaks reverse proxying on apache
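------------------------------------+---------------------------------------
          Reporter:  Kellen         |        Owner:  nobody
            Status:  new            |    Milestone:
         Component:  HTTP handling  |      Version:  SVN
        Resolution:                 |     Keywords:  redirect httpresponseredirect get_host reverse proxy squid apache
             Stage:  Accepted       |    Has_patch:  1
        Needs_docs:  0              |  Needs_tests:  0
Needs_better_patch:  0              |
------------------------------------+---------------------------------------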
Comment (by Kellen):

 Patch adds a USE_X_FORWARDED_HOST setting for people who are in (what seem
 to me to be) non-standard virtual hosting configurations where they need
 the HTTP_X_FORWARDED_HOST as the hostname. So the default behavior if the
 patch is applied will be to ignore the header and use HTTP_HOST instead.




Re: [Django] #6880: django.http.get_host() breaks reverse proxying on apache

2008-11-27 Thread Django
#6880: django.http.get_host() breaks reverse proxying on apache
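------------------------------------+---------------------------------------
          Reporter:  Kellen         |        Owner:  nobody
            Status:  new            |    Milestone:
         Component:  HTTP handling  |      Version:  SVN
        Resolution:                 |     Keywords:  redirect httpresponseredirect get_host reverse proxy squid apache
             Stage:  Accepted       |    Has_patch:  1
        Needs_docs:  0              |  Needs_tests:  0
Needs_better_patch:  0              |
------------------------------------+---------------------------------------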
Changes (by Kellen):

  * has_patch:  0 => 1
