After creating app in django and ensuring that everything works i tried to serve my app on remote server. The stack over there is Apache with mod-wsgi-py3. After setting up Apache with documentation provided by mod_wsgi i am having problems with mod-wsgi
To make sure that i dont have any problem with my app i checked on standard admin page in Django. The only open domain from that server to access is 'https://app.web.corpnet.pl:15003/app/' so all my uri's use this as a root.
I think that the problem is either in django settings (allowed hosts?) or apache conf so im pasting these:
ALLOWED_HOSTS = ['localhost', 'app.tnweb.corpnet.pl',
'app.tnweb.corpnet.pl:15003', 'app.corpnet.pl', 'corpnet.pl']
Problem is described by django debug as:
Forbidden (403)
CSRF verification failed. Request aborted.
Help
Reason given for failure:
Referer checking failed - https://app.tnweb.corpnet.pl:15003/app/admin/login/?next=/app/admin/ does not match any trusted origin
Try declaring a SECRET_KEY:
'app.config[‘SECRET_KEY’]=‘aSecretAndComplexString’'
Usualy CSRF verification method fails if no secret key is declared.
Related
I added several variations of the domain to CORS_ALLOWED_ORIGINS and CSRF_TRUSTED_ORIGINS, and
ALLOWED_HOSTS. I added django.template.context_processors.csrf to context_processors. I had neither CSRF_COOKIE_SECURE nor SESSION_COOKIE_SECURE set to true (which I'm hoping I can change). I can't think of anything else I could do to get it to work on Django admin, and it only stopped working after I set up session authentication, (which included configuring csrf and session cookies). When I didn't have any authentication for the frontend, Django login worked fine, and even after, like I said, it was working fine on localhost.
I would really appreciate any suggestions on something else I could try to fix this issue.
Update: Now I'm getting this error message Referer checking failed - https://myapp.herokuapp.com/admin/login/?next=/admin/ does not match any trusted origins.
I thought maybe the fact that it was a heroku subdomain was the issue, so I added a domain, and an SSL certificate. The new domain is getting the exact same error.
My CORS_ALLOWED_ORIGINS includes https://myapp.herokuapp.com and https://www.example.com and, because the slash kept being copied from the browser, https://www.example.com/. And even though there's an SSL certificate, I included the http:// version of each address as well.
The error "Referer checking failed - ... does not match any trusted origins" is not related to CORS_ALLOWED_ORIGINS. It is about the CSRF_TRUSTED_ORIGINS setting.
Make sure to include https://myapp.herokuapp.com:
CSRF_TRUSTED_ORIGINS = ["https://myapp.herokuapp.com", "https://www.myapp.herokuapp.com"]
I deployed an web app which django restframework base on Heroku and Azure.
Same app on Heroku works fine.
But when I access to Azure, it causes ERR_TOO_MANY_REDIRECT error.
I googled and found that turn SECURE_SSL_REDIRECT off solved ERR_TOO_MANY_REDIRECT error.
However, it causes 403 CSRF error instead.
I need to find another way to fix ERR_TOO_MANY_REDIRECT or find a way to fix 403 CSRF error.
Can anyone help me to solve this issue?
If your app is on "Azure App Service", the HTTPS connection will be terminated before it reaches your web worker. Your app wil see an incoming HTTP request instead. In this case you need to set SECURE_SSL_REDIRECT = False indeed. If you want to enforce HTTPS (which is a good practice) you can do so in the Azure settings: https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-bindings#enforce-https
About the CSRF-related error: because Azure translates HTTPS to HTTP, you need to configure Django to allow POST requests from a different scheme (since Django 4.0) by adding this to settings.py:
CSRF_TRUSTED_ORIGINS = ["https://YOUR-DOMAIN.com", "https://www.YOUR-DOMAIN.com"]
If this does not solve your problem, you can temporarily set DEBUG = True in production and try again. On the error page, you will see a "Reason given for failure" that you can post here.
I was trying to implement 'Securing Django Admin login with OTP', however I can't login into the admin panel now. I removed the app from everywhere but still doesn't work. Any solution for this?
[05/Feb/2021 21:39:49] code 400, message Bad request version ('î\x9el\x00$\x13\x01\x13\x03\x13\x02À+À/̨̩À,À0À')
[05/Feb/2021 21:39:49] You're accessing the development server over HTTPS, but it only supports HTTP.
If you are on development version you cant use https connection on your localhost so just turn your URL to http and error will be disappear.
ex:
https://localhost:8000
or
https://127.0.0.1:8000
just turn it to
http://localhost:8000
or
http://127.0.0.1:8000
also may be at 127.0.0.1:8000
First time attempting to use oauth with python django and django-allauth. I can't seem to make logins happen. I can get to the point where you are asked to authorize your site with battlenet, but when you're redirected to the callback url I just get this:
{'code': 'unknown', 'provider': 'battlenet', 'exception': ProxyError(MaxRetryError("HTTPSConnectionPool(host='us.battle.net', port=443): Max retries exceeded with url: /oauth/token (Caused by ProxyError('Cannot connect to proxy.', OSError('Tunnel connection failed: 403 Forbidden',)))",),)}
I have created my application in dev.battle.net, I've put the client key and the secret key in my django-allauth app, but I get stuck at this point.
Anyone have any experience with this?
I managed to answer my own question.
I'm using pythonanywhere to host this for now and I was using the free service. Seems there's a white list of urls that you can hit if you're a free user and us.battle.net was not on the list. I registered for a month and after a few minutes my oauth calls work fine.
If anyone else happens to be in my situation, here's the list of sites that pythonanywhere can hit for free accounts.
https://www.pythonanywhere.com/whitelist/
What kind of proxy are you running? Nginx + Gunicorn? It's trying to hit '/oauth/token' and failing on that. I've just set up a allauth with Battle.net but I didn't see this along the way.
What does your urls.py and settings.py look like?
You need to have SITE_ID specified in your settings file.
Ensure your reverse proxy is handling https requests.
I am using Django 1.6 with Oauth2 (django-oauth-toolkit) and the site is SSL secure via apache.
When i get a token and using it without SSL - I reach the api and get 200.
If the token is not valid, i get 403, as expected. OK.
when i use the SSL without the Oauth2 - it's also pass OK.
But when i use them together SSL and Oauth I get 403.
Can someone give me a clue what am i missing?
Thanks in advances
Hagay.
If you're getting strange issues with HTTP authorization under Apache/WSGI/Django, but not when running manage.py runserver, you might need this command in your Apache site config:
WSGIPassAuthorization on
If the setting is not switched on, then WSGI "swallows" all authorization headers and doesn't pass them on to your Python code, apparently for security reasons.
See the WSGI module docs for more information.