I am using Django 1.6 with Oauth2 (django-oauth-toolkit) and the site is SSL secure via apache.
When i get a token and using it without SSL - I reach the api and get 200.
If the token is not valid, i get 403, as expected. OK.
when i use the SSL without the Oauth2 - it's also pass OK.
But when i use them together SSL and Oauth I get 403.
Can someone give me a clue what am i missing?
Thanks in advances
Hagay.
If you're getting strange issues with HTTP authorization under Apache/WSGI/Django, but not when running manage.py runserver, you might need this command in your Apache site config:
WSGIPassAuthorization on
If the setting is not switched on, then WSGI "swallows" all authorization headers and doesn't pass them on to your Python code, apparently for security reasons.
See the WSGI module docs for more information.
Related
I deployed an web app which django restframework base on Heroku and Azure.
Same app on Heroku works fine.
But when I access to Azure, it causes ERR_TOO_MANY_REDIRECT error.
I googled and found that turn SECURE_SSL_REDIRECT off solved ERR_TOO_MANY_REDIRECT error.
However, it causes 403 CSRF error instead.
I need to find another way to fix ERR_TOO_MANY_REDIRECT or find a way to fix 403 CSRF error.
Can anyone help me to solve this issue?
If your app is on "Azure App Service", the HTTPS connection will be terminated before it reaches your web worker. Your app wil see an incoming HTTP request instead. In this case you need to set SECURE_SSL_REDIRECT = False indeed. If you want to enforce HTTPS (which is a good practice) you can do so in the Azure settings: https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-bindings#enforce-https
About the CSRF-related error: because Azure translates HTTPS to HTTP, you need to configure Django to allow POST requests from a different scheme (since Django 4.0) by adding this to settings.py:
CSRF_TRUSTED_ORIGINS = ["https://YOUR-DOMAIN.com", "https://www.YOUR-DOMAIN.com"]
If this does not solve your problem, you can temporarily set DEBUG = True in production and try again. On the error page, you will see a "Reason given for failure" that you can post here.
I was trying to implement 'Securing Django Admin login with OTP', however I can't login into the admin panel now. I removed the app from everywhere but still doesn't work. Any solution for this?
[05/Feb/2021 21:39:49] code 400, message Bad request version ('î\x9el\x00$\x13\x01\x13\x03\x13\x02À+À/̨̩À,À0À')
[05/Feb/2021 21:39:49] You're accessing the development server over HTTPS, but it only supports HTTP.
If you are on development version you cant use https connection on your localhost so just turn your URL to http and error will be disappear.
ex:
https://localhost:8000
or
https://127.0.0.1:8000
just turn it to
http://localhost:8000
or
http://127.0.0.1:8000
also may be at 127.0.0.1:8000
After creating app in django and ensuring that everything works i tried to serve my app on remote server. The stack over there is Apache with mod-wsgi-py3. After setting up Apache with documentation provided by mod_wsgi i am having problems with mod-wsgi
To make sure that i dont have any problem with my app i checked on standard admin page in Django. The only open domain from that server to access is 'https://app.web.corpnet.pl:15003/app/' so all my uri's use this as a root.
I think that the problem is either in django settings (allowed hosts?) or apache conf so im pasting these:
ALLOWED_HOSTS = ['localhost', 'app.tnweb.corpnet.pl',
'app.tnweb.corpnet.pl:15003', 'app.corpnet.pl', 'corpnet.pl']
Problem is described by django debug as:
Forbidden (403)
CSRF verification failed. Request aborted.
Help
Reason given for failure:
Referer checking failed - https://app.tnweb.corpnet.pl:15003/app/admin/login/?next=/app/admin/ does not match any trusted origin
Try declaring a SECRET_KEY:
'app.config[‘SECRET_KEY’]=‘aSecretAndComplexString’'
Usualy CSRF verification method fails if no secret key is declared.
I am trying to log into my WSO2 management console. It is containerized and hosted in an AWS EC2 instance. I can navigate to the console login page, but when I try to login I get a 403 Forbidden message.
Navigation to login page is okay
Forbidden error
I know that the cause of this issue is that my login page is not posting the X-CSRF-Token.
Example of the form data posted in my "bad" request:
The console of my WSO2 instance prints an error like this:
WARN {org.owasp.csrfguard.log.JavaLogger} - potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:IP_ADDRESS, method:POST, uri:/carbon/admin/login_action.jsp, error:required token is missing from the request)
Example of the form data posted in a "good" request in a local WSO2 instance:
What I have tried:
I have tried turning compression "off" as suggested by this post: wso2 api manger carbon page gives 403 Forbidden
I am not using JDK 1.8.0_151 which is labeled as a version with a bug.
I am able to circumvent the issue if I disable the csrfguard in Owasp.CsrfGuard.Carbon.properties but this is a security risk.
I have sticky sessions enabled
Any ideas on why the posting to the login_action.jsp page would return a 403?
EDIT
I failed to mention in the post that I am using TLS termination with an AWS load balancer. I am almost certain that my issue has something to do with that. This line from my console output details what my error is:
Referer domain https:LOAD_BALANCER_URL/carbon/admin/login.jsp does not match request domain: http://LOAD_BALANCER_URL/carbon/admin/js/csrfPrevention.js
You can see that the referer is using https but the request is using http. I believe that I want the request domain to be https, but I'm not sure how to do that. I think that the first page is making a call to login.jsp with https and the login.jsp page is making a call to the csrfPrevention.js page but changing the protocol to http.
Please refer the OS and JDK incompatibilities matrix and make sure you are not using one of these OS JDK pairs.
Do you have a load balancer fronting your Identity Server? If so, please verify that you have enabled sticky sessions in your LB. You can find sample NGINX the configurations in the guide - docs.wso2.com/display/CLUSTER44x/Configuring+NGINX
Lower the version of java JDK to 1.8.0_144.If it's not worked go to this location
wso2Servers/wso2is-5.5.0/repository/conf/security .
There is a file name Owasp.CsrfGuard.Carbon.properties.
In that file, there is a line
org.owasp.csrfguard.JavascriptServlet.refererMatchDomain = true
set this to
org.owasp.csrfguard.JavascriptServlet.refererMatchDomain = false
This worked for me.
On production, I've been trying to add the djangosecure.middleware.SecurityMiddleware (from http://pypi.python.org/pypi/django-secure)to my settings, but haven't had any luck making it work.
When I run:
./manage.py checksecure
Everything passes perfectly fine. But I'm unable to load the site up. It gives me the following error:
The webpage has resulted in too many redirects. Clearing your cookies for this site or
allowing third-party cookies may fix the problem. If not, it is possibly a server
configuration issue and not a problem with your computer.
Locally, when I use the production settings I receive a page error with:
Unable to make a secure connection to the server. This may be a problem with the server,
or it may be requiring a client authentication certificate that you don't have.
My terminal then gets filled with strange errors that I can't decipher:
[12/Jan/2013 14:15:25] code 400, message Bad HTTP/0.9 request type
('\x16\x03\x01\x00\x98\x01\x00\x00\x94\x03\x02P\xf1\xc4]\x97e\xdd\xdc\xa9\xeb\x0e\xfc\xbb\xfa3 ')
[12/Jan/2013 14:15:25] "??P??]?e?ܩ????3 Ʀ?-?:?.E:?o?FH?" 400 -
[12/Jan/2013 14:15:25] code 400, message Bad request syntax ('\x16\x03\x01\x00\x98\x01\x00\x00\x94\x03\x02P\xf1\xc4]M\xeeA50\xfc\x15%\xc1\xa4\x02\xec\xf0\x1fO')
[12/Jan/2013 14:15:25] "??P??]M?A50?%????O" 400 -
[12/Jan/2013 14:15:25] code 400, message Bad request syntax ('\x16\x03\x01\x00\x98\x01\x00\x00\x94\x03\x01P\xf1\xc4]\x8eg\xbey\x155\xafiP5\x85r\xb4|\x8c\x
Any advice?
Infinite-redirects means you have set SECURE_SSL_REDIRECT to True, but in production your site runs behind an SSL-stripping proxy server, so Django can't tell that the request is already in fact SSL, so it continually tries to redirect to SSL. As noted in the linked docs, you need to figure out what header your proxy sets to indicate an externally-SSL request, and set the SECURE_PROXY_SSL_HEADER setting accordingly.
Using the production settings locally will not work because Django's development server does not support SSL. The strange terminal output is your browser trying to make an SSL handshake with a server that doesn't understand SSL.