I am working on a project using Django, nginx and Gunicorn. Everything is good except for POST requests: Django raises a CSRF error.
I don't know what is missing or wrong in my Django and/or nginx conf.
Edit: I found out what was wrong. It was because of my exotic SSL port.
I replaced this line in the 'location /' block:
proxy_set_header Host $host;
by:
proxy_set_header Host localhost:8443;
Django error:
Forbidden (403):
CSRF verification failed. Request aborted.
Reason given for failure:
Referer checking failed - https://localhost:8443/accounts/login/ does not match https://localhost/
Here is my nginx conf:
server {
listen 8880;
server_name localhost:8443;
rewrite ^ https://$server_name$request_uri? permanent;
}
#Gunicorn
upstream project {
server localhost:8888;
}
# HTTPS server
server {
listen 8443 ssl default_server;
ssl on;
server_name localhost;
ssl_certificate /path/file.crt;
ssl_certificate_key /path/file.key;
#Disable SSLv3
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
location / {
proxy_pass http://localhost:8888;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Ssl https;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port 8443;
proxy_set_header Host $host; #Replaced by proxy_set_header Host localhost:8443;
}
}
and in my settings.py:
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOCOL', 'https')
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
Try adding this in your location /: proxy_pass_header X-CSRFToken;
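The OP's edit says the fix was forwarding a Host header that keeps the port. As an added example (not code from the question, and a simplification of what Django does), the following models the referer check that produced the 403 above so the effect of the Host header nginx forwards can be tried offline; `$http_host` (the raw Host header, port included) is an assumed alternative to hard-coding `localhost:8443`.

```python
# Added example (not from the question, and a simplification of Django's own code):
# models the CSRF referer check behind the 403, driven by the Host header nginx forwards.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin(url):
    """(scheme, host, port) with the default port filled in, like Django's same_origin()."""
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS.get(parts.scheme))


def csrf_referer_check(meta):
    """Referer check Django applies to POSTs it considers HTTPS.

    `meta` stands for request.META; request.get_host() returns HTTP_HOST, which is
    exactly the Host header nginx sets with proxy_set_header.  The expected origin is
    https://<host>/ and the Referer must match scheme, host *and* port.
    """
    referer = meta.get("HTTP_REFERER")
    if not referer:
        return False, "Referer checking failed - no Referer"
    good_referer = "https://%s/" % meta["HTTP_HOST"]
    if origin(referer) != origin(good_referer):
        return False, "Referer checking failed - %s does not match %s" % (referer, good_referer)
    return True, "ok"


# Constructed request metadata for the login POST in the question.  Only the Host
# header differs between the two cases.
REFERER = "https://localhost:8443/accounts/login/"
WITH_DOLLAR_HOST = {"HTTP_HOST": "localhost", "HTTP_REFERER": REFERER}   # Host $host: port dropped
WITH_PORT = {"HTTP_HOST": "localhost:8443", "HTTP_REFERER": REFERER}     # Host localhost:8443 or $http_host

if __name__ == "__main__":
    for label, meta in (("Host $host", WITH_DOLLAR_HOST), ("Host localhost:8443", WITH_PORT)):
        print(label, "->", csrf_referer_check(meta)[1])
```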
I have a Django (3.0) app using Daphne as an app container and Nginx as proxy server.
daphne -u /home/ubuntu/virtualenvs/src/app/app.sock app.asgi:application
My problem is that the websocket connection failed.
(index):16 WebSocket connection to 'ws://example.com/ws/chat/1/' failed: Error during WebSocket handshake: Unexpected response code: 404
I'm pretty sure that my app settings and routes are just fine.
Because if I stop Nginx, bind Daphne to 0.0.0.0:8000 and use the real IP ("ws://xx.xx.xx.xx:8000/ws/chat/1") as URL, the websocket connection is established and very stable.
How should I modify my Nginx to make websocket work?
#my nginx setting
upstream websocket {
server unix:/home/ubuntu/virtualenvs/src/app/app.sock;
}
#websocket settings
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 80;
listen [::]:80 default_server;
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
server_name example.com;
return 301 https://example.com$request_uri;
ssl on;
# certificate settings
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_session_timeout 10m;
#ssl_session cache shared:SSL:1m;
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2 SSLv2 SSLv3;
#ssl_prefer_server_ciphers on;
#ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!$
location / {
root /home/ubuntu/virtualenvs/;
include proxy_params;
proxy_pass https://websocket;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_pass_request_headers on;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location ~* \.(js|css)$ {
expires -1;
}
}
I'm trying to deploy a web application to my server. I have put the HTML files in one folder and I have a Django server running on the same server. I am using nginx to set up a reverse proxy for the backend, but for some reason I'm not able to route to backend URLs.
Here is my nginx configuration:
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
return 301 https://example.com$request_uri;
}
server {
listen [::]:443 ssl ipv6only=on;
listen 443 ssl;
server_name example.com example.com;
root /var/www/html/;
index index.html;
# Let's Encrypt parameters
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
location / {
try_files $uri $uri/ /index.html;
}
location /api {
proxy_pass http://unix:/run/gunicorn.sock;
proxy_redirect off;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
}
}
In the first block, I'm setting fallbacks to index.html because it is an Angular app.
The Angular app runs fine.
But I'm not able to access the routes of the reverse proxy server: whenever I hit a route with /api/something it takes me back to the Angular app, i.e. index.html.
It was very simple: I had to modify the path block like this:
location ~^/(admin|api) {
proxy_pass http://unix:/run/gunicorn.sock;
proxy_redirect off;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
}
I configured an API cluster with an Nginx load balancer following these manuals:
https://docs.wso2.com/display/AM250/Configuring+the+Proxy+Server+and+the+Load+Balancer
https://docs.wso2.com/display/CLUSTER44x/Setting+up+a+Cluster
I tried to use a self-signed certificate or a commercial cert for the LB, but when I open the LB web page on port 443 I get the same errors in the logs:
SSL_do_handshake() failed (SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking to upstream.
What is the problem?
Nginx config:
upstream server1 {
server x.x.x.x:9443;
}
upstream server2 {
server x.x.x.x:8243;
}
server {
listen 80;
server_name server1.com;
rewrite ^/(.*) https://server1.com/$1 permanent;
}
server {
listen 443;
server_name server1.com;
proxy_set_header X-Forwarded-Port 443;
ssl on;
ssl_certificate /etc/nginx/ssl/server1.cer;
ssl_certificate_key /etc/nginx/ssl/server1.key;
location / {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_read_timeout 5m;
proxy_send_timeout 5m;
proxy_pass https://server1.com;
}
}
server {
listen 443;
server_name server1.com;
proxy_set_header X-Forwarded-Port 443;
ssl on;
ssl_certificate /etc/nginx/ssl/server1.cer;
ssl_certificate_key /etc/nginx/ssl/server1.key;
location / {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_read_timeout 5m;
proxy_send_timeout 5m;
proxy_pass https://server1.com;
}
}
I am working on a site (whose name is https://tutumluannev2test.derinpos.com/). I've been trying to add Facebook login. At localhost there is no problem, but at staging I always get this error message:
Insecure Login Blocked: You can’t get an access token or log in to this app from an insecure page. Try reloading the page as https://
It's an ASP.NET Core 2.1 project,
served by nginx on Ubuntu 16.04.
Valid OAuth Redirect URIs: https://tutumluannev2test.derinpos.com/signin-facebook
https://www.facebook.com/v2.12/dialog/oauth?client_id=201510504064809&scope=public_profile%2Cemail&response_type=code&redirect_uri=http%3A%2F%2Ftutumluannev2test.derinpos.com%2Fsignin-facebook&state=...
nginx.conf:
server {
listen 80;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name tutumluannev2test.derinpos.com;
location / {
proxy_set_header X-Forwarded-SSL on;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_pass http://localhost:5003;
proxy_http_version 1.1;
}
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_certificate /etc/letsencrypt/live/tutumluannev2test.derinpos.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/tutumluannev2test.derinpos.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
Can anybody help me?
Thanks in advance
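As an added example (not code from the question or from ASP.NET Core), the following models in Python how an app behind a TLS-terminating nginx decides which scheme goes into the OAuth redirect_uri: the app's own listener is plain HTTP (proxy_pass http://localhost:5003), so unless it honours the X-Forwarded-Proto header nginx sets, it builds the http:// redirect_uri shown above, which is not among the registered URIs. The client id and state are placeholders; ASP.NET Core makes this decision in its forwarded-headers middleware (UseForwardedHeaders).

```python
# Added example (not from the question or from ASP.NET Core): models how an app behind a
# TLS-terminating nginx decides which scheme goes into the OAuth redirect_uri.
from urllib.parse import urlencode

# From the question: the redirect URI registered with Facebook.
VALID_OAUTH_REDIRECT_URIS = {"https://tutumluannev2test.derinpos.com/signin-facebook"}


def request_scheme(headers, trust_forwarded_proto):
    """Scheme the app believes it was reached over.

    nginx proxies to http://localhost:5003, so the app's own socket is plain HTTP; the
    only evidence of TLS is the X-Forwarded-Proto header nginx sets from $scheme
    (proxy_set_header also replaces any value a client sent, so it is safe to trust here).
    """
    if trust_forwarded_proto and headers.get("X-Forwarded-Proto") == "https":
        return "https"
    return "http"


def signin_facebook_redirect_uri(headers, trust_forwarded_proto):
    return "%s://%s/signin-facebook" % (request_scheme(headers, trust_forwarded_proto), headers["Host"])


def facebook_authorize_url(headers, client_id, state, trust_forwarded_proto):
    """Authorization URL in the shape shown in the question (client_id/state are placeholders)."""
    query = urlencode({
        "client_id": client_id,
        "scope": "public_profile,email",
        "response_type": "code",
        "redirect_uri": signin_facebook_redirect_uri(headers, trust_forwarded_proto),
        "state": state,
    })
    return "https://www.facebook.com/v2.12/dialog/oauth?" + query


def redirect_uri_is_registered(headers, trust_forwarded_proto):
    return signin_facebook_redirect_uri(headers, trust_forwarded_proto) in VALID_OAUTH_REDIRECT_URIS


# Constructed headers, as the nginx config in the question forwards them.
FORWARDED = {"Host": "tutumluannev2test.derinpos.com", "X-Forwarded-Proto": "https"}

if __name__ == "__main__":
    for trust in (False, True):
        print("trust X-Forwarded-Proto:", trust, "->",
              signin_facebook_redirect_uri(FORWARDED, trust),
              "registered" if redirect_uri_is_registered(FORWARDED, trust) else "NOT registered")
```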
Looking for this solution for a while now and think I'm pretty close, however...
So I have 5 different VMs running webpages on different ports. For brevity's sake, let's say 8080 to 8484. I want to have them all listen on 127.0.0.1 and their respective port. I also want nginx to serve as an HTTPS and password-protected front to a landing page that will redirect the users to these internal sites.
server {
listen 443 ssl http2;
ssl_certificate /etc/nginx/ssl/home.crt;
ssl_certificate_key /etc/nginx/ssl/home.key;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
root /usr/share/nginx/html;
index index.html index.htm;
client_max_body_size 101M;
auth_basic "Login required";
auth_basic_user_file /etc/nginx/htpasswd;
location /server1 {
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host \$host;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
}
location /server2 {
proxy_pass http://127.0.0.1:8181;
proxy_set_header Host \$host;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
}
....
So this will prompt me for the user, pass and redirect to the appropriate page being hosted on that port, but I get an error saying disallowed host at /server1 for an invalid HTTP_HOST header as \127.0.0.1 is not valid.
Is this even possible to do? The servers are running various frameworks, Django, Apache, Tomcat...
server {
listen 443 ssl http2;
ssl_certificate /etc/nginx/ssl/home.crt;
ssl_certificate_key /etc/nginx/ssl/home.key;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
root /usr/share/nginx/html;
index index.html index.htm;
client_max_body_size 101M;
auth_basic "Login required";
auth_basic_user_file /etc/nginx/htpasswd;
location /server1/ {
proxy_pass http://127.0.0.1:8080/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /server2/ {
proxy_pass http://127.0.0.1:8181/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}