Issues with force https, proxy and invitations

Felip · June 5, 2020, 10:16pm

My Discourse instance is behind a proxy:

server {
    server_name forum.[...];

    location / {
        proxy_pass http://IP_ADDRESS;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;

    }

    client_max_body_size 10m;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/forum.[...]/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/forum.[...]/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = forum.[...]) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name forum.smbcn.org;

    listen 80;
    return 404; # managed by Certbot

}

Which leads to the server Discourse is installed on (standard Docker installation):

server {
        listen 80; listen [::]:80;
        server_name forum.[...];

        client_max_body_size 10m;

        location / {
                proxy_pass http://unix:/var/discourse/shared/standalone/nginx.http.sock:;
                proxy_set_header Host $http_host;
                proxy_http_version 1.1;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Real-IP $remote_addr;
        }
}

When I force HTTPS, invited users cannot proceed to registration. Browser logs show a 403 error (bad CSRF), even though a CSRF token was successfully generated. Invitations work just fine when HTTPS is not forced.

I guess something is wrong with the way I proxy HTTPS requests to HTTP, maybe some missing headers?

Felip · July 11, 2020, 2:22pm

It looks like I’m really missing something. Being unable to force HTTPS implies that the logo cannot be displayed (not so serious for the time being). I’ve just discovered today I also get a CSRF-related error (“forbidden”) when I try to remove a task in Sidekiq. This is what I found in /var/discourse/shared/standalone/log/rails/unicorn.stderr.log:

WARN – : attack prevented by Rack::Protection::HttpOrigin

I feel quite helpless, any help would be greatly appreciated.

hawm · July 11, 2020, 4:06pm

Maybe you just need to the froce https enable on your front proxy, and disable on discourse.

Felip · July 12, 2020, 7:56am

@hawm I think this is my current configuration.

michaeld · July 12, 2020, 8:38am

How are you setting the $scheme variable?

Felip · July 12, 2020, 3:08pm

I don’t, I guess I rely on the default value, is this wrong?

michaeld · July 12, 2020, 4:56pm

If you’re proxying, this can go wrong. In my experience this is the #1 reason for the issues you are describing. Try to set it to “https” instead (maybe just skip the variable, just put “https” there).

Felip · July 13, 2020, 8:13am

@michaeld yes! You nailed it! Thank you so much!

system · August 12, 2020, 8:13am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Moved site behind proxy, favicon and header not using https anymore Support	11	2119	May 26, 2020
Reverse Proxy Into Discourse Installation	12	56	October 16, 2024
Troubleshooting "BAD CSRF" error on initial site setup? Installation	19	5837	July 18, 2024
HTTPS through Proxy; Discourse still trying to get files using HTTP Installation	22	1084	May 4, 2020
[HELP] Cannot login, error shows "BAD CSRF" Support	31	3919	July 3, 2024

Issues with force https, proxy and invitations

Related Topics