Issues with force https, proxy and invitations

My Discourse instance is behind a proxy:

server {
    server_name forum.[...];

    location / {
        proxy_pass http://IP_ADDRESS;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;

    }

    client_max_body_size 10m;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/forum.[...]/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/forum.[...]/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = forum.[...]) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name forum.smbcn.org;

    listen 80;
    return 404; # managed by Certbot

}

Which leads to the server Discourse is installed on (standard Docker installation):

server {
        listen 80; listen [::]:80;
        server_name forum.[...];

        client_max_body_size 10m;

        location / {
                proxy_pass http://unix:/var/discourse/shared/standalone/nginx.http.sock:;
                proxy_set_header Host $http_host;
                proxy_http_version 1.1;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Real-IP $remote_addr;
        }
}

When I force HTTPS, invited users cannot proceed to registration. Browser logs show a 403 error (bad CSRF), even though a CSRF token was successfully generated. Invitations work just fine when HTTPS is not forced.

I guess something is wrong with the way I proxy HTTPS requests to HTTP, maybe some missing headers?


It looks like I’m really missing something. Being unable to force HTTPS implies that the logo cannot be displayed (not so serious for the time being). I’ve just discovered today I also get a CSRF-related error (“forbidden”) when I try to remove a task in Sidekiq. This is what I found in /var/discourse/shared/standalone/log/rails/unicorn.stderr.log:

WARN – : attack prevented by Rack::Protection::HttpOrigin

I feel quite helpless, any help would be greatly appreciated.


Maybe you just need to enable force https on your front proxy, and disable it on discourse.

@hawm I think this is my current configuration.

How are you setting the $scheme variable?


I don’t, I guess I rely on the default value, is this wrong?

If you’re proxying, this can go wrong. In my experience this is the #1 reason for the issues you are describing. Try to set it to “https” instead (maybe just skip the variable, just put “https” there).

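Why a literal scheme on the inner proxy fixes this, as an added model that is not Discourse, Rack or nginx code: the Docker host's nginx listens on port 80, so its `$scheme` is `http`, and `proxy_set_header X-Forwarded-Proto $scheme` overwrites the `https` the front proxy had set. The app then reconstructs its base URL as `http://...`, which no longer matches the browser's `https://...` Origin header. The hostname forum.example, the sample request and the simplified origin check are assumptions made for the illustration.

```python
# Added model (not Discourse, Rack or nginx code) of the two nginx hops in this
# thread plus a simplified Rack::Protection::HttpOrigin check. The hostname
# forum.example and the request are constructed sample values.

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

def proxy_hop(request, listener_scheme, forwarded_proto_setting):
    """Emulate one `location /` block forwarding `request` upstream.
    listener_scheme: what `$scheme` is on this hop (https on :443, http on :80).
    forwarded_proto_setting: the `proxy_set_header X-Forwarded-Proto` value,
    "$scheme" as in both configs above, or a literal such as "https"."""
    headers = dict(request["headers"])
    headers["X-Forwarded-Proto"] = (listener_scheme
                                    if forwarded_proto_setting == "$scheme"
                                    else forwarded_proto_setting)
    # proxy_pass goes to plain http (or a unix socket), so the next hop's
    # own listener always sees a non-TLS connection.
    return {"method": request["method"], "scheme": "http", "headers": headers}

def app_base_url(request):
    """scheme://host the Rack app believes it serves; X-Forwarded-Proto wins
    over the scheme of the socket the request actually arrived on."""
    scheme = request["headers"].get("X-Forwarded-Proto", request["scheme"])
    return f"{scheme}://{request['headers']['Host']}"

def http_origin_ok(request):
    """Simplified HttpOrigin decision: safe methods pass; otherwise a present
    Origin header must equal the app's base URL or the request gets a 403."""
    if request["method"] in SAFE_METHODS:
        return True
    origin = request["headers"].get("Origin")
    return origin is None or origin == app_base_url(request)

def invitation_post_accepted(inner_forwarded_proto):
    """Send a browser POST (e.g. accepting an invite) through both hops.
    The outer hop is left as posted; `inner_forwarded_proto` is the
    X-Forwarded-Proto setting on the Docker host's nginx."""
    browser = {"method": "POST", "scheme": "https",
               "headers": {"Host": "forum.example",
                           "Origin": "https://forum.example"}}
    at_inner = proxy_hop(browser, "https", "$scheme")            # outer, :443
    at_app = proxy_hop(at_inner, "http", inner_forwarded_proto)  # inner, :80
    return http_origin_ok(at_app)

if __name__ == "__main__":
    print(invitation_post_accepted("$scheme"))  # False: app sees http://, Origin is https://
    print(invitation_post_accepted("https"))    # True
```

The same reasoning applies to the Sidekiq "forbidden" error: any non-GET request carries the browser's https Origin and fails the comparison until the inner hop forwards the literal scheme.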

@michaeld yes! You nailed it! Thank you so much!

