Issues with force https, proxy and invitations

Felip · June 5, 2020, 10:16pm

My Discourse instance is behind a proxy:

server {
    server_name forum.[...];

    location / {
        proxy_pass http://IP_ADDRESS;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;

    }

    client_max_body_size 10m;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/forum.[...]/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/forum.[...]/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = forum.[...]) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name forum.smbcn.org;

    listen 80;
    return 404; # managed by Certbot

}

Which leads to the server Discourse is installed on (standard Docker installation):

server {
        listen 80; listen [::]:80;
        server_name forum.[...];

        client_max_body_size 10m;

        location / {
                proxy_pass http://unix:/var/discourse/shared/standalone/nginx.http.sock:;
                proxy_set_header Host $http_host;
                proxy_http_version 1.1;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Real-IP $remote_addr;
        }
}

When I force HTTPS, invited users cannot proceed to registration. Browser logs show a 403 error (bad CSRF), even though a CSRF token was successfully generated. Invitations work just fine when HTTPS is not forced.

I guess something is wrong with the way I proxy HTTPS requests to HTTP, maybe some missing headers?

Felip · July 11, 2020, 2:22pm

It looks like I’m really missing something. Being unable to force HTTPS implies that the logo cannot be displayed (not so serious for the time being). I’ve just discovered today I also get a CSRF-related error (“forbidden”) when I try to remove a task in Sidekiq. This is what I found in /var/discourse/shared/standalone/log/rails/unicorn.stderr.log:

WARN – : attack prevented by Rack::Protection::HttpOrigin

I feel quite helpless, any help would be greatly appreciated.

hawm · July 11, 2020, 4:06pm

Maybe you just need to the froce https enable on your front proxy, and disable on discourse.

Felip · July 12, 2020, 7:56am

@hawm I think this is my current configuration.

michaeld · July 12, 2020, 8:38am

How are you setting the $scheme variable?

Felip · July 12, 2020, 3:08pm

I don’t, I guess I rely on the default value, is this wrong?

michaeld · July 12, 2020, 4:56pm

If you’re proxying, this can go wrong. In my experience this is the #1 reason for the issues you are describing. Try to set it to “https” instead (maybe just skip the variable, just put “https” there).

Felip · July 13, 2020, 8:13am

@michaeld yes! You nailed it! Thank you so much!

system · August 12, 2020, 8:13am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Moved site behind proxy, favicon and header not using https anymore support	11	1969	May 26, 2020
Troubleshooting "BAD CSRF" error on initial site setup? support	18	5467	April 30, 2021
HTTPS through Proxy; Discourse still trying to get files using HTTP installation	22	920	May 4, 2020
Avatar, Site Logos, and Cert Errors installation unsupported-install	61	3384	May 25, 2020
X-Forwarded-For proxy tag not recognized by Discourse? installation	11	2674	April 10, 2020

Issues with force https, proxy and invitations

Related Topics