Issues with force https, proxy and invitations

My Discourse instance is behind a proxy:

server {
    server_name forum.[...];

    location / {
        proxy_pass http://IP_ADDRESS;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;

    }

    client_max_body_size 10m;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/forum.[...]/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/forum.[...]/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = forum.[...]) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name forum.smbcn.org;

    listen 80;
    return 404; # managed by Certbot

}

Which leads to the server Discourse is installed on (standard Docker installation):

server {
        listen 80; listen [::]:80;
        server_name forum.[...];

        client_max_body_size 10m;

        location / {
                proxy_pass http://unix:/var/discourse/shared/standalone/nginx.http.sock:;
                proxy_set_header Host $http_host;
                proxy_http_version 1.1;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Real-IP $remote_addr;
        }
}

When I force HTTPS, invited users cannot proceed to registration. Browser logs show a 403 error (bad CSRF), even though a CSRF token was successfully generated. Invitations work just fine when HTTPS is not forced.

I guess something is wrong with the way I proxy HTTPS requests to HTTP, maybe some missing headers?

1 like

It looks like I’m really missing something. Being unable to force HTTPS implies that the logo cannot be displayed (not so serious for the time being). I’ve just discovered today I also get a CSRF-related error (“forbidden”) when I try to remove a task in Sidekiq. This is what I found in /var/discourse/shared/standalone/log/rails/unicorn.stderr.log:

WARN – : attack prevented by Rack::Protection::HttpOrigin

I feel quite helpless, any help would be greatly appreciated.

1 like

Maybe you just need to enable force HTTPS on your front proxy, and disable it on Discourse.

@hawm I think this is my current configuration.

How are you setting the $scheme variable?

3 likes

I don’t, I guess I rely on the default value, is this wrong?

If you’re proxying, this can go wrong. In my experience this is the #1 reason for the issues you are describing. Try to set it to “https” instead (maybe just skip the variable, just put “https” there).

2 likes
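As an added illustration of the fix discussed above (not a config from the original thread), here is how the X-Forwarded-Proto header can be pinned at both hops. It assumes the two-nginx layout shown in the question: a TLS-terminating front proxy and a plain-HTTP nginx in front of the Discourse container; hostnames and the backend address are placeholders. The point of the second block is that on a listener without ssl, nginx's $scheme always evaluates to "http", so a plain "proxy_set_header X-Forwarded-Proto $scheme" on that hop silently replaces the "https" the front proxy sent, and Rails then sees a request origin that does not match the browser's https Origin header.

```nginx
# Front (TLS-terminating) proxy. $scheme is "https" on a 443 ssl listener,
# but hard-coding the value states the intent and cannot be wrong.
server {
    listen 443 ssl;
    server_name forum.example.org;          # placeholder hostname

    location / {
        proxy_pass http://BACKEND_IP;        # placeholder for the Discourse host
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Inner nginx on the Discourse host (http context, e.g. a sites-enabled file).
# This listener is plain HTTP, so "$scheme" is "http" here: forward the value
# received from the front proxy instead, falling back to $scheme only when
# the header is absent (a direct, non-proxied request).
map $http_x_forwarded_proto $forwarded_proto {
    default $http_x_forwarded_proto;
    ""      $scheme;
}

server {
    listen 80;
    server_name forum.example.org;          # placeholder hostname

    location / {
        proxy_pass http://unix:/var/discourse/shared/standalone/nginx.http.sock:;
        proxy_http_version 1.1;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $forwarded_proto;
    }
}
```

Because the inner hop now trusts whatever X-Forwarded-Proto it receives, its port 80 should only be reachable from the front proxy (firewall or bind address), otherwise a direct client could claim an https origin it does not have.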

@michaeld yes! You nailed it! Thank you so much!

1 like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.