Confused in CsrfViewMiddleware - _origin_verified is checking ports

Dilrevx · November 14, 2024, 4:31pm

django version 4.2

Hey I am deploying django at localhost:8000, with nginx in front at localhost:8001.
Also, nginx is behind NAT, let’s say, Internet ↔ 172.0.0.2:6000 ↔ localhost:8001

So in browser requests, Host header should be 172.0.0.2:6000; and Origin header should be http://172.0.0.2:6000.

I’ve added 172.0.0.2 to ALLOWED_HOSTS, so I can GET my web pages. But my POST requests are rejected with this exception:
http://172.0.0.2:6000 does not match any trusted origins.

So I check out the docs Settings | Django documentation | Django.
My understanding is that if origin matches host, no CSRF_TRUSTED_ORIGINS needed to be set. Empty is fine.

But in my case a port number is at the end of the string. When the code compares good_origin with request_origin, missing port number cracks this.

I don’t think this is expected, because if port is 80 then nothing is happening.

Debug info, request origin is scheme://xxx:60522, good_origin is scheme://xxx

Dilrevx · November 14, 2024, 5:09pm

wait something went wrong. _origin_verified is correct… It seems to be my browser request causing the problem

Dilrevx · November 14, 2024, 5:31pm

I figure it out. It’s a nginx misconfiguration. I forgot to forward port number in host header.

proxy_set_header Host $http_host would forward entire host header to django, as is.

Topic		Replies	Views
Origin checking failed with SSL (https) Forms & APIs	21	20292	September 29, 2024
CSRF trusted origin with nginx and dynamic IP? Deployment	9	2321	November 20, 2023
Django CSRF_Trusted and Allowed Hosts issues Mystery Errors	10	39283	May 8, 2024
Forbidden(403) Mystery Errors	4	328	January 22, 2025
403 error when running Django 4.0 on localhost Deployment	3	1684	July 7, 2022

Confused in CsrfViewMiddleware - _origin_verified is checking ports

Related topics