* Align Origin and Host header * Before this change the Host: header was runserver. Seems to be set by nginx upstream flow. * After this change we explicitly set the Host: header * More about CSRF checks ... CSRF checks that Origin == Host. Think about how the browser works. <browser goes to awx.com> "I'm executing javascript that I downloaded from awx.com (ORIGIN) and I'm making an XHR POST request to awx.com (HOST)" Server verifies; Host: header == Origin: header; OK! vs. the malicious case. <hacker injects javascript code into google.com> <browser goes to google.com> "I'm executing javascript that I downloaded from google.com (ORIGIN) and I'm making an XHR POST request to awx.com (HOST)" Server verifies; Host: header != Origin: header; NOT OK! * Update awx/settings/development.py --------- Co-authored-by: Hao Liu <44379968+TheRealHaoLiu@users.noreply.github.com>
51 lines
1.8 KiB
Django/Jinja
location {{ (ingress_path + '/static').replace('//', '/') }} {
|
|
alias /var/lib/awx/public/static/;
|
|
}
|
|
|
|
location {{ (ingress_path + '/locales').replace('//', '/') }} {
|
|
alias /var/lib/awx/public/static/awx/locales;
|
|
}
|
|
|
|
location {{ (ingress_path + '/favicon.ico').replace('//', '/') }} {
|
|
alias /awx_devel/awx/public/static/favicon.ico;
|
|
}
|
|
|
|
location ~ ^({{ (ingress_path + '/websocket/').replace('//', '/') }}|{{ (ingress_path + '/api/websocket/').replace('//', '/') }}) {
|
|
# Pass request to the upstream alias
|
|
proxy_pass http://daphne;
|
|
# Require http version 1.1 to allow for upgrade requests
|
|
proxy_http_version 1.1;
|
|
# We want proxy_buffering off for proxying to websockets.
|
|
proxy_buffering off;
|
|
# http://en.wikipedia.org/wiki/X-Forwarded-For
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
# enable this if you use HTTPS:
|
|
proxy_set_header X-Forwarded-Proto https;
|
|
# pass the Host: header from the client for the sake of redirects
|
|
proxy_set_header Host $http_host;
|
|
# We've set the Host header, so we don't need Nginx to muddle
|
|
# about with redirects
|
|
proxy_redirect off;
|
|
# Depending on the request value, set the Upgrade and
|
|
# connection headers
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection $connection_upgrade;
|
|
}
|
|
|
|
location {{ ingress_path }} {
|
|
# Add trailing / if missing
|
|
rewrite ^(.*)$http_host(.*[^/])$ $1$http_host$2/ permanent;
|
|
uwsgi_read_timeout 120s;
|
|
uwsgi_pass uwsgi;
|
|
include /etc/nginx/uwsgi_params;
|
|
error_page 502 = @fallback;
|
|
}
|
|
|
|
# Enable scenario where we shutdown uwsgi and launching runserver for debugging purposes
|
|
location @fallback {
|
|
# Add trailing / if missing
|
|
rewrite ^(.*)$http_host(.*[^/])$ $1$http_host$2/ permanent;
|
|
proxy_pass http://runserver;
|
|
proxy_set_header Host $http_host;
|
|
}
|
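Review bot: The `@fallback` location at the end of the file now passes the client's Host header to runserver but, unlike the websocket block above it, forwards neither X-Forwarded-Proto nor X-Forwarded-For, so when TLS is terminated at nginx Django still sees a plain-http request and an Origin-versus-host comparison that includes the scheme can fail even though Host now matches; redirects built from the request scheme are affected the same way. Adding `proxy_set_header X-Forwarded-Proto $scheme;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` next to the Host line, plus `proxy_redirect off;` as the websocket block does, keeps the two proxy paths consistent. Whether the development settings already compensate for this (for example via a proxy-SSL header setting) is not visible on this page, so confirm before relying on it.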