DarrenOfficial / dpaste

The Django project driving dpaste.org
https://dpaste.org
MIT License
532 stars, 123 forks

disable csrf in dpaste #214

Closed datta90 closed 2 years ago

datta90 commented 2 years ago

I am using the dpaste Docker image, but once I try to generate any link for my text it always shows a CSRF protection issue. Can anyone help with how to disable this feature?

DarrenOfficial commented 2 years ago

In your settings add,

CSRF_COOKIE_SECURE = False

datta90 commented 2 years ago

thanks

Kevin-Mok commented 4 months ago

I added CSRF_COOKIE_SECURE = False to dpaste/apps.py like so, rebuilt and ran the image, but am still getting:

Forbidden (403)
CSRF verification failed. Request aborted.
More information is available with DEBUG=True.

You can check my instance here.

DarrenOfficial commented 4 months ago

The changes should be done to local.py: https://github.com/DarrenOfficial/dpaste/blob/master/dpaste/settings/local.py.example

Kevin-Mok commented 4 months ago

I added CSRF_COOKIE_SECURE = False to my local.py, rebuilt and ran the image and am still getting the 403 error. The local.py also has DEBUG = True, and I can see this in my instance when the 403 error occurs because it shows the debug information. So, it took my custom local.py, but the CSRF disabling still doesn't work?

Edit: So, it works without https. I suppose this is intended and the way it works?

DarrenOfficial commented 4 months ago

I've responded to your email 🙂

> Edit: So, it works without https. I suppose this is intended and the way it works?

Definitely not

-- From email:

Could you show me your docker configuration / docker compose file?

Additionally, are you using a proxy server (i.e. NGINX, Apache, Traefik, Caddy, etc.)? If so, could you send the configuration of that as well; the error might be because of a misconfigured proxy.

Kevin-Mok commented 4 months ago

> Edit: So, it works without https. I suppose this is intended and the way it works?

What I meant was it would work without https, not that it should be run without. :sweat_smile:

> Could you show me your docker configuration / docker compose file?

I didn't touch the original Docker files. But, the command I'm using to run the Docker container is: docker run --rm -p 8001:8000 -e --detach dpaste:csrf.

> Additionally, are you using a proxy server?

I'm using NGINX. In /etc/nginx/sites-available/mnpd.conf:

server {
    server_name mnpd.khkm.dev www.mnpd.khkm.dev;
    server_tokens off;
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    location / {
        proxy_pass http://0.0.0.0:8001;
        proxy_buffering off;
        proxy_set_header Host $host;
        # the backslash before $remote_addr was a shell-escaping artifact; nginx needs the bare variable
        proxy_set_header X-Real-IP $remote_addr;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/mnpd.khkm.dev/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mnpd.khkm.dev/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = mnpd.khkm.dev) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;
    server_name mnpd.khkm.dev www.mnpd.khkm.dev;
    return 404; # managed by Certbot
}

DarrenOfficial commented 4 months ago

I see, try this reverse proxy config; this is what dpaste uses in prod.

location ^~ /
{
    proxy_pass http://127.0.0.1:8001;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header REMOTE-HOST $remote_addr;

    #Persistent connection related configuration - Optional dpaste.org has it enabled.
    #add_header Access-Control-Allow-Origin *;

}
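The symptom in this thread (the paste works over plain HTTP but returns "CSRF verification failed" once it sits behind a TLS-terminating nginx) comes from Django's Origin check on unsafe requests, not from the CSRF cookie flag: the browser sends `Origin: https://host`, while an app that only receives `Host` and `X-Real-IP` from the proxy believes it was reached over `http://host`, so the two never match. The following is an added example, not code from the thread or from the dpaste project, that models that decision in plain Python so it can be run offline. The `Settings` class, the hostname `paste.example.org` and the request headers are all constructed for the example; the setting names mirror Django's `SECURE_PROXY_SSL_HEADER` and `CSRF_TRUSTED_ORIGINS`, but the logic is a deliberately simplified stand-in for the real middleware.

```python
# Added example: simplified model of Django's CSRF Origin check behind a
# TLS-terminating reverse proxy. NOT Django's code and NOT part of dpaste.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Settings:
    # Constructed stand-in for the relevant Django settings.
    # e.g. ("HTTP_X_FORWARDED_PROTO", "https") mirrors SECURE_PROXY_SSL_HEADER
    secure_proxy_ssl_header: Optional[Tuple[str, str]] = None
    # mirrors CSRF_TRUSTED_ORIGINS (exact origins only in this model)
    csrf_trusted_origins: List[str] = field(default_factory=list)


def request_scheme(headers: Dict[str, str], settings: Settings,
                   wire_scheme: str = "http") -> str:
    """Scheme the application believes the client used.

    Behind a TLS-terminating proxy the app-facing socket is plain HTTP, so the
    app only learns about HTTPS if the proxy forwards it in a header AND the
    app is configured to trust exactly that header and value.
    """
    if settings.secure_proxy_ssl_header:
        name, value = settings.secure_proxy_ssl_header
        if headers.get(name) == value:
            return "https"
    return wire_scheme


def csrf_origin_check(headers: Dict[str, str], settings: Settings) -> Tuple[bool, str]:
    """Decide whether the request's Origin is acceptable.

    Returns (allowed, reason). The real middleware additionally validates the
    CSRF token itself; that part is omitted because it is not what fails here.
    """
    origin = headers.get("HTTP_ORIGIN")
    host = headers.get("HTTP_HOST")
    if origin is None or host is None:
        return False, "missing Origin or Host header"
    # The "good" origin is the scheme and host the app thinks it is serving.
    expected = "%s://%s" % (request_scheme(headers, settings), host)
    if origin == expected:
        return True, "origin matches request scheme and host"
    if origin in settings.csrf_trusted_origins:
        return True, "origin listed in trusted origins"
    return False, "Origin checking failed - %s does not match %s" % (origin, expected)


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenario: one browser POST to https://paste.example.org,
    as seen by the app under three proxy/app configurations."""
    browser_headers = {
        "HTTP_HOST": "paste.example.org",          # placeholder host
        "HTTP_ORIGIN": "https://paste.example.org",
    }
    # 1. Proxy forwards only Host and X-Real-IP; app has no trusted proto header.
    no_proto = Settings()
    # 2. Proxy also sets X-Forwarded-Proto: https and the app trusts it.
    forwarded = dict(browser_headers, HTTP_X_FORWARDED_PROTO="https")
    trusting = Settings(secure_proxy_ssl_header=("HTTP_X_FORWARDED_PROTO", "https"))
    # 3. App lists its public origin explicitly instead of trusting a header.
    listed = Settings(csrf_trusted_origins=["https://paste.example.org"])
    return {
        "no_proto_header": csrf_origin_check(browser_headers, no_proto),
        "x_forwarded_proto": csrf_origin_check(forwarded, trusting),
        "trusted_origins": csrf_origin_check(browser_headers, listed),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print("%-18s %s  (%s)" % (name, "allowed" if ok else "403", why))
```

Scenario 1 reproduces the 403 from the thread, and it does so regardless of `CSRF_COOKIE_SECURE`, because the browser is talking HTTPS to nginx and still sends the cookie; the mismatch is purely between the `Origin` header and the scheme the app infers. Scenarios 2 and 3 show the two defender-side fixes: have the proxy send `X-Forwarded-Proto` (in nginx, `proxy_set_header X-Forwarded-Proto $scheme;`) and trust it in the app, or list the public origin in the trusted-origins setting. If you take the first route, the proxy must always overwrite that header rather than pass a client-supplied value through, since the app treats it as proof that the client connection was HTTPS.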