CSRF verification fails when using https before reverse proxy, but not after

[DrMaxNix]

When using a reverse proxy, which forwards https requests via http, I get CSRF verification failed. Request aborted. I have allowed hosts set to wildcard (allowed_host1 = *). When I set it explicitly to the domain I'm using, it works.

For some reason, adding SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https") to settings.py also fixed the issue. I guess this is because from django's perspective, the request is made via http, but the Origin/Referer headers use a https:// scheme, so they are not the same.

As adding the SECURE_PROXY_SSL_HEADER option by default adds insecurities for people without a reverse proxy, I suggest adding an etebase-server.ini option for it. Also weirdly enough, I didn't have this problem before, with the same reverse proxy setup, but when running without docker. Feel free to suggest what I could possibly have done wrong..

[tasn]

This is exactly it, http and https are not the same address, and so it doesn't treat it the same. You need both/either.

You can also override the host header in the revere proxy to strip the https if you don't want it.

[DrMaxNix]

But what I don't understand is why it worked in my old setup, and also the settings.py should add both http and https as trusted origins: https://github.com/etesync/server/blob/6ac54121048e104437eec861f142e7dc1bebf7eb/etebase_server/settings.py#L167-L168

This part works for specific domains, but not for wildcards..? For wildcards it should generate this list:

["https://*", "http://*"]

According to django docs, this should be fine..?