request.is_secure() is always False using the default nginx deploy
With the current nginx setup, Django has no way of knowing it's been called as https, and believes it's always responding to http. This caused trouble when I was using request.build_absolute_uri to generate callback URLs for OAuth.
The solution I found (and tested) is twofold:
- We need to tell nginx to pass the X-Forwarded-Proto header to Django:

    # /etc/nginx/snippets/debusine.conf
    location / {
        …
        proxy_set_header X-Forwarded-Proto $scheme;
    }

- We need to tell Django to use that header:

    # /etc/debusine/server/local.py
    SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')

If this makes sense, it should probably go in the default nginx configuration and in the setup guide. I'd like to set SECURE_PROXY_SSL_HEADER in the default settings, but I'm not sure if it becomes a security risk when deployed behind a server that isn't explicitly setting/overwriting it.
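
The interaction between the two settings above, and the case raised in the last sentence, can be checked with a small model. This is an added example, not code from the issue, Django or debusine: `scheme_seen_by_app`, `nginx_forward`, `callback_url` and the host `debusine.example` are hypothetical, and the scheme rule is a simplified stand-in for Django's documented `SECURE_PROXY_SSL_HEADER` behaviour.

```python
# Added example: simplified model, not Django's or debusine's own code.
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")


def scheme_seen_by_app(environ, proxy_ssl_header=None):
    """Trust the configured header when it is present; otherwise fall back
    to the scheme of the connection the application server itself saw."""
    if proxy_ssl_header is not None:
        name, secure_value = proxy_ssl_header
        value = environ.get(name)
        if value is not None:
            return "https" if value.strip() == secure_value else "http"
    return environ.get("wsgi.url_scheme", "http")


def nginx_forward(client_scheme, client_headers, overwrite_proto):
    """Model of nginx proxying to the app over plain HTTP.

    overwrite_proto=True corresponds to
    `proxy_set_header X-Forwarded-Proto $scheme;`. Without it, a
    client-supplied X-Forwarded-Proto header is passed through unchanged.
    """
    environ = {"wsgi.url_scheme": "http"}  # the nginx -> app hop is plain HTTP
    for header, value in client_headers.items():
        environ["HTTP_" + header.upper().replace("-", "_")] = value
    if overwrite_proto:
        environ["HTTP_X_FORWARDED_PROTO"] = client_scheme
    return environ


def callback_url(environ, proxy_ssl_header, host="debusine.example"):
    """Build an absolute callback URL the way the app would perceive it."""
    scheme = scheme_seen_by_app(environ, proxy_ssl_header)
    return f"{scheme}://{host}/oauth/callback/"


# Constructed request: a plain-HTTP client that sets the header itself.
CLIENT_SET_HEADER = {"X-Forwarded-Proto": "https"}

if __name__ == "__main__":
    for overwrite in (False, True):
        env = nginx_forward("http", CLIENT_SET_HEADER, overwrite)
        print(overwrite, callback_url(env, SECURE_PROXY_SSL_HEADER))
```

With the Django setting enabled but no proxy overwriting the header, the plain-HTTP request is reported as https; once the proxy sets the header from `$scheme`, the client-supplied value is discarded.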