set HTTP_X_FORWARDED_PROTO in .env

This fixes #2397. The description in .env is whith a warning and a link to the official documentation about what this setting is doing if set to true.
2024-05-03 17:19:17 +00:00 · 2022-11-19 17:54:44 +01:00 · 2022-11-19 17:54:44 +01:00 · 238a1b0e88
parent c5fb710f29
commit 238a1b0e88
2 changed files with 10 additions and 0 deletions
--- a/.env.example
+++ b/.env.example
@ -108,3 +108,10 @@ OTEL_EXPORTER_OTLP_ENDPOINT=
 OTEL_EXPORTER_OTLP_HEADERS=
 # Service name to identify your app
 OTEL_SERVICE_NAME=
+
+# Set HTTP_X_FORWARDED_PROTO ONLY to true if you know what you are doing.
+# Only use it if your proxy is "swalloing" if the original request was made
+# via https. Please refer to the Django-Documentation and assess the risks
+# for your instance:
+# https://docs.djangoproject.com/en/3.2/ref/settings/#secure-proxy-ssl-header
+HTTP_X_FORWARDED_PROTO=false
--- a/bookwyrm/settings.py
+++ b/bookwyrm/settings.py
@ -364,3 +364,6 @@ OTEL_EXPORTER_OTLP_HEADERS = env("OTEL_EXPORTER_OTLP_HEADERS", None)
 OTEL_SERVICE_NAME = env("OTEL_SERVICE_NAME", None)

 TWO_FACTOR_LOGIN_MAX_SECONDS = 60
+
+if HTTP_X_FORWARDED_PROTO:
+    SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")