
CSRF errors in Django Fargate Docker when using HTTPS Application Load Balancer

I have implemented a Django web app on AWS Fargate using Docker behind Application Load Balancers.

When I try to log in to the web app I get the following:

Error 403 CSRF verification failed. Request aborted.

Environment: I am using Application Load Balancer (ALB) as per the best practices of AWS. The ALB also has a TLS certificate to properly handle HTTPS when I run multiple instances of the web app.

I tried to resolve the issue by forcing stickiness of the ALB targets, assuming that the Round-Robin lands the requests on different servers. I also reduced the number of Docker instances to one (so there is no Round-Robin).

None of this made any difference.

The only times I managed to log in (to get CSRF to work well) were when I connected directly to a Docker instance (no Load Balancer) and when I used only HTTP on the Application Load Balancer, disabling the redirect to HTTPS. This leads me to believe that the issue is between the HTTPS part of the load balancer and the Django web app.

Disabling HTTPS is not production ready, so I am back at square one. I saw a similar question posted here, without answers: django posts receive CSRF verification failed after switching to load balancer

After placing a debug on the live system as a temporary measure, the underlying issue became clear:

Referer checking failed - https://test.domain.tld/path/ does not match any trusted origins.

The solution is through the CSRF_TRUSTED_ORIGINS setting in Django. A quote from the Django documentation:

    CSRF_TRUSTED_ORIGINS
    Default: [] (Empty list)

    A list of hosts which are trusted origins for unsafe requests (e.g. POST).
    For a secure unsafe request, Django's CSRF protection requires that the request have a Referer header that matches the origin present in the Host header.
    This prevents, for example, a POST request from subdomain.example.com from succeeding against api.example.com.
    If you need cross-origin unsafe requests over HTTPS, continuing the example, add "subdomain.example.com" to this list.
    The setting also supports subdomains, so you could add ".example.com", for example, to allow access from all subdomains of example.com.

A similar discussion and solution can be found in this thread: CSRF validation does not work on Django using HTTPS
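To make the failing check concrete, here is a simplified model of the Referer check Django applies to unsafe requests over HTTPS, written for this page and not taken from Django or from the original post. It assumes, for illustration, that the Host header Django sees inside the container (called `internal-host` below, a constructed name) differs from the public name in the Referer, which is one way the error quoted above can arise.

```python
"""Illustrative model of the HTTPS Referer check in Django's CsrfViewMiddleware.
This is example code for this page, not Django's implementation. It shows why
https://test.domain.tld/path/ is rejected with the default empty
CSRF_TRUSTED_ORIGINS and accepted once the domain is listed."""
from typing import Iterable, Tuple
from urllib.parse import urlparse


def is_same_domain(host: str, pattern: str) -> bool:
    """Match a hostname against an entry; a leading dot matches the domain
    itself and all of its subdomains, as the quoted documentation describes."""
    if not pattern:
        return False
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("."):
        return host.endswith(pattern) or host == pattern[1:]
    return host == pattern


def referer_is_trusted(referer: str, request_host: str,
                       trusted_origins: Iterable[str] = ()) -> Tuple[bool, str]:
    """Return (allowed, reason) for an unsafe request received over HTTPS.
    `referer` is the Referer header; `request_host` is the Host header Django
    sees; `trusted_origins` plays the role of CSRF_TRUSTED_ORIGINS (host-only
    entries as in the quoted docs; Django 4.0+ requires a scheme, e.g.
    "https://test.domain.tld")."""
    if not referer:
        return False, "Referer checking failed - no Referer."
    parsed = urlparse(referer)
    # A secure request must carry an https Referer with a host part.
    if parsed.scheme != "https" or not parsed.netloc:
        return False, f"Referer checking failed - {referer} is insecure or malformed."
    # The request's own Host is always an acceptable origin, plus the configured list.
    good_hosts = list(trusted_origins) + [request_host]
    if any(is_same_domain(parsed.netloc, h) for h in good_hosts):
        return True, "ok"
    return False, f"Referer checking failed - {referer} does not match any trusted origins."


if __name__ == "__main__":
    ref = "https://test.domain.tld/path/"  # the Referer from the page's error message
    print(referer_is_trusted(ref, "internal-host"))                    # rejected: default []
    print(referer_is_trusted(ref, "internal-host", [".domain.tld"]))   # accepted: subdomain entry
```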
