Django Set-Cookie header isn't being proxied

1. Caddy version (caddy version): v2.1.1 h1:X9k1+ehZPYYrSqBvf/ocUgdLSRIuiNiMo7CvyGUQKeA=

2. How I run Caddy:

terminal

a. System environment:

Manjaro Linux x64

b. Command:

sudo caddy run

d. My complete Caddyfile or JSON config:

{
  auto_https off
}

(theheaders) {
  header Host {host}
  header X-Forwarded-For {remote_host}
  header X-Forwarded-Proto {scheme}
  header X-Url-Scheme {scheme}
  header X-Forwarded-Host {host}
  header X-Real-IP {remote_host}
  header Referrer-Policy "same-origin"
  header X-XSS-Protection "1; mode=block"
  header Referrer-Policy no-referrer-when-downgrade
}


:80 {
  import theheaders
  encode gzip

  route /api* {
    reverse_proxy :8000
  }
  route /media* {
    reverse_proxy :8000
  }
  route /admin* {
    reverse_proxy :8000
  }
  route /static* {
    reverse_proxy :8000
  }
  reverse_proxy :3000
}

3. The problem I’m having:

The Django API, which is hosted on port :8000, has a Cookie-Set header that puts a cookie in the browser. The problem is, it only works if I directly visit the API, but when I make an AJAX request there isn’t any Cookie-... header. However, the headers defined in theheaders are present on localhost/... (any page that is handled by a (Next.js) app served on :3000):

If I visit the Django API directly, e.g. open it in the browser (http://localhost/api), I get the cookie set properly:

I suspect the issue is that I am doing the proxying wrong. Can I pipe headers from the API to /* somehow?

5. What I already tried:

I tried putting import theheaders in every route and adding header: +Set-Cookie to the theheaders config - neither of them helped.

6. Links to relevant resources:

You’re not putting this in the right place. The client doesn’t need to know about X-Forwarded-For and such, those are headers meant for services that are behind proxies.

Anyways, Caddy v2 automatically passes headers back from the proxied backend transparently. Something must be misconfigured on your Django backend such that it doesn’t send the headers on proxied requests.

You can add the debug global option to the top of your Caddyfile to reveal some extra log information about the communication between Caddy and Django:

Thanks for helping!

What exactly was the solution? I’m sure future readers would appreciate if you could elaborate what exactly you did to fix it.

The solution was forcing Django to send the Set-Cookie header for each request

and it worked :smiley:


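The header placement described in the reply, as an added example that is not the poster's or the Caddy project's own config: forwarding headers meant for the backends move into `header_up` inside `reverse_proxy`, and only browser-facing headers stay on the `header` directive. The snippet name `upstream_headers`, the matcher name `@django`, and the choice of which `Referrer-Policy` value to keep are assumptions made for this example.

```caddyfile
{
	auto_https off
	# Global option mentioned in the reply: extra logging of the
	# exchange between Caddy and the backends.
	debug
}

# Request headers for the services behind the proxy. header_up sets them
# on the upstream request, so they are never exposed to the browser.
# reverse_proxy already passes Host through and adds X-Forwarded-For.
(upstream_headers) {
	header_up X-Real-IP {remote_host}
	header_up X-Url-Scheme {scheme}
	header_up X-Forwarded-Proto {scheme}
	header_up X-Forwarded-Host {host}
}

:80 {
	encode gzip

	# Response headers for the browser. The original config set
	# Referrer-Policy twice with different values; one is kept here.
	header Referrer-Policy "same-origin"
	header X-XSS-Protection "1; mode=block"

	# Django paths (assumed matcher name); Set-Cookie and every other
	# backend response header are passed back to the client unchanged.
	@django path /api* /media* /admin* /static*
	route @django {
		reverse_proxy :8000 {
			import upstream_headers
		}
	}

	# Everything else goes to the Next.js app.
	reverse_proxy :3000 {
		import upstream_headers
	}
}
```

With this layout a missing `Set-Cookie` on an AJAX response points at the backend, since Caddy adds no response-header filtering of its own here.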