Django Set-Cookie header isn't being proxied

1. Caddy version (caddy version): v2.1.1 h1:X9k1+ehZPYYrSqBvf/ocUgdLSRIuiNiMo7CvyGUQKeA=

2. How I run Caddy:


a. System environment:

Manjaro Linux x64

b. Command:

sudo caddy run

d. My complete Caddyfile or JSON config:

  auto_https off

(theheaders) {
  header Host {host}
  header X-Forwarded-For {remote_host}
  header X-Forwarded-Proto {scheme}
  header X-Url-Scheme {scheme}
  header X-Forwarded-Host {host}
  header X-Real-IP {remote_host}
  header Referrer-Policy "same-origin"
  header X-XSS-Protection "1; mode=block"
  header Referrer-Policy no-referrer-when-downgrade

:80 {

 import theheaders
 encode gzip

  route /api* {
	  reverse_proxy :8000
  route /media* {
	  reverse_proxy :8000
  route /admin* {
	  reverse_proxy :8000
  route /static* {
	  reverse_proxy :8000
  reverse_proxy :3000

3. The problem I’m having:

Django API, that is hosted on :8000 port, has a Cookie-Set header that puts a cookie to browser. The problem is, it only works if I directly visit the API, but when I make an AJAX request there’s no any Cookie-... header. Although, headers defined in theheaders are present in the localhost/... (any page that is handled by a (Next.js) app served on :3000):

If I visit the Django API directly, e.g. open it in the browser (http://localhost/api), I get the cookie set properly:

I suspect there’s an issue in that I do proxying wrong. Can I pipe headers from api to the /* somehow?

5. What I already tried:

I tried putting import theheaders to every route, adding header: +Set-Cookie to theheaders config - none of them helped.

6. Links to relevant resources:

You’re not putting this in the right place. The client doesn’t need to know about X-Forwarded-For and such, those are headers meant for services that are behind proxies.

Anyways, Caddy v2 automatically passes headers back from the proxied backend transparently. Something must be misconfigured on your Django backend such that it doesn’t send the headers on proxied requests.

You can add the debug global option to the top of your Caddyfile to reveal some extra log information about the communication between Caddy and Django:

thanks for helping!

What exactly was the solution? I’m sure future readers would appreciate if you could elaborate what exactly you did to fix it.

the solution was forcing Django to send Set-Cookie header to each request

and it worked :smiley:

1 Like

This topic was automatically closed after 30 days. New replies are no longer allowed.