@gilangvperdana
Created July 14, 2022 17:40
Reverse Django apps with CSRF Enabled on another Domain

Reverse Django Apps with CSRF Enabled and Different Domain

If your Django app runs on a local domain (https://public.public.id) and you want clients to reach it through another domain (https://public.public.domain.id), you can use this technique:

Nginx config on your first hop

server {
    listen 80;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name public.public.id;
    ssl_certificate /etc/letsencrypt/live/public.public.id/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/public.public.id/privkey.pem;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Referer "https://public.public.id";
        proxy_pass https://10.24.11.100;
        proxy_set_header Host public.public.id;
    }
}

Nginx config on your second hop (on the VPS)

server {
    listen 80;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name www.public.public.bignetlab.com public.public.bignetlab.com;
    ssl_certificate /etc/letsencrypt/live/public.public.bignetlab.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/public.public.bignetlab.com/privkey.pem;

    location / {
        proxy_set_header Referer "https://10.8.0.24";
        proxy_pass https://10.8.0.24;
        proxy_set_header Host public.public.id;
        proxy_redirect https://public.public.id https://public.public.bignetlab.com;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass_header Set-Cookie;
    }
}

Access

Then you can reach https://public.public.id through https://public.public.domain.id, with the CSRF check bypassed.
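Rewriting Referer at the proxy makes every request look same-origin to Django, so its CSRF origin check can no longer tell the public domain apart from any other site. As an added example (not part of the gist), the Django-side alternative is to forward the browser's real headers and name the public origin in CSRF_TRUSTED_ORIGINS; the hostnames come from the gist, the settings values and the simplified check below are assumptions modelled on Django 4.x's CsrfViewMiddleware, not Django's own code.

```python
# Added example, not from the gist: Django settings for the second-domain
# proxy, plus a simplified model of Django's Origin check to show which
# origins it accepts once the public domain is trusted.
from urllib.parse import urlparse

# settings.py fragment (assumed; Django 4.x requires the scheme in each origin)
ALLOWED_HOSTS = ["public.public.id", "public.public.bignetlab.com"]
CSRF_TRUSTED_ORIGINS = [
    "https://public.public.id",
    "https://public.public.bignetlab.com",
    "https://*.public.bignetlab.com",  # covers the www. name from server_name
]
# Lets Django treat the request as HTTPS when nginx sends
# `proxy_set_header X-Forwarded-Proto $scheme;` instead of a forged Referer.
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")


def _same_domain(host: str, pattern: str) -> bool:
    """Exact match, or suffix match when the pattern starts with a dot."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("."):
        return host.endswith(pattern) or host == pattern[1:]
    return host == pattern


def origin_allowed(request_origin: str, request_host: str, secure: bool = True) -> bool:
    """Simplified model of the Origin check in Django's CsrfViewMiddleware.

    Passes if the origin equals the request's own scheme://host, or matches a
    CSRF_TRUSTED_ORIGINS entry exactly or through a '*.' wildcard.
    """
    scheme = "https" if secure else "http"
    if request_origin == f"{scheme}://{request_host}":
        return True
    exact = {o for o in CSRF_TRUSTED_ORIGINS if "*" not in urlparse(o).netloc}
    if request_origin in exact:
        return True
    parsed = urlparse(request_origin)
    wildcards = [
        urlparse(o).netloc[1:]  # "*.example.com" -> ".example.com"
        for o in CSRF_TRUSTED_ORIGINS
        if urlparse(o).scheme == parsed.scheme and urlparse(o).netloc.startswith("*")
    ]
    return any(_same_domain(parsed.netloc, w) for w in wildcards)


if __name__ == "__main__":
    # Browser POST arriving via the VPS hop carries the public domain as Origin.
    print(origin_allowed("https://public.public.bignetlab.com", "public.public.id"))  # True
    # A form post from an unrelated site is still rejected.
    print(origin_allowed("https://third-party.example", "public.public.id"))  # False
```

With this in place the second hop can pass `Host $host` and `X-Forwarded-Proto $scheme` and leave Referer and Origin untouched, so the CSRF check stays meaningful for cross-site requests.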
