From b4c6748837d769cc90ceb27d6a7f38815cf6dc14 Mon Sep 17 00:00:00 2001
From: Sunil Mohan Adapa
Date: Sun, 8 Mar 2026 14:53:34 -0700
Subject: [PATCH] apache: Minor improvement to getting the request host
- Django's request.get_host() use X_FORWARDED_HOST when appropriate and falls back to HTTP_HOST. In case of FreedomBox due to 'ProxyPreserveHost On' in Apache configuration, both the values are the same. So, it makes no difference.
- Also document the need for 'ProxyPreserveHost On' in another validation.
Tests:
- Log the value of request_host, request.META['HTTP_HOST'], and request.META['X_FORWARDED_HOST'] in DiscoverIDPView:get(). All the values are same when accessing with IP address value not starting with 127.0.0.1.
Signed-off-by: Sunil Mohan Adapa
Reviewed-by: James Valleroy
---
 plinth/modules/apache/views.py | 2 +-
 plinth/modules/oidc/validators.py | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/plinth/modules/apache/views.py b/plinth/modules/apache/views.py
index 1a65925b9..bc46f9b1b 100644
--- a/plinth/modules/apache/views.py
+++ b/plinth/modules/apache/views.py
@@ -39,7 +39,7 @@ class DiscoverIDPView(View):
 return HttpResponseBadRequest(f'Cannot handle "{method}" method')
 oidc_callback_parts = urlparse(oidc_callback)
- request_host = request.META['HTTP_HOST']
+ request_host = request.get_host()
 if request_host != oidc_callback_parts.netloc:
 return HttpResponseBadRequest(
 f'Cannot redirect from {request_host} to a different host '
diff --git a/plinth/modules/oidc/validators.py b/plinth/modules/oidc/validators.py
index 0003539c4..3ef3900a1 100644
--- a/plinth/modules/oidc/validators.py
+++ b/plinth/modules/oidc/validators.py
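Review bot: In plinth/modules/apache/views.py, the new `request_host = request.get_host()` makes this same-host redirect check depend on Django settings the hunk does not show. get_host() consults X-Forwarded-Host only when `USE_X_FORWARDED_HOST` is enabled, and it raises `DisallowedHost` when the value fails `ALLOWED_HOSTS` validation. I would record that trust assumption next to the call, for example `# get_host() is validated against ALLOWED_HOSTS and honours X-Forwarded-Host only if USE_X_FORWARDED_HOST is set; relies on 'ProxyPreserveHost On' in Apache`. The comparison remains an exact string match against `oidc_callback_parts.netloc`, which also carries any port or userinfo from the callback URL, so it fails closed on a mismatch; comparing `hostname` and `port` separately would make that intent explicit. The view method's body starts and ends outside this hunk.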
@@ -81,6 +81,8 @@ def _validate_local_domains_and_ips(redirect_uri, request,
 Scheme is not checked. Changing IP address during OpenID Connect flow is not allowed.
 """
+ # Requires 'ProxyPreserveHost On' in Apache2 configuration for proxying
+ # requests to FreedomBox service.
 request_host = request.headers.get('HTTP_HOST')
 parsed_redirect_uri = urllib.parse.urlparse(redirect_uri)
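Review bot: The line the new comment documents, `request_host = request.headers.get('HTTP_HOST')`, looks up a WSGI META key in `request.headers`, which as far as I know is keyed by header name (`Host`), so this lookup probably returns `None` rather than the request host. The sibling check in plinth/modules/apache/views.py was moved to `request.get_host()` in this same commit; using `request_host = request.get_host()` here would keep the two host validations consistent and add the `ALLOWED_HOSTS` check. If the current lookup is intentional, the comment should say which header it is meant to read. The rest of `_validate_local_domains_and_ips` lies outside the hunk, so how a `None` host is handled cannot be judged from here.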