
How to disable Django's CSRF protection behind a proxy

Developer https://www.devze.com 2023-02-07 02:26 Source: Web
I need to run a Django system (let's call it Alfred) behind a Proxy. Both are on the same network. As Proxy I use yuri vandermeer's django-httpproxy. (see his page yvandermeer.net)

Both systems are running Django version 1.2.4.

Both systems are in the same (closed) network and also on the same IP. I have the proxy running on port 8000 and Alfred on port 1337. I need to log on to Alfred using his /admin site, which comes by default with Django (and which I have enabled). This is working via port 1337, but I need to access it via port 8000.

When I try it, Alfred is throwing a 403 CSRF Error and telling me that I'm actually something like a man-in-the-middle (and Alfred is completely right when it's saying so).

I tried several things to disable Alfred's CSRF protection:

  1. I commented out the CsrfViewMiddleware in MIDDLEWARE_CLASSES in settings.py.
  2. I created a disable.py and added its DisableCSRF class to MIDDLEWARE_CLASSES (actually I tried each[!] position), as mentioned on this site (questions/1785772):

    # disable.py
    # Django 1.2 old-style middleware: a plain class. process_request hooks
    # run before any process_view hook, so the flag is already set by the
    # time CsrfViewMiddleware.process_view looks for it.
    class DisableCSRF(object):
        def process_request(self, request):
            setattr(request, '_dont_enforce_csrf_checks', True)

  3. I created a disable.py and added its DisableCSRF class to MIDDLEWARE_CLASSES (again I tried each position), as mentioned in this other post here: http://hi.baidu.com/ledzep2/blog/item/e6b1612e21884c5c4ec2267a.html

    # disable.py
    # Same flag, set from the process_view hook instead. process_view hooks
    # run in MIDDLEWARE_CLASSES order, so this class has to be listed before
    # CsrfViewMiddleware for the flag to be seen.
    class DisableCSRF(object):
        def process_view(self, request, callback, callback_args, callback_kwargs):
            setattr(request, '_dont_enforce_csrf_checks', True)

  4. I tried to comment out the CSRF protection mechanism in django/middleware/csrf.py, but I found the relevant part around line 190, not around line 160 as mentioned on this site: questions/1650941/

None of the things mentioned worked. I always get a 403 Error when I try to log on via /admin.

How can I disable the CSRF protection on Alfred? Is it possible to just disable it for /admin? I'd prefer if I could do this by a middleware as mentioned in 2. and 3. and not by commenting something out in the source as in 4. If there is a middleware way, that would be great.

Thanks in advance! :)


You can use the @csrf_exempt decorator on the view functions to disable CSRF for that view.
See the documentation.
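As an added example (mine, not code from the question, the answer, or django-httpproxy), here is the middleware route from points 2 and 3 of the question scoped to the /admin prefix instead of every request: it uses the Django 1.2 old-style middleware hooks and the `_dont_enforce_csrf_checks` flag that `CsrfViewMiddleware` reads, and logs every skipped check so the exemptions show up in the server log. It assumes the class is listed before `CsrfViewMiddleware` in `MIDDLEWARE_CLASSES`, and the `FakeRequest` class is a constructed stand-in for `HttpRequest` so the example runs without Django installed.

```python
import logging

log = logging.getLogger(__name__)

# Constructed for this example: only paths under these prefixes skip the
# CSRF check. Keep the list minimal; every prefix here accepts forged POSTs.
CSRF_EXEMPT_PREFIXES = ("/admin/",)


class ScopedDisableCSRF(object):
    """Django 1.2-style middleware (plain class, old hook names).

    Unlike the DisableCSRF class in the question, which flags every request,
    this sets _dont_enforce_csrf_checks only under CSRF_EXEMPT_PREFIXES and
    logs each skipped check. List it before CsrfViewMiddleware in
    MIDDLEWARE_CLASSES: both use process_view, and hooks run in list order.
    """

    def __init__(self, prefixes=CSRF_EXEMPT_PREFIXES):
        self.prefixes = tuple(prefixes)

    def is_exempt(self, path):
        return any(path.startswith(p) for p in self.prefixes)

    def process_view(self, request, callback, callback_args, callback_kwargs):
        if self.is_exempt(request.path):
            # The flag that CsrfViewMiddleware.process_view reads in Django 1.2.
            request._dont_enforce_csrf_checks = True
            log.warning("CSRF check skipped for %s %s",
                        request.method, request.path)
        return None  # fall through to the view


class FakeRequest(object):
    """Constructed stand-in for django.http.HttpRequest, carrying only what
    the middleware reads, so the example runs without Django installed."""

    def __init__(self, path, method="POST"):
        self.path = path
        self.method = method


def check_skipped(path, prefixes=CSRF_EXEMPT_PREFIXES):
    """Run the hook on a fake request; True means the CSRF check is skipped."""
    req = FakeRequest(path)
    ScopedDisableCSRF(prefixes).process_view(req, None, (), {})
    return getattr(req, "_dont_enforce_csrf_checks", False)
```

Because the match is a strict path prefix, `/administrator/` is not exempted by `/admin/`, and the warning line gives you a per-request record of exactly where the check was bypassed.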


The fault was all on my side. By checking the server logs I realized that it was not Alfred throwing the error but the Proxy (django-httpproxy). Probably because both servers are running on localhost, and I'm sending my requests from localhost as well. I disabled CSRF for both, Proxy and Alfred. With this setup I don't get any 403 Errors anymore.

Unfortunately, django-httpproxy loses cookies, so I can't log in because of that.

Lesson learned: don't use django-httpproxy as reverse proxy.
