
CSRF verification fails when using https before reverse proxy, but not after #186

Open
DrMaxNix opened this issue Sep 3, 2024 · 2 comments

Comments

@DrMaxNix

DrMaxNix commented Sep 3, 2024

When using a reverse proxy, which forwards https requests via http, I get CSRF verification failed. Request aborted.
I have allowed hosts set to wildcard (allowed_host1 = *). When I set it explicitly to the domain I'm using, it works.

For some reason, adding SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https") to settings.py also fixed the issue.
I guess this is because from django's perspective, the request is made via http, but the Origin/Referer headers use a https:// scheme, so they are not the same.

As adding the SECURE_PROXY_SSL_HEADER option by default adds insecurities for people without a reverse proxy, I suggest adding an etebase-server.ini option for it.
Also weirdly enough, I didn't have this problem before, with the same reverse proxy setup, but when running without Docker. Feel free to suggest what I could possibly have done wrong.

@tasn
Member

tasn commented Sep 3, 2024

This is exactly it, http and https are not the same address, and so it doesn't treat it the same. You need both/either.

You can also override the host header in the reverse proxy to strip the https if you don't want it.

@DrMaxNix
Author

DrMaxNix commented Sep 3, 2024

But what I don't understand is why it worked in my old setup, and also the settings.py should add both http and https as trusted origins:

```python
CSRF_TRUSTED_ORIGINS = ["https://" + y for x, y in config.items("allowed_hosts")] + \
    ["http://" + y for x, y in config.items("allowed_hosts")]
```

This part works for specific domains, but not for wildcards?
For wildcards it should generate this list:

["https://*", "http://*"]

According to django docs, this should be fine?
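To make the three observations in this thread reproducible offline, here is a simplified re-implementation of Django's `CsrfViewMiddleware` Origin check (an added example, not Etebase or Django code). The host `example.com` and the request scenarios are constructed; `is_same_domain` mirrors `django.utils.http.is_same_domain`, whose empty-pattern rule is what a bare `https://*` entry turns into once the `*` is stripped.

```python
from collections import defaultdict
from urllib.parse import urlparse


def is_same_domain(host, pattern):
    # Mirrors django.utils.http.is_same_domain: an empty pattern never matches,
    # and "https://*" becomes an empty pattern after lstrip("*") below.
    if not pattern:
        return False
    pattern = pattern.lower()
    return (pattern[0] == "." and (host.endswith(pattern) or host == pattern[1:])
            or pattern == host)


def trusted_origins_from_allowed_hosts(allowed_hosts):
    # Same expansion as the settings.py comprehension quoted in the thread.
    return ["https://" + h for h in allowed_hosts] + ["http://" + h for h in allowed_hosts]


def origin_verified(origin, host, proxy_says_https, trust_proxy_header, trusted_origins):
    """Simplified model of CsrfViewMiddleware._origin_verified (constructed)."""
    # request.is_secure() is only True for a proxied plain-http request when
    # SECURE_PROXY_SSL_HEADER is configured and the proxy actually sent the header.
    is_secure = trust_proxy_header and proxy_says_https
    good_origin = ("https" if is_secure else "http") + "://" + host
    if origin == good_origin:
        return True
    if origin in {o for o in trusted_origins if "*" not in o}:
        return True
    subdomains = defaultdict(list)
    for parsed in (urlparse(o) for o in trusted_origins if "*" in o):
        subdomains[parsed.scheme].append(parsed.netloc.lstrip("*"))
    parsed = urlparse(origin)
    return any(is_same_domain(parsed.netloc, p) for p in subdomains.get(parsed.scheme, ()))


# Constructed scenario: TLS terminates at the reverse proxy, which forwards plain http,
# while the browser sends Origin: https://example.com.
ORIGIN, HOST = "https://example.com", "example.com"

def explicit_host_behind_proxy():          # allowed_host1 = example.com -> passes
    return origin_verified(ORIGIN, HOST, True, False, trusted_origins_from_allowed_hosts(["example.com"]))

def wildcard_behind_proxy():               # allowed_host1 = * -> fails
    return origin_verified(ORIGIN, HOST, True, False, trusted_origins_from_allowed_hosts(["*"]))

def wildcard_with_secure_proxy_ssl_header():  # same, plus SECURE_PROXY_SSL_HEADER -> passes
    return origin_verified(ORIGIN, HOST, True, True, trusted_origins_from_allowed_hosts(["*"]))

def subdomain_wildcard_behind_proxy():     # the wildcard form Django does support
    return origin_verified("https://app.example.com", "app.example.com", True, False, ["https://*.example.com"])
```

Run the four functions to see which configurations pass: the explicit host matches as an exact trusted origin regardless of the proxy's scheme, the bare wildcard only passes once the middleware learns from the proxy header that the request was secure, and a `https://*.example.com` entry is the wildcard form the subdomain matcher is built for.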
