Question

我正在使用AWS和Django Rest Framework开发Web应用程序。（Django：v1.8，DRF：v3）对于POST多部分表单请求，我一直收到django.request: Forbidden (Referer checking failed - no Referer.)。

我正在使用AWS ELB（弹性负载均衡器），NGINX（我的ec2（在autoscailing组中）和Gunicorn。

AWS ELB侦听器设置如下所示（仅限HTTPS）：

elb https only listener setting

NGINX设置如下：

user  nginx;
worker_processes  auto;

error_log  /var/log/nginx/error.log;
pid        /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include         /etc/nginx/mime.types;
    default_type    application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;

    keepalive_timeout   65;
    types_hash_max_size 2048;

    include /etc/nginx/conf.d/*.conf;

    index   index.html index.htm;

    upstream my_server {
        server localhost:8000;
    }

    server {

        listen       80;
        server_name  <server name>;
        access_log   /etc/nginx/log/local-wc.access.log;
        error_log    /etc/nginx/log/local-wc.error.log;
        root /usr/share/nginx/html;

        location /api/v1 {
            proxy_pass          http://my_server/api/v1;
            proxy_redirect      off;
            proxy_set_header    Host            $host;
            proxy_set_header    X-Real-IP       $remote_addr;
            proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header    X-Forwarded-Protocol $scheme;
        }
    }
}

<server name>是指向elb DNS名称的CNAME。

换句话说，<server name> =＆gt; xxxx-123456789.us-west-2.elb.amazonaws.com（记录）。每个API调用都由https://<server name>/api/v1/*

进行

最后Gunicorn正在经营： gunicorn my_django_app.wsgi:application -w 1 -b 127.0.0.1:8000 -t 300 --max-requests=100

和Django设置是：

ALLOWED_HOSTS = ['*']
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')

MIDDLEWARE_CLASSES = (
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.security.SecurityMiddleware',
)

查看功能如下（具有CSRF豁免权）：

class UserViewSet(CsrfExemptMixin, mixins.CreateModelMixin,
              mixins.ListModelMixin,
              mixins.RetrieveModelMixin,
              mixins.UpdateModelMixin,
              viewsets.GenericViewSet):

    # already tried @csrf_exempt
    def create(self, request, *args, **kwargs):
        self.parser_classes = (FormParser, MultiPartParser, )
        .........

再次出现问题：

当我发送

curl -i -k -X POST -H "Accept: application/json" \
    -F "email=myemail@email.com" \
    -F "profile_img=@profile.jpg" \
    https://<server name>/api/v1/users/

在我的Django日志中：

[WARNING] django.request: Forbidden (Referer checking failed - no Referer.): /api/v1/users/

在HTTP上使用POST或在HTTPS上使用GET方法。

我想知道ELB配置是错误的还是Nginx配置错误的引用... 如果有人帮我解决这个问题，我将不胜感激。

Answer 1

我认为DRF忽略了csrf_exempt装饰器，我不确定CsrfExemptMixin的定义位置。您可以做的最简单的事情是将Referrer: yourhost添加到您的curl标题中。

django.request：Forbidden（Referer check failed - 没有Referer。）

1 个答案: