• Vladimir Mencl's avatar
    Use secure URLs when already using SSL · 2c10a316
    Vladimir Mencl authored
    Django constructs redirect URLs as https only if request.is_secure() is true.
    
    And that evaluates to true if either uwsgi sets wsgi.url_scheme to https, or
    if the request header contains a key + value configured as a tuple in
    settings.SECURE_PROXY_SSL_HEADER
    
    As some parts might be accessed over plain http and some over https (if Apache
    exposes both ports), the easiest is to:
    
    * Use the conventional header:
    
            X-Forwarded-SSL: on
    
    * Set this header from Apache SSL VirtualHost
    
    * Configure Django to check for this header with:
    
            SECURE_PROXY_SSL_HEADER = ('X-Forwarded-SSL', 'on')
    
    As this is an essential security setting that shouldn't need additional tweaks,
    adding the setting to settings.py (and not local_settings.py).
    
    Without this fix, the login form at /admin/ would upon successful login
    redirect to plain http, even when accessed over https.
    2c10a316
install.md 14 KB