Commit 2c10a316 authored by Committed by Zenon Mousmoulas
Use secure URLs when already using SSL
Django constructs redirect URLs as https only if request.is_secure() is true. And that evaluates to true if either uwsgi sets wsgi.url_scheme to https, or if the request header contains a key + value configured as a tuple in settings.SECURE_PROXY_SSL_HEADER.

As some parts might be accessed over plain http and some over https (if Apache exposes both ports), the easiest is to:

* Use the conventional header: X-Forwarded-SSL: on
* Set this header from Apache SSL VirtualHost
* Configure Django to check for this header with: SECURE_PROXY_SSL_HEADER = ('X-Forwarded-SSL', 'on')

As this is an essential security setting that shouldn't need additional tweaks, adding the setting to settings.py (and not local_settings.py).

Without this fix, the login form at /admin/ would upon successful login redirect to plain http, even when accessed over https.
Showing with 5 additions and 0 deletions
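An added example, not part of this commit or the project's code: a simplified pure-Python model of the scheme decision the commit message describes, with a constructed stand-in for the Apache front end, showing why the plain-HTTP VirtualHost should unset X-Forwarded-SSL while the SSL VirtualHost sets it. The host example.org, the helper names and the plain proxy-to-backend hop are assumptions; the setting key is written in the request.META form (HTTP_X_FORWARDED_SSL) that Django uses for the lookup.

```python
# Simplified model of the scheme decision; not Django's or the project's code.
# Django looks the header up in request.META, hence the HTTP_... key form.
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_SSL", "on")
META_KEY = SECURE_PROXY_SSL_HEADER[0]


def meta_key(header_name):
    """Map an HTTP header name to the key a WSGI server puts in environ."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def is_secure(environ, proxy_header=SECURE_PROXY_SSL_HEADER):
    """Trust the configured proxy header if present, else wsgi.url_scheme."""
    if proxy_header:
        key, secure_value = proxy_header
        value = environ.get(key)
        if value is not None:
            return value.strip() == secure_value
    return environ.get("wsgi.url_scheme", "http") == "https"


def front_end(ssl_vhost, client_headers, unset_on_plain=True):
    """Constructed stand-in for Apache: build the environ the backend sees."""
    environ = {"wsgi.url_scheme": "http"}  # assumed: proxy-to-backend hop is plain
    environ.update({meta_key(k): v for k, v in client_headers.items()})
    if ssl_vhost:
        environ[META_KEY] = "on"          # SSL VirtualHost sets the header
    elif unset_on_plain:
        environ.pop(META_KEY, None)       # plain VirtualHost drops client copies
    return environ


def redirect_url(environ, path, host="example.org"):
    """Absolute redirect target, using the scheme the model decides on."""
    return ("https" if is_secure(environ) else "http") + "://" + host + path


if __name__ == "__main__":
    sent = {"X-Forwarded-SSL": "on"}  # constructed client-supplied header
    print(redirect_url(front_end(True, {}), "/admin/"))
    print(redirect_url(front_end(False, sent), "/admin/"))
    print(redirect_url(front_end(False, sent, unset_on_plain=False), "/admin/"))
```

With the header unset on the plain VirtualHost, a client-supplied copy never reaches the application, so only requests that arrived through the SSL VirtualHost are treated as secure.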