Commit 2c10a316 authored by Vladimir Mencl's avatar Vladimir Mencl Committed by Zenon Mousmoulas

Use secure URLs when already using SSL

Django constructs redirect URLs as https only if request.is_secure() is true.

And that evaluates to true if either uwsgi sets wsgi.url_scheme to https, or
if the request header contains a key + value configured as a tuple in
settings.SECURE_PROXY_SSL_HEADER

As some parts might be accessed over plain http and some over https (if Apache
exposes both ports), the easiest approach is to:

* Use the conventional header:

        X-Forwarded-SSL: on

* Set this header from Apache SSL VirtualHost

* Configure Django to check for this header with:

        SECURE_PROXY_SSL_HEADER = ('X-Forwarded-SSL', 'on')

As this is an essential security setting that shouldn't need additional tweaks,
the setting is added to settings.py (and not local_settings.py).

Without this fix, the login form at /admin/ would upon successful login
redirect to plain http, even when accessed over https.
parent 5aa551de
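The lookup the commit message describes, as an added example that is neither the commit's own code nor Django's: a dependency-free simulation of how a WSGI server presents request headers in `request.META` and of the decision Django documents for `is_secure()` with `SECURE_PROXY_SSL_HEADER`. It goes slightly beyond the message by also modelling the plain-HTTP VirtualHost, so the forged-header case the setting is known for can be seen alongside the fix. Function and constant names (`wsgi_meta`, `is_secure`, `ssl_vhost`, `plain_vhost`, `summary`) and the request inputs are mine; `wsgi.url_scheme` is kept at `http` on the SSL vhost model because the message says the WSGI layer was not reporting https for those requests.

```python
# Added example, not code from the commit or the project it patches. It
# simulates, without importing Django, the META lookup Django documents for
# SECURE_PROXY_SSL_HEADER and the way Apache/mod_wsgi hand headers to it.
# All names below are assumptions made for the demonstration.

SETTING_AS_COMMITTED = ("X-Forwarded-SSL", "on")    # wire header name
SETTING_META_KEY = ("HTTP_X_FORWARDED_SSL", "on")   # request.META key


def wsgi_meta(raw_headers, url_scheme):
    """Build a request.META-style dict the way a WSGI server does: each
    request header becomes HTTP_<NAME> (upper-cased, dashes to underscores)
    and the transport scheme is reported in wsgi.url_scheme."""
    meta = {"wsgi.url_scheme": url_scheme}
    for name, value in raw_headers:
        meta["HTTP_" + name.upper().replace("-", "_")] = value
    return meta


def is_secure(meta, secure_proxy_ssl_header=None):
    """Mirror of the documented is_secure() decision: if the configured META
    key carries the configured value the request is secure; otherwise fall
    back to what the WSGI layer reported in wsgi.url_scheme."""
    if secure_proxy_ssl_header:
        header, value = secure_proxy_ssl_header
        if meta.get(header) == value:
            return True
    return meta.get("wsgi.url_scheme") == "https"


def redirect_scheme(meta, secure_proxy_ssl_header=None):
    """Scheme a post-login redirect URL would be built with."""
    return "https" if is_secure(meta, secure_proxy_ssl_header) else "http"


def ssl_vhost(client_headers):
    """Model of the SSL VirtualHost: `RequestHeader set X-Forwarded-SSL on`
    overwrites whatever the client sent. wsgi.url_scheme is deliberately
    'http', matching the situation the commit message describes, so only
    the header can mark the request as secure."""
    headers = [(n, v) for n, v in client_headers if n.lower() != "x-forwarded-ssl"]
    headers.append(("X-Forwarded-SSL", "on"))
    return wsgi_meta(headers, "http")


def plain_vhost(client_headers, unset_header):
    """Model of the plain-HTTP VirtualHost. unset_header=True behaves as if
    `RequestHeader unset X-Forwarded-SSL` were configured; with False the
    client's own header reaches Django untouched."""
    headers = [(n, v) for n, v in client_headers
               if not (unset_header and n.lower() == "x-forwarded-ssl")]
    return wsgi_meta(headers, "http")


# Constructed client requests: an honest one, and one that forges the header
# on the plain port to be treated as if it had arrived over TLS.
HONEST = [("Host", "example.org")]
FORGED = [("Host", "example.org"), ("X-Forwarded-SSL", "on")]


def summary():
    """Redirect scheme each configuration produces; returned for assertions."""
    return {
        "ssl_vhost_setting_as_committed": redirect_scheme(ssl_vhost(HONEST), SETTING_AS_COMMITTED),
        "ssl_vhost_setting_meta_key": redirect_scheme(ssl_vhost(HONEST), SETTING_META_KEY),
        "plain_vhost_forged_no_unset": redirect_scheme(plain_vhost(FORGED, False), SETTING_META_KEY),
        "plain_vhost_forged_with_unset": redirect_scheme(plain_vhost(FORGED, True), SETTING_META_KEY),
    }


if __name__ == "__main__":
    for case, scheme in summary().items():
        print(f"{case:32s} -> redirect built as {scheme}://...")
```

Two outcomes are worth reading off the summary: with the tuple exactly as committed the META lookup never matches, so the redirect stays `http`, and once the META key is used the plain-HTTP vhost must strip the header or a forged `X-Forwarded-SSL: on` is honoured.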
......@@ -210,6 +210,8 @@ KML_FILE = os.path.join(PROJECT_DIR, 'all.kml')
EDUROAM_KML_URL = 'http://monitor.eduroam.org/kml/all.kml'
# Check for headers indicating the request was received on a secure SSL connection
SECURE_PROXY_SSL_HEADER = ('X-Forwarded-SSL', 'on')
TINYMCE_JS_URL = '/static/js/tinymce/tiny_mce.js'
......
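Review bot: the first element of SECURE_PROXY_SSL_HEADER has to be the request.META key, not the wire header name, so `SECURE_PROXY_SSL_HEADER = ('X-Forwarded-SSL', 'on')` will never match and is_secure() keeps falling back to wsgi.url_scheme; WSGI exposes the header as HTTP_X_FORWARDED_SSL, so the line should read `SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_SSL', 'on')`. The comment above it should also record the condition Django attaches to this setting: it is only safe when Apache overwrites or removes X-Forwarded-SSL on every request, including those arriving on the plain-HTTP port, because once configured the header is trusted unconditionally and any client can send it.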
......@@ -209,6 +209,9 @@ We suggest using Apache and mod_wsgi. Below is an example configuration::
SSLCertificateChainFile ...
SSLCertificateKeyFile ...
# Tell Django the request was forwarded from a secure SSL connection
RequestHeader set X-Forwarded-SSL on
# Shibboleth SP configuration
ShibConfig /etc/shibboleth/shibboleth2.xml
Alias /shibboleth-sp /usr/share/shibboleth
......
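Review bot: `RequestHeader set X-Forwarded-SSL on` is only added to the SSL VirtualHost, but the commit message says Apache may expose the plain-HTTP port as well; that VirtualHost needs a matching `RequestHeader unset X-Forwarded-SSL`, otherwise a client can send `X-Forwarded-SSL: on` over http and Django will treat the request as secure. The example should also say that RequestHeader needs mod_headers enabled, and the comment would be more useful if it named the key Django sees (HTTP_X_FORWARDED_SSL) so the Apache and settings.py halves are easy to match up.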