From 2c10a316d6e293cd02d416e48e809899dce4ad74 Mon Sep 17 00:00:00 2001
From: Vladimir Mencl <vladimir.mencl@reannz.co.nz>
Date: Sat, 30 Jan 2016 09:21:41 +1100
Subject: [PATCH] Use secure URLs when already using SSL

Django constructs redirect URLs as https only if request.is_secure() is true.

And that evaluates to true if either uwsgi sets wsgi.url_scheme to https, or
if the request header contains a key + value configured as a tuple in
settings.SECURE_PROXY_SSL_HEADER

As some parts might be accessed over plain http and some over https (if Apache
exposes both ports), the easiest is to:

* Use the conventional header:

        X-Forwarded-SSL: on

* Set this header from Apache SSL VirtualHost

* Configure Django to check for this header with:

        SECURE_PROXY_SSL_HEADER = ('X-Forwarded-SSL', 'on')

As this is an essential security setting that shouldn't need additional tweaks,
adding the setting to settings.py (and not local_settings.py).

Without this fix, the login form at /admin/ would upon successful login
redirect to plain http, even when accessed over https.
---
 djnro/settings.py            | 2 ++
 docs/installation/install.md | 3 +++
 2 files changed, 5 insertions(+)

diff --git a/djnro/settings.py b/djnro/settings.py
index bbfb640..2f4958e 100644
--- a/djnro/settings.py
+++ b/djnro/settings.py
@@ -210,6 +210,8 @@ KML_FILE = os.path.join(PROJECT_DIR, 'all.kml')
 
 EDUROAM_KML_URL = 'http://monitor.eduroam.org/kml/all.kml'
 
+# Check for headers indicating the request was received on a secure SSL connection
+SECURE_PROXY_SSL_HEADER = ('X-Forwarded-SSL', 'on')
 
 
 TINYMCE_JS_URL = '/static/js/tinymce/tiny_mce.js'
diff --git a/docs/installation/install.md b/docs/installation/install.md
index 47a745a..e42e004 100644
--- a/docs/installation/install.md
+++ b/docs/installation/install.md
@@ -209,6 +209,9 @@ We suggest using Apache and mod_wsgi. Below is an example configuration::
 		SSLCertificateChainFile	...
 		SSLCertificateKeyFile	...
 
+		# Tell Django the request was forwarded from a secure SSL connection
+		RequestHeader set X-Forwarded-SSL on
+
 		# Shibboleth SP configuration
 		ShibConfig	/etc/shibboleth/shibboleth2.xml
 		Alias		/shibboleth-sp	/usr/share/shibboleth
-- 
GitLab