From 2c10a316d6e293cd02d416e48e809899dce4ad74 Mon Sep 17 00:00:00 2001
From: Vladimir Mencl
Date: Sat, 30 Jan 2016 09:21:41 +1100
Subject: [PATCH] Use secure URLs when already using SSL

Django constructs redirect URLs as https only if request.is_secure() is true. And that evaluates to true if either uwsgi sets wsgi.url_scheme to https, or if the request header contains a key + value configured as a tuple in settings.SECURE_PROXY_SSL_HEADER

As some parts might be accessed over plain http and some over https (if Apache exposes both ports), the easiest is to:
* Use the conventional header: X-Forwarded-SSL: on
* Set this header from Apache SSL VirtualHost
* Configure Django to check for this header with: SECURE_PROXY_SSL_HEADER = ('X-Forwarded-SSL', 'on')

As this is an essential security setting that shouldn't need additional tweaks, adding the setting to settings.py (and not local_settings.py).

Without this fix, the login form at /admin/ would upon successful login redirect to plain http, even when accessed over https.
---
 djnro/settings.py | 2 ++
 docs/installation/install.md | 3 +++
 2 files changed, 5 insertions(+)

diff --git a/djnro/settings.py b/djnro/settings.py
index bbfb640..2f4958e 100644
--- a/djnro/settings.py
+++ b/djnro/settings.py
@@ -210,6 +210,8 @@ KML_FILE = os.path.join(PROJECT_DIR, 'all.kml')
 EDUROAM_KML_URL = 'http://monitor.eduroam.org/kml/all.kml'
+# Check for headers indicating the request was received on a secure SSL connection
+SECURE_PROXY_SSL_HEADER = ('X-Forwarded-SSL', 'on')
 TINYMCE_JS_URL = '/static/js/tinymce/tiny_mce.js'
diff --git a/docs/installation/install.md b/docs/installation/install.md
index 47a745a..e42e004 100644
--- a/docs/installation/install.md
+++ b/docs/installation/install.md
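Review bot: The header name in the added `SECURE_PROXY_SSL_HEADER` line does not look like what Django matches against: as far as I can tell from Django's documented behaviour, `is_secure()` looks the tuple's key up in `request.META`, where a request header `X-Forwarded-SSL` is stored as `HTTP_X_FORWARDED_SSL`, so `('X-Forwarded-SSL', 'on')` would never match and the redirect fix described in the message would not take effect. I would change it to `SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_SSL', 'on')` and mention the META naming in the comment above it. Separately, this setting is only safe when every front end either sets or strips the header on every request: the commit's own scenario has Apache also serving plain HTTP, and on that vhost a client can send `X-Forwarded-SSL: on` itself and make Django treat the request as secure unless that vhost does `RequestHeader unset X-Forwarded-SSL`. A comment recording that precondition would help whoever copies this into a deployment, e.g. `# Trusting this header is only safe if the proxy overwrites or strips it on every vhost; a client must never be able to supply it`.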
@@ -209,6 +209,9 @@ We suggest using Apache and mod_wsgi. Below is an example configuration::
 SSLCertificateChainFile ...
 SSLCertificateKeyFile ...
+# Tell Django the request was forwarded from a secure SSL connection
+RequestHeader set X-Forwarded-SSL on
+
 # Shibboleth SP configuration
 ShibConfig /etc/shibboleth/shibboleth2.xml
 Alias /shibboleth-sp /usr/share/shibboleth
-- 
GitLab