Commit 262e5434 authored by Vladimir Mencl, committed by Zenon Mousmoulas

Revise secure URL settings

As per discussion in #8 (primary mode of deployment is with mod_wsgi):

* Comment out the header setting at Django side and also move it from
  settings.py to local_settings.py (because it's now a customizable item).
* Change the header name to `X-Forwarded-Protocol: https`
* Change the Apache recommendation to use the header name and take it out of
  the mod_uwsgi snippet - and instead add a new section describing
  mod_proxy_http as an option.
parent e4868581
......@@ -20,6 +20,11 @@ ALLOWED_HOSTS = []
# Make this unique, and don't share it with anybody.
SECRET_KEY = '<put something really random here, eg. %$#%@#$^2312351345#$%3452345@#$%@#$234#@$hhzdavfsdcFDGVFSDGhn>'
# Check for headers indicating the request was received on a secure SSL connection
# Uncomment this if you are running DjNRO behind an HTTP proxy that sets this
# header for SSL connections (and protects it for non-SSL connections).
# SECURE_PROXY_SSL_HEADER = ('X-Forwarded-Protocol', 'https')
DATABASES = {
'default': {
'ENGINE': 'django.db.backends.', # Add 'postgresql_psycopg2', 'mysql', 'sqlite3' or 'oracle'.
......
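Review bot: the header name in the commented-out `SECURE_PROXY_SSL_HEADER` line will never match: Django compares the tuple's first element against a key in `request.META`, where WSGI servers expose request headers as `HTTP_` plus the upper-cased, underscore-joined name, so the value needs to be `('HTTP_X_FORWARDED_PROTOCOL', 'https')`; as written, `request.is_secure()` stays False even when the proxy sets the header. The comment on the line above could also say explicitly that the proxy must set or strip this header on every request, since a client-supplied `X-Forwarded-Protocol: https` arriving over plain HTTP would otherwise be trusted.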
......@@ -210,9 +210,6 @@ KML_FILE = os.path.join(PROJECT_DIR, 'all.kml')
EDUROAM_KML_URL = 'http://monitor.eduroam.org/kml/all.kml'
# Check for headers indicating the request was received on a secure SSL connection
SECURE_PROXY_SSL_HEADER = ('X-Forwarded-SSL', 'on')
# Request session cookies to be marked as secure
SESSION_COOKIE_SECURE = True
......
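Review bot: the removed `('X-Forwarded-SSL', 'on')` value had the same `request.META` key problem (it would have needed `HTTP_X_FORWARDED_SSL`), so it never took effect; worth a line in the upgrade notes, because after this change an existing deployment gets no proxy SSL detection until the setting is added to local_settings.py, while `SESSION_COOKIE_SECURE = True` on the following line stays in settings.py, so the two related settings now live in different files.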
......@@ -228,6 +228,17 @@ We suggest using Apache and mod_wsgi. Below is an example configuration::
</Location>
</VirtualHost>
Alternatively, it is possible to use Apache with mod_proxy_http to pass the requests to uwsgi. In that case, the ````WSGIScriptAlias```` directive would be replaced with the following:
ProxyRequests off
ProxyPreserveHost on
ProxyPass / http://localhost:3031/
ProxyPassReverse / http://localhost:3031/
# tell DjNRO we have forwarded over SSL
RequestHeader set X-Forwarded-Protocol https
*Info*: It is strongly recommended to allow access to `/(admin|overview|alt-login)` *ONLY* from trusted subnets.
Once you are done, restart apache.
......
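Review bot: the `ProxyPass / http://localhost:3031/` lines assume uwsgi is speaking HTTP on port 3031, while the `WSGIScriptAlias` setup this replaces does not involve uwsgi at all; the text should say that uwsgi has to be started in HTTP mode (`--http-socket` rather than `--socket`, which speaks the binary uwsgi protocol) and that `RequestHeader` requires mod_headers. More importantly, `RequestHeader set X-Forwarded-Protocol https` belongs only in the SSL `<VirtualHost>`, and any plain-HTTP VirtualHost that proxies the same backend needs `RequestHeader unset X-Forwarded-Protocol`, otherwise a client can supply the header itself and Django will treat the request as secure. The section should also tell the reader to uncomment `SECURE_PROXY_SSL_HEADER` in local_settings.py, since it now ships commented out.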