Commit 2c10a316 authored by Vladimir Mencl, committed by Zenon Mousmoulas

Use secure URLs when already using SSL

Django constructs redirect URLs as https only if request.is_secure() is true.

And that evaluates to true if either uwsgi sets wsgi.url_scheme to https, or
if the request header contains a key + value configured as a tuple in
settings.SECURE_PROXY_SSL_HEADER

As some parts might be accessed over plain http and some over https (if Apache
exposes both ports), the easiest is to:

* Use the conventional header:

        X-Forwarded-SSL: on

* Set this header from Apache SSL VirtualHost

* Configure Django to check for this header with:

        SECURE_PROXY_SSL_HEADER = ('X-Forwarded-SSL', 'on')

As this is an essential security setting that shouldn't need additional tweaks,
the setting is added to settings.py (and not local_settings.py).

Without this fix, the login form at /admin/ would upon successful login
redirect to plain http, even when accessed over https.
parent 5aa551de
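The commit message describes how `request.is_secure()` decides between http and https. The following is an added illustration, not code from this commit or from Django: a small local re-implementation of the documented `SECURE_PROXY_SSL_HEADER` semantics, run against constructed WSGI environs, to show two things a deployer needs to check. First, Django compares the tuple's first element against `request.META`, where an incoming `X-Forwarded-SSL` header appears as `HTTP_X_FORWARDED_SSL`, so the raw header name never matches. Second, the header is client-controlled unless the plain-http front end strips it. The hostname `eduroam.example` and the two vhost models are constructed for the example.

```python
# Added illustration, not code from the commit or from Django itself: a local
# re-implementation of the documented SECURE_PROXY_SSL_HEADER semantics,
# exercised against constructed WSGI environs.

HEADER_AS_WRITTEN = ("X-Forwarded-SSL", "on")        # tuple as the commit writes it
HEADER_AS_META_KEY = ("HTTP_X_FORWARDED_SSL", "on")  # form Django actually compares


def meta_key(header_name):
    """How a request header lands in request.META: HTTP_ prefix, upper case,
    dashes become underscores ('X-Forwarded-SSL' -> 'HTTP_X_FORWARDED_SSL')."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def is_secure(meta, secure_proxy_ssl_header=None):
    """Documented Django behaviour: with SECURE_PROXY_SSL_HEADER = (key, value)
    set, the request is secure when request.META[key] == value; otherwise
    only wsgi.url_scheme == 'https' counts."""
    if secure_proxy_ssl_header is not None:
        key, value = secure_proxy_ssl_header
        if meta.get(key) == value:
            return True
    return meta.get("wsgi.url_scheme") == "https"


def wsgi_environ(client_headers, url_scheme="http"):
    """Constructed environ as a WSGI server hands it to Django: every request
    header is exposed under its HTTP_ key. url_scheme is what the backend
    connection looks like; behind an SSL-terminating front end that is http."""
    environ = {"wsgi.url_scheme": url_scheme}
    for name, value in client_headers.items():
        environ[meta_key(name)] = value
    return environ


def ssl_vhost(client_headers):
    """Model of the SSL VirtualHost in the commit: 'RequestHeader set
    X-Forwarded-SSL on' replaces any client-supplied value, so the app always
    sees the header on this vhost."""
    forwarded = dict(client_headers)
    forwarded["X-Forwarded-SSL"] = "on"
    return wsgi_environ(forwarded)


def plain_vhost(client_headers, strip_header):
    """Model of a plain-http VirtualHost (assumed to exist, as the commit
    message says both ports may be exposed). With strip_header=False a
    client-supplied header passes through untouched; with True it is removed,
    which is what the Django documentation requires of the proxy."""
    forwarded = dict(client_headers)
    if strip_header:
        forwarded.pop("X-Forwarded-SSL", None)
    return wsgi_environ(forwarded)


def outcomes():
    """Return (as_written, corrected, spoofed_unstripped, spoofed_stripped)."""
    honest = {"Host": "eduroam.example"}                             # constructed
    spoof = {"Host": "eduroam.example", "X-Forwarded-SSL": "on"}    # attacker-set
    return (
        is_secure(ssl_vhost(honest), HEADER_AS_WRITTEN),            # False: key never matches
        is_secure(ssl_vhost(honest), HEADER_AS_META_KEY),           # True
        is_secure(plain_vhost(spoof, False), HEADER_AS_META_KEY),   # True: spoofable over port 80
        is_secure(plain_vhost(spoof, True), HEADER_AS_META_KEY),    # False: header stripped
    )


if __name__ == "__main__":
    print(outcomes())  # (False, True, True, False)
```

The third outcome is the one to remember when copying this setting: a `RequestHeader set` on the SSL vhost alone does nothing to stop a client from sending the same header on the cleartext vhost, so the plain-http side needs a matching `RequestHeader unset X-Forwarded-SSL`.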
......@@ -210,6 +210,8 @@ KML_FILE = os.path.join(PROJECT_DIR, 'all.kml')
EDUROAM_KML_URL = 'http://monitor.eduroam.org/kml/all.kml'
# Check for headers indicating the request was received on a secure SSL connection
SECURE_PROXY_SSL_HEADER = ('X-Forwarded-SSL', 'on')
TINYMCE_JS_URL = '/static/js/tinymce/tiny_mce.js'
......
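Review bot: the first element of the tuple in `SECURE_PROXY_SSL_HEADER = ('X-Forwarded-SSL', 'on')` must be the `request.META` key, not the raw header name; Django compares `request.META.get(name) == value`, and an incoming `X-Forwarded-SSL` header is exposed there as `HTTP_X_FORWARDED_SSL`, so as written `is_secure()` never matches and the admin login redirect described in the commit message still goes to plain http. Suggest `SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_SSL', 'on')`. The comment above it should also say that this setting trusts the header outright, so it is only safe when every front end reaching this app either sets or strips it.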
......@@ -209,6 +209,9 @@ We suggest using Apache and mod_wsgi. Below is an example configuration::
SSLCertificateChainFile ...
SSLCertificateKeyFile ...
# Tell Django the request was forwarded from a secure SSL connection
RequestHeader set X-Forwarded-SSL on
# Shibboleth SP configuration
ShibConfig /etc/shibboleth/shibboleth2.xml
Alias /shibboleth-sp /usr/share/shibboleth
......
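Review bot: `RequestHeader set X-Forwarded-SSL on` in the SSL VirtualHost covers only the https side; the commit message says the site may also be exposed over plain http, and that VirtualHost must actively remove a client-supplied header (`RequestHeader unset X-Forwarded-SSL`), otherwise anyone sending `X-Forwarded-SSL: on` over port 80 makes `request.is_secure()` return true on a cleartext connection. Suggest adding the unset line to the non-SSL vhost in this example configuration and extending the comment `# Tell Django the request was forwarded from a secure SSL connection` to note that the header must never be passed through from clients.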