    Use secure URLs when already using SSL · 2c10a316
    Vladimir Mencl authored
    Django constructs redirect URLs as https only if request.is_secure() is true.
    
    And that evaluates to true if either uwsgi sets wsgi.url_scheme to https, or
    if the request header contains a key + value configured as a tuple in
    settings.SECURE_PROXY_SSL_HEADER
    
    As some parts might be accessed over plain http and some over https (if Apache
    exposes both ports), the easiest is to:
    
    * Use the conventional header:
    
            X-Forwarded-SSL: on
    
    * Set this header from Apache SSL VirtualHost
    
    * Configure Django to check for this header with:
    
            SECURE_PROXY_SSL_HEADER = ('X-Forwarded-SSL', 'on')
    
    As this is an essential security setting that shouldn't need additional tweaks,
    adding the setting to settings.py (and not local_settings.py).
    
    Without this fix, the login form at /admin/ would upon successful login
    redirect to plain http, even when accessed over https.
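The scheme decision described in the commit message above, as an added example that is not part of the commit or of the project's code. It is a stand-alone model rather than Django itself: the environ dictionaries and the host name `djnro.example.org` are constructed, `login_redirect` and `strip_client_header` are hypothetical helpers, and the header is written in the `request.META` form `HTTP_X_FORWARDED_SSL`, which is how a WSGI environ carries `X-Forwarded-SSL`.

```python
# Added example: models the rule from the commit message, i.e. a request is
# secure if uwsgi reports wsgi.url_scheme == "https" OR the configured proxy
# header carries the configured value. Not Django's own implementation.

# Assumption: header name in request.META form (X-Forwarded-SSL on the wire).
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_SSL", "on")


def is_secure(environ, proxy_header=SECURE_PROXY_SSL_HEADER):
    """Return True when redirects for this request would be built as https."""
    if proxy_header is not None:
        key, secure_value = proxy_header
        if environ.get(key) == secure_value:
            return True
    # No matching proxy header: fall back to what the WSGI server reported.
    return environ.get("wsgi.url_scheme") == "https"


def login_redirect(environ, path="/admin/"):
    """Hypothetical helper: absolute redirect URL after a successful login."""
    scheme = "https" if is_secure(environ) else "http"
    return f"{scheme}://{environ['HTTP_HOST']}{path}"


def strip_client_header(environ, key=SECURE_PROXY_SSL_HEADER[0]):
    """Hypothetical helper: what the plain-http VirtualHost has to do, drop
    any copy of the trusted header that arrived with the request."""
    return {k: v for k, v in environ.items() if k != key}


# Constructed environs. Apache terminates TLS, so uwsgi always sees "http".
BASE = {"HTTP_HOST": "djnro.example.org", "wsgi.url_scheme": "http"}
SSL_VHOST = {**BASE, "HTTP_X_FORWARDED_SSL": "on"}    # header set by Apache
PLAIN_VHOST = dict(BASE)                              # port 80, no header
PLAIN_UNFILTERED = {**BASE, "HTTP_X_FORWARDED_SSL": "on"}  # header came from
                                                      # the client, not Apache

if __name__ == "__main__":
    print(login_redirect(SSL_VHOST))
    print(login_redirect(PLAIN_VHOST))
    # Only the SSL VirtualHost may assert the header; the plain one must
    # remove it before the request reaches Django.
    print(is_secure(PLAIN_UNFILTERED), is_secure(strip_client_header(PLAIN_UNFILTERED)))
```

Because Django trusts the header unconditionally once `SECURE_PROXY_SSL_HEADER` is set, the check is only as good as the proxy configuration: the header has to be set on the SSL VirtualHost and unset on every other path into the application.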
Name
accounts
djangobackends
djnro
docs
edumanage
extras
front
initial_data
locale
static
utils
.gitignore
COPYING
Changelog
Makefile
README.md
__init__.py
_version.py
manage.py
mkdocs.yml
requirements.txt
upgrade-from-0.8-notes.txt