I deployed an web app which django restframework base on Heroku and Azure.
Same app on Heroku works fine.
But when I access to Azure, it causes ERR_TOO_MANY_REDIRECT error.
I googled and found that turn SECURE_SSL_REDIRECT off solved ERR_TOO_MANY_REDIRECT error.
However, it causes 403 CSRF error instead.
I need to find another way to fix ERR_TOO_MANY_REDIRECT or find a way to fix 403 CSRF error.
Can anyone help me to solve this issue?
If your app is on "Azure App Service", the HTTPS connection will be terminated before it reaches your web worker. Your app wil see an incoming HTTP request instead. In this case you need to set SECURE_SSL_REDIRECT = False indeed. If you want to enforce HTTPS (which is a good practice) you can do so in the Azure settings: https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-bindings#enforce-https
About the CSRF-related error: because Azure translates HTTPS to HTTP, you need to configure Django to allow POST requests from a different scheme (since Django 4.0) by adding this to settings.py:
CSRF_TRUSTED_ORIGINS = ["https://YOUR-DOMAIN.com", "https://www.YOUR-DOMAIN.com"]
If this does not solve your problem, you can temporarily set DEBUG = True in production and try again. On the error page, you will see a "Reason given for failure" that you can post here.
Related
I'm runing specfic configuration. I got django runing on apache on address localhost:8001 and react app running on nginx on localhost:8005. Also I use ngingx to route proxy. My biggest problem is when I try to call DRF API by React (calling http://127.0.0.1:8001/api-token-auth/ so I got / at the end of the endpoint for sure) I'm getting POST http://127.0.0.1:8001/api-token-auth/ net::ERR_CONNECTION_REFUSED
Backend is running fine, I can use endpoint from HTTPie or POSTMAN
When I call backend by external domain name in React like 'example.com/api-token-auth/' it's working just fine. How can I solve this?
Adding ALLOWED_HOSTS = ['127.0.0.1'] or ALLOWED_HOSTS = ['*'] may solve your issue of connection refused in your django settings.py file.
https://docs.djangoproject.com/en/3.0/ref/settings/#allowed-hosts
EDIT:
http://' + require("os").hostname() + ':8001/ or
http://' + require("ip").address() + ':8001/'
Try using this while building the localhost ip. People have fixed this issue with this change.
I was looking to run my django and reactjs web application on mobile by connecting it to mac via hotspot, and changing the host to the ipaddress of the mobile. Thus, I changed my localhost to 192.168.43.19 in /etc/hosts/, and thus, my code is easily shared between mobile and mac, and I am able to run the localhost app on my mobile which is connected to mac via hotspot.
The backend is created in django rest framework. The problem is that all the get and post calls to the api created in the backend in django is being converted to options calls, and thus there are no returns, and the code is not working properly. While searching online, it said that the issue is because by default Access-cross-origin-policy is not allowed. To try handling the issue, I added the frontend url in CORS_ORIGIN_WHITELIST in the settings file of the django app, but it didnt work.
The CORS_ORIGIN_WHITELIST value set is the one, where the react code is being run. It is
CORS_ORIGIN_WHITELIST = (
'http://192.168.43.194:3000',
)
It will be really helpful, if someone could recommend me the correct way to handle this?
After creating app in django and ensuring that everything works i tried to serve my app on remote server. The stack over there is Apache with mod-wsgi-py3. After setting up Apache with documentation provided by mod_wsgi i am having problems with mod-wsgi
To make sure that i dont have any problem with my app i checked on standard admin page in Django. The only open domain from that server to access is 'https://app.web.corpnet.pl:15003/app/' so all my uri's use this as a root.
I think that the problem is either in django settings (allowed hosts?) or apache conf so im pasting these:
ALLOWED_HOSTS = ['localhost', 'app.tnweb.corpnet.pl',
'app.tnweb.corpnet.pl:15003', 'app.corpnet.pl', 'corpnet.pl']
Problem is described by django debug as:
Forbidden (403)
CSRF verification failed. Request aborted.
Help
Reason given for failure:
Referer checking failed - https://app.tnweb.corpnet.pl:15003/app/admin/login/?next=/app/admin/ does not match any trusted origin
Try declaring a SECRET_KEY:
'app.config[‘SECRET_KEY’]=‘aSecretAndComplexString’'
Usualy CSRF verification method fails if no secret key is declared.
I am building a simple web app using React.js for the frontend and Django for the server side.
Thus frontend.herokuapp.com and backend.herokuapp.com.
When I attempt to make calls to my API through the react app the cookie that was received from the API is not sent with the requests.
I had expected that I would be able to support this configuration without having to do anything special since all server-side requests would (I thought) be made by the JS client app directly to the backend process with their authentication cookies attached.
In an attempt to find a solution that I thought would work I attempted to set
SESSION_COOKIE_DOMAIN = "herokuapp.com"
Which while less than ideal (as herokuapp.com is a vast domain) in Production would seem to be quite safe as they would then be on api.myapp.com and www.myapp.com.
However, with this value set in settings.py I get an AuthStateMissing when hitting my /oauth/complete/linkedin-oauth2/ endpoint.
Searching google for AuthStateMissing SESSION_COOKIE_DOMAIN yields one solitary result which implies that the issue was reported as a bug in Django social auth and has since been closed without further commentary.
Any light anyone could throw would be very much appreciated.
I ran into the exact same problem while using herokuapp.com.
I even posted a question on SO here.
According to Heroku documentation:
In other words, in browsers that support the functionality, applications in the herokuapp.com domain are prevented from setting cookies for *.herokuapp.com
Heroku blocks cookies from frontend.herokuapp.com and backend.herokuapp.com
You need to add a custom domain to frontend.herokuapp.com and backend.herokuapp.com
The entire answer https://stackoverflow.com/a/54513216/1501643
On production, I've been trying to add the djangosecure.middleware.SecurityMiddleware (from http://pypi.python.org/pypi/django-secure)to my settings, but haven't had any luck making it work.
When I run:
./manage.py checksecure
Everything passes perfectly fine. But I'm unable to load the site up. It gives me the following error:
The webpage has resulted in too many redirects. Clearing your cookies for this site or
allowing third-party cookies may fix the problem. If not, it is possibly a server
configuration issue and not a problem with your computer.
Locally, when I use the production settings I receive a page error with:
Unable to make a secure connection to the server. This may be a problem with the server,
or it may be requiring a client authentication certificate that you don't have.
My terminal then gets filled with strange errors that I can't decipher:
[12/Jan/2013 14:15:25] code 400, message Bad HTTP/0.9 request type
('\x16\x03\x01\x00\x98\x01\x00\x00\x94\x03\x02P\xf1\xc4]\x97e\xdd\xdc\xa9\xeb\x0e\xfc\xbb\xfa3 ')
[12/Jan/2013 14:15:25] "??P??]?e?ܩ????3 Ʀ?-?:?.E:?o?FH?" 400 -
[12/Jan/2013 14:15:25] code 400, message Bad request syntax ('\x16\x03\x01\x00\x98\x01\x00\x00\x94\x03\x02P\xf1\xc4]M\xeeA50\xfc\x15%\xc1\xa4\x02\xec\xf0\x1fO')
[12/Jan/2013 14:15:25] "??P??]M?A50?%????O" 400 -
[12/Jan/2013 14:15:25] code 400, message Bad request syntax ('\x16\x03\x01\x00\x98\x01\x00\x00\x94\x03\x01P\xf1\xc4]\x8eg\xbey\x155\xafiP5\x85r\xb4|\x8c\x
Any advice?
Infinite-redirects means you have set SECURE_SSL_REDIRECT to True, but in production your site runs behind an SSL-stripping proxy server, so Django can't tell that the request is already in fact SSL, so it continually tries to redirect to SSL. As noted in the linked docs, you need to figure out what header your proxy sets to indicate an externally-SSL request, and set the SECURE_PROXY_SSL_HEADER setting accordingly.
Using the production settings locally will not work because Django's development server does not support SSL. The strange terminal output is your browser trying to make an SSL handshake with a server that doesn't understand SSL.