I was trying to implement 'Securing Django Admin login with OTP', however I can't login into the admin panel now. I removed the app from everywhere but still doesn't work. Any solution for this?
[05/Feb/2021 21:39:49] code 400, message Bad request version ('î\x9el\x00$\x13\x01\x13\x03\x13\x02À+À/̨̩À,À0À')
[05/Feb/2021 21:39:49] You're accessing the development server over HTTPS, but it only supports HTTP.
If you are on development version you cant use https connection on your localhost so just turn your URL to http and error will be disappear.
ex:
https://localhost:8000
or
https://127.0.0.1:8000
just turn it to
http://localhost:8000
or
http://127.0.0.1:8000
also may be at 127.0.0.1:8000
Related
So I created a simple "social media website" where by using API I GET data from a database and I can also POST to create a social media post after I register and log in.
On my localhost it all works well. I can register, login, then write a social media post and it displays on the screen.
However, when I use Heroku, GET API works fine, but after I log in (and I am sure I am logged in as I can log in on admin), I cannot write anything on my website. In my IDE I get: Forbidden: /api/posts/action/
In the network page I can see this:
Request URL: http://localhost:8000/api/posts/action/
Request Method: POST
Status Code: 403 Forbidden
Remote Address: 127.0.0.1:8000
Referrer Policy: no-referrer-when-downgrade
Any idea where should I look for an error? If there is any code I should send, let me know. Thank you!
Your server's domain in Heroku shouldn't be localhost:8000
You need to use the correct domain/IP address, and remember to put the domain/IP address in ALLOWED_HOSTS in the setting file.
If you don't set up a custom domain, then the default domain should be like:
https://<dyno name>.herokuapps.com
I've developed my own website on Django for a while, and today I started to learn how to deploy it. I added this to my settings.py:
SECURE_SSL_REDIRECT = True,
This caused the development server to stop working properly, with this error message:
[13/Jan/2018 16:56:49] code 400, message Bad request syntax ('\x16\x03\x01\x00À\x01\x00\x00¼\x03\x03ßà\x84¼+Jnßþn-ñ\x88ý©vAþK\x83¤²êT\x86\x0b.\x8em\x0b:â\x00\x00\x1cÚÚÀ+À/À,À0̨̩À\x13À\x14\x00\x9c\x00\x9d\x00/\x005\x00')
[13/Jan/2018 16:56:49] code 400, message Bad HTTP/0.9 request type ('\x16\x03\x01\x00À\x01\x00\x00¼\x03\x03\x87')
[13/Jan/2018 16:56:49] You're accessing the development server over HTTPS, but it only supports HTTP.
[13/Jan/2018 16:56:49] You're accessing the development server over HTTPS, but it only supports HTTP.
[13/Jan/2018 16:56:49] code 400, message Bad request version ('JJÀ+À/À,À0̨̩À\x13À\x14\x00\x9c\x00\x9d\x00/\x005\x00')
[13/Jan/2018 16:56:49] You're accessing the development server over HTTPS, but it only supports HTTP.
Why has my server stopped working properly?
Note that when I changed the setting back to SECURE_SSL_REDIRECT = False, the problem didn't go away.
You configured your django site to enforce https by setting SECURE_SSL_REDIRECT = True - which is very good idea for a production setup.
If you set the SECURE_SSL_REDIRECT setting to True, SecurityMiddleware will permanently (HTTP 301) redirect all HTTP connections to HTTPS.
For this reason (and also others) you usually have separate settings for development and produciton. There are a few things that nearly always differ.
Read this to get known to some approches on how to deal with it: Django: How to manage development and production settings?
NOTE
If your browser received 301 once from your site - changing the setting back might have no direct effect, as the browser cached the target URL and does not send a request on HTTP. You need to clear or disable your browsers cache in that case.
The browser has cached the http->https redirect from the previous request when it was working with SECURE_SSL_REDIRECT=True.
Turning it off server side will not effect that cached redirect.
You can selectively clear that for your dev server's url/ip (not everything in the browser cache) and get things working by:
Shutdown your Django dev server
Go to http://127.0.0.1:8000 - it will give you a 404
Open up Chrome's dev tools
Click and hold on the "Reload" button
Select: "Empty Cache & Hard Reload"
Restart Django dev server
Hit http://127.0.0.1:8000 again
If you are part of a team, you can use a variable to set the development environment. for e.g. DJANGO_DEV=development
After that you can check, if current environment is a DEV env and set the specific values.
Read more about this approach on this answer
You might try editing your Edit Configuration and run the server on a different port. In pycharm I changed run -> edit_configurations -> host = 127.0.0.1, Port = 8001.
I then reran the Python Interpreter and it launched again in a new browser without the https. You might need to first change the settings options to select SECURE_SSL_REDIRECT = False in your local_settings or settings.
I am trying to login to the admin panel of a Django application via another server (say 123.123.123.123). I have a ssh tunnel open like ssh -L 3000:my.website.com:443 user#123.123.123.123. I can then go to https://localhost:3000/admin/login/ and see the login page for the Django admin of the server running on my.website.com. Whatever credentials I put in, results in a HTTP 403 'CSRF verification failed. Request aborted.` error page.
I do not get this error when going directly to my.website.com/admin/login/. What settings might help to allow login via an SSH tunnel? I have already tried adding 'localhost' to ALLOWED_HOSTS. The CSRF cookies are secure (only available via HTTPS, which I'm always using) and have the HTTPOnly flag set.
Django will see that you're trying to access my.website.com domain and it will send back to you cookie for that domain.
But your browser is actually accessing localhost domain, so cookies for my.website.com won't be valid for it and browser won't send them back to Django server.
One way to fix it is to point my.website.com to 127.0.0.1 using /etc/hosts, change your tunnel port to 443 and connect to my.website.com instead.
Another approach is to set any server in between you and your django server that will rewrite cookies and other paths from one domain to another.
I am using Django 1.6 with Oauth2 (django-oauth-toolkit) and the site is SSL secure via apache.
When i get a token and using it without SSL - I reach the api and get 200.
If the token is not valid, i get 403, as expected. OK.
when i use the SSL without the Oauth2 - it's also pass OK.
But when i use them together SSL and Oauth I get 403.
Can someone give me a clue what am i missing?
Thanks in advances
Hagay.
If you're getting strange issues with HTTP authorization under Apache/WSGI/Django, but not when running manage.py runserver, you might need this command in your Apache site config:
WSGIPassAuthorization on
If the setting is not switched on, then WSGI "swallows" all authorization headers and doesn't pass them on to your Python code, apparently for security reasons.
See the WSGI module docs for more information.
On production, I've been trying to add the djangosecure.middleware.SecurityMiddleware (from http://pypi.python.org/pypi/django-secure)to my settings, but haven't had any luck making it work.
When I run:
./manage.py checksecure
Everything passes perfectly fine. But I'm unable to load the site up. It gives me the following error:
The webpage has resulted in too many redirects. Clearing your cookies for this site or
allowing third-party cookies may fix the problem. If not, it is possibly a server
configuration issue and not a problem with your computer.
Locally, when I use the production settings I receive a page error with:
Unable to make a secure connection to the server. This may be a problem with the server,
or it may be requiring a client authentication certificate that you don't have.
My terminal then gets filled with strange errors that I can't decipher:
[12/Jan/2013 14:15:25] code 400, message Bad HTTP/0.9 request type
('\x16\x03\x01\x00\x98\x01\x00\x00\x94\x03\x02P\xf1\xc4]\x97e\xdd\xdc\xa9\xeb\x0e\xfc\xbb\xfa3 ')
[12/Jan/2013 14:15:25] "??P??]?e?ܩ????3 Ʀ?-?:?.E:?o?FH?" 400 -
[12/Jan/2013 14:15:25] code 400, message Bad request syntax ('\x16\x03\x01\x00\x98\x01\x00\x00\x94\x03\x02P\xf1\xc4]M\xeeA50\xfc\x15%\xc1\xa4\x02\xec\xf0\x1fO')
[12/Jan/2013 14:15:25] "??P??]M?A50?%????O" 400 -
[12/Jan/2013 14:15:25] code 400, message Bad request syntax ('\x16\x03\x01\x00\x98\x01\x00\x00\x94\x03\x01P\xf1\xc4]\x8eg\xbey\x155\xafiP5\x85r\xb4|\x8c\x
Any advice?
Infinite-redirects means you have set SECURE_SSL_REDIRECT to True, but in production your site runs behind an SSL-stripping proxy server, so Django can't tell that the request is already in fact SSL, so it continually tries to redirect to SSL. As noted in the linked docs, you need to figure out what header your proxy sets to indicate an externally-SSL request, and set the SECURE_PROXY_SSL_HEADER setting accordingly.
Using the production settings locally will not work because Django's development server does not support SSL. The strange terminal output is your browser trying to make an SSL handshake with a server that doesn't understand SSL.