I have already set up the HTTPS/SSL for my site on Amazon EC2. I checked it on several different SSL checker sites online, and I think it is set up properly. I'm using Django web framework, so do I need to follow anything in this spec to make sure I didn't miss anything?
https://docs.djangoproject.com/en/1.6/topics/security/#ssl-https
Django 1.7 and later have a bit better security and patch most of the possible X-Frames related exploits.
However I personally like to set the security in my NGINX config. A great guide for that is https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
And for SSL security in general, I recommend https://ssllabs.com
Related
So far, the only websites I've put in a hosted domain were with PHP. But since I work with Django I wonder if there would be any "barrier" or trouble when it comes to hosting a project, since Linux and IOS have Python installed by default but Windows does not. Also it would be necessary to install tools such as Django itself, pillow, mysqlclient, etc...
I just want to know any possible barrier before going ahead. Thanks!
Everything depends on the server: if you have the necessary permissions to install and configure everything (gunicorn, supervisor, nginx, etc.), you will not have any problem.
For example, services with which you will not have any problem include Amazon EC2, DigitalOcean, or any similar provider.
When I started with Django about 4 years ago I didn't know anything about servers, nginx and very little about databases but I found Djangoeurope on which I put my first websites.
They have managed databases (PostgreSQL and MySQL), one-click Django installs, reasonable prices and a very helpful staff.
I've since transitioned to using Docker on GCP, but for a beginner I can't recommend them enough: you can just concentrate on your Django code and you don't have to learn everything else at the same time.
I built a simple page with Django from this tutorial https://wsvincent.com/django-image-uploads/.
How do I enable https on it so that the uploaded posts can not be seen in the clear on the network?
I am currently not running Apache, Tomcat or Nginx, but can if that is the only way.
I read the SSL/HTTPS section of the Django security documentation https://docs.djangoproject.com/en/2.1/topics/security/#ssl-https but is that something I configure within the Django framework, or are those settings for a web server like Apache?
Thank you.
Have you used or heard of CloudFlare? (for speed but also a free enabling of HTTPS)
Link: https://www.cloudflare.com/lp/overview-x/?_bt=308976257739&_bk=cloudflare&_bm=e&_bn=g&_bg=58800278543&_displaycampaign=&gclid=EAIaIQobChMIhtfCr7CJ4gIVzbHtCh38jwvKEAAYASAAEgKnOPD_BwE
You simply enter the URL of your website (if it is all set up) and then enable HTTPS. Read their terms and conditions of course, but it is fantastic.
I'm sorry for being dumb, but I have been really stuck for a few days. This is my first time using AWS. I have successfully installed a LAMP web server under t1.micro on my customer's AWS account http://54.72.132.215/ following this tutorial. But I don't know what to do next after the installation. My goal is:
Setup a Domain
Run a Prestashop.
I hope you can guide me to the right path, I am totally lost. Thanks.
You need to register a domain with someone, this is outside of Amazon. Just google domain name registrars:
https://www.google.com/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=domain%20name%20registrar
Then you'll need to point your domain to your Amazon EC2 instance. I would suggest using Route 53 to do this, another Amazon AWS service that makes it easier to set up and control your domains:
http://aws.amazon.com/route53/
Once you have that set up, visiting your domain name should show the default Apache "It works!" page, if you've correctly set up your LAMP server. It'll look something like these:
https://www.google.co.uk/search?q=default+apache+web+page&espv=2&source=lnms&tbm=isch&sa=X&ei=yRfWU_v8OeHe7Abp1ICICw&ved=0CAYQ_AUoAQ&biw=1457&bih=881#imgdii=_
You'll want to add a new vhost for your new PrestaShop site, this will allow you to setup a specific set of files to serve for your new URL, and means you can add other sites to the server later on. Just a quick google shows multiple tutorials on doing this, here's one of them:
http://calebogden.com/multiple-websites-amazon-ec2-linux-virtual-hosts/
Then follow the tutorial in the PrestaShop documentation about installing PrestaShop via the command line:
http://doc.prestashop.com/display/PS16/Installing+PrestaShop+using+the+command-line+script
Now I'm guessing that all those steps in one go is a little overwhelming, so I would suggest you break this task down into chunks and work on them one at a time, and post a few different questions on StackOverflow and probably ServerFault: https://serverfault.com/, as that is better suited to setting up servers.
To summarise you need to:
register a domain name and point it to your EC2 server, you should see the default apache page
create a new vhost to serve web pages for your new domain
follow the guide on PrestaShop about installing the software
Treat each of those as a separate task. This question covers lots of topics in one very general idea, the full answer to your problem wouldn't really fit in a single post.
ServerFault will probably have a lot of your answers already, regarding setting up domains and vhosts at least.
I've got a little Django site in which users can link to images on other sites in their comments. It's by no means a core feature.
I've just moved the entire site to SSL. That has worked fine for the most part but remote images are obviously not always going to be available over SSL. Only the slightest number of domains have valid certificates.
What's the best way to funnel images through then?
Download them when the user posts and alter the URL to a local one?
Make a proxy that just proxies another URL?
The second seems like less work (I feel like it would be possible just with NGINX rules) but that it would also open the site up to people using my proxy for their own nefarious gain... Which I'd like to avoid.
What's the best compromise here?
Github ran into this same issue when they moved to HTTPS everywhere and detailed it in their blog: https://github.com/blog/743-sidejack-prevention-phase-3-ssl-proxied-assets
Their solution was to create a proxy server which they open sourced as https://github.com/atmos/camo. To address the same concerns about abuse of the proxy, it is deployed with a shared secret with the application server. Integrating this with a Django project would be straightforward, as you would just need to generate the digest from the shared key for the given image URL.
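An added example (not part of the original answer, and not camo's or GitHub's own code) of the digest step the answer describes. It assumes the URL layout documented in the camo README, `/<HMAC-SHA1 hex digest>/<hex-encoded image URL>`; the host, key and function names are placeholders. `proxy_accepts` models the check on the proxy side that keeps it from being usable as an open proxy.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumptions: placeholder host and key; URL layout as in the camo README.
CAMO_HOST = "https://camo.example.com"     # hypothetical proxy host
CAMO_KEY = b"constructed-shared-secret"    # same secret the proxy is started with


def camo_digest(image_url: str, key: bytes = CAMO_KEY) -> str:
    """HMAC-SHA1 hex digest of the raw image URL, keyed with the shared secret."""
    return hmac.new(key, image_url.encode("utf-8"), hashlib.sha1).hexdigest()


def camo_url(image_url: str, key: bytes = CAMO_KEY, host: str = CAMO_HOST) -> str:
    """Rewrite a user-supplied image URL so browsers fetch it via the proxy."""
    scheme = urlsplit(image_url).scheme.lower()
    if scheme not in ("http", "https"):
        # Refuse anything that is not a plain web URL before signing it.
        raise ValueError("only http(s) image URLs are proxied")
    encoded = image_url.encode("utf-8").hex()
    return f"{host}/{camo_digest(image_url, key)}/{encoded}"


def proxy_accepts(path: str, key: bytes = CAMO_KEY) -> bool:
    """Proxy-side check: recompute the digest and compare in constant time."""
    try:
        digest, encoded = path.strip("/").split("/", 1)
        image_url = bytes.fromhex(encoded).decode("utf-8")
    except ValueError:
        return False  # malformed path, bad hex or bad UTF-8
    expected = camo_digest(image_url, key).encode("ascii")
    return hmac.compare_digest(digest.encode("utf-8"), expected)


if __name__ == "__main__":
    original = "http://images.example.org/cat.png"  # constructed sample URL
    signed = camo_url(original)
    print(signed)
    print(proxy_accepts(signed[len(CAMO_HOST):]))
```

In a Django project `camo_url` would typically be called when rendering a comment (for instance from a template filter), with the key read from settings rather than hard-coded.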
I'm new to Mezzanine and Django. I have set up a site, everything is working but I can only launch the server on "development". I would like to access the site on port 80 on the internet instead of internally, as I have no way other than redirecting the port via SSH to access it. I would like to know how to do that.
And another question: is Nginx included with Mezzanine automatically? Because I have a tuned-up Nginx server there and I'm not sure what I need to do, whether to run it with my existing Nginx server or with the one included with Django, if that is how it works... Thank you for bringing some light on this.
NGINX is not included with Mezzanine, it's an entirely separate piece of software, similar to Apache.
Mezzanine includes a fabric script which can automatically set up a production server if you'd like to use it, and will install NGINX on the server for you, among many other things.
Given your question, I can't recommend enough that you read and understand all the related documentation on this topic. Start with the Mezzanine link below, it references many other documentation sites - Django, Fabric, NGINX, plus more.
Enjoy the adventure: http://mezzanine.jupo.org/docs/deployment.html