I have implemented loadbalancing for my django website. My loadbalancing server is https but my individual servers are http. I have set SESSION_COOKIE_SECURE to True in my individual servers settings.py file.
If I hit the server via the loadbalancer, the cookie is secured and works fine (because the loadbalancing server is https secured).
But if I hit the individual servers, the page is redirected to the login page and the user won't be able to log in (because the individual servers are not secured).
As per the django doc, I have included SECURE_PROXY_SSL_HEADER in settings.py, but it is only supported from Django 1.4. I'm using Django 1.3 for my website.
I need to secure the cookie for my loadbalancing server and the real IPs (individual servers).
Any solution in Django 1.3?
Thanks in advance
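For the layout in the question above (TLS terminated at the load balancer, backends reached over plain HTTP), an added example of the pre-SECURE_PROXY_SSL_HEADER approach: a WSGI wrapper that upgrades `wsgi.url_scheme` from `X-Forwarded-Proto`, but only when the request actually arrives from the trusted balancer address, so a client hitting a backend directly cannot spoof a secure request. This is not code from any post on this page; it assumes Django's WSGI handler derives `request.is_secure()` from `environ["wsgi.url_scheme"]`, and the proxy address and sample environs are constructed.

```python
# Added example; not code from any post above. Assumes Django's WSGI handler
# derives request.is_secure() from environ["wsgi.url_scheme"] (holds for the
# WSGI handler in Django 1.3 onward). TRUSTED_PROXIES and environs are constructed.

TRUSTED_PROXIES = frozenset({"10.0.0.5"})   # constructed load balancer address


def resolve_scheme(environ, trusted_proxies=TRUSTED_PROXIES):
    """Return the scheme the request should be treated as.

    The forwarded header is honoured only when the immediate peer is a known
    proxy; a client that reaches a backend directly cannot make
    request.is_secure() return True by sending X-Forwarded-Proto itself.
    """
    scheme = environ.get("wsgi.url_scheme", "http")
    if environ.get("REMOTE_ADDR") not in trusted_proxies:
        return scheme
    # Chained proxies may append values; the first one is the scheme the
    # client used to reach the outermost proxy.
    forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "")
    first = forwarded.split(",")[0].strip().lower()
    return "https" if first == "https" else scheme


def forwarded_proto_wrapper(app, trusted_proxies=TRUSTED_PROXIES):
    """Wrap a WSGI app (e.g. Django's WSGIHandler()) so it sees the real scheme."""
    def wrapped(environ, start_response):
        environ["wsgi.url_scheme"] = resolve_scheme(environ, trusted_proxies)
        return app(environ, start_response)
    return wrapped


def scheme_seen_by_app(environ, trusted_proxies=TRUSTED_PROXIES):
    """Drive a tiny WSGI app through the wrapper and report the scheme it saw."""
    seen = {}

    def app(env, start_response):
        seen["scheme"] = env["wsgi.url_scheme"]
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]

    list(forwarded_proto_wrapper(app, trusted_proxies)(environ, lambda *a: None))
    return seen["scheme"]


def sample_environ(remote_addr, forwarded_proto=None):
    """Constructed minimal WSGI environ as a backend on a plain-HTTP link sees it."""
    environ = {"wsgi.url_scheme": "http", "REMOTE_ADDR": remote_addr,
               "REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    if forwarded_proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    return environ
```

A request that bypasses the balancer stays `http`, so Secure cookies are still withheld by the browser there; that is the intended outcome, since that hop really is unencrypted.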
I previously posted about not being able to send HttpOnly cookie from nextJS to django either from getServerSideProps or from useEffect here. I think the reason is that my django and Nextjs are running on different domains. So I need to have same domains for both back-end and front-end. Does it mean that requests from nextJS should go from 127.0.0.1:8000 instead of 127.0.0.1:3000?
If yes, do I need to use proxy within Nextjs?
Also, I have set up django-cors-headers; does it still require a proxy?
Yes. You'll need to set up a proxy server that will forward your requests from 127.0.0.1:3000 to 127.0.0.1:8000. That way, your cookies will be shared with your backend server since the browser will assume they are from the same origin.
As for setting up an http proxy on nextjs, you can refer to this Github Answer.
Setting django CORS headers will not apply to your cookies. CORS refers to requests from different origins, and setting these headers will allow your backend to receive requests from different origins as you have specified in your allowedHosts declarative. Cookies can be shared within different subdomains but never different domains.
After opening the server, the web only runs without "http" in the url,
like this: 127.0.0.1:8000/blog/
and adding http gives a 404 ERROR; where did I go wrong?
For now you are developing the Django app, not deploying it on the server. The http or https will be set in the server configuration file. It doesn't work now. Simply develop your site and figure this out when you are deploying the app.
In Django, if I set SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE to True, it ensures only secure cookies are sent over https.
Now my Django web project serves traffic over both http and https. If I set the aforementioned flags, will it cause any problems for traffic over http? Or that traffic will continue to be served normally?
These settings tell the browser not to send session and csrf cookies over http. So you won't be able to submit forms (unless you explicitly bypass csrf check) and you won't be able to use sessions over http. This is the goal of these settings.
I'm getting an error message from Angular whenever I try to make an AJAX call to an endpoint of my backend (on a separate domain, running Django 1.7):
Cross origin requests are only supported for protocol schemes: http,
data, chrome-extension, https, chrome-extension-resource
I do have django-corsheaders installed, CORS_ORIGIN_ALLOW_ALL = True and the middleware set up properly. So what's wrong?
I am not sure if this information is relevant, but I am still testing everything on a single host, meaning there is one XAMPP server running for the Angular frontend at localhost and one Gunicorn instance running at localhost:5000 for the backend.
I am able to set up django-allauth with social login using this tutorial.
However, I need to run all of my website over https.
Can django-allauth be successfully and reliably used with django-sslify?
The web server you're hosting Django in handles SSL. If you put Nginx or Apache in front, for example, they will do all the SSL work. Django won't have any concept of being HTTP vs HTTPS.
The django-sslify module doesn't make a site run in SSL, it just redirects any detected non-SSL request to the equivalent SSL URL.
For django-allauth to work with SSL, all you need to do is ensure the configuration of redirect URLs is set to https://... etc.