Django: security middleware is crashing the site - django

On production, I've been trying to add the djangosecure.middleware.SecurityMiddleware (from http://pypi.python.org/pypi/django-secure) to my settings, but haven't had any luck making it work.
When I run:
./manage.py checksecure
Everything passes perfectly fine. But I'm unable to load the site up. It gives me the following error:
The webpage has resulted in too many redirects. Clearing your cookies for this site or
allowing third-party cookies may fix the problem. If not, it is possibly a server
configuration issue and not a problem with your computer.
Locally, when I use the production settings I receive a page error with:
Unable to make a secure connection to the server. This may be a problem with the server,
or it may be requiring a client authentication certificate that you don't have.
My terminal then gets filled with strange errors that I can't decipher:
[12/Jan/2013 14:15:25] code 400, message Bad HTTP/0.9 request type
('\x16\x03\x01\x00\x98\x01\x00\x00\x94\x03\x02P\xf1\xc4]\x97e\xdd\xdc\xa9\xeb\x0e\xfc\xbb\xfa3 ')
[12/Jan/2013 14:15:25] "??P??]?e?ܩ????3 Ʀ?-?:?.E:?o?FH?" 400 -
[12/Jan/2013 14:15:25] code 400, message Bad request syntax ('\x16\x03\x01\x00\x98\x01\x00\x00\x94\x03\x02P\xf1\xc4]M\xeeA50\xfc\x15%\xc1\xa4\x02\xec\xf0\x1fO')
[12/Jan/2013 14:15:25] "??P??]M?A50?%????O" 400 -
[12/Jan/2013 14:15:25] code 400, message Bad request syntax ('\x16\x03\x01\x00\x98\x01\x00\x00\x94\x03\x01P\xf1\xc4]\x8eg\xbey\x155\xafiP5\x85r\xb4|\x8c\x
Any advice?

Infinite-redirects means you have set SECURE_SSL_REDIRECT to True, but in production your site runs behind an SSL-stripping proxy server, so Django can't tell that the request is already in fact SSL, so it continually tries to redirect to SSL. As noted in the linked docs, you need to figure out what header your proxy sets to indicate an externally-SSL request, and set the SECURE_PROXY_SSL_HEADER setting accordingly.
Using the production settings locally will not work because Django's development server does not support SSL. The strange terminal output is your browser trying to make an SSL handshake with a server that doesn't understand SSL.
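As an added illustration (not Django's own code and not part of the answer above), here is a simplified model of the two pieces of logic the answer refers to: HttpRequest.scheme, which consults SECURE_PROXY_SSL_HEADER, and SecurityMiddleware's redirect check (SECURE_REDIRECT_EXEMPT and SECURE_SSL_HOST are left out). The function names, the host example.test and the request dicts are constructed for the demo.

```python
from typing import Optional, Tuple

ProxyHeader = Optional[Tuple[str, str]]  # e.g. ("HTTP_X_FORWARDED_PROTO", "https")

def request_scheme(meta: dict, wsgi_scheme: str, proxy_header: ProxyHeader) -> str:
    """Mirrors HttpRequest.scheme: if SECURE_PROXY_SSL_HEADER is configured and the
    header is present, its value decides; otherwise trust wsgi.url_scheme.
    Only enable this when the proxy overwrites the header on every request;
    otherwise a client can send it and claim a plain-HTTP request is secure."""
    if proxy_header is not None:
        name, secure_value = proxy_header
        header_value = meta.get(name)
        if header_value is not None:
            header_value, *_ = header_value.split(",", 1)  # first hop wins
            return "https" if header_value.strip() == secure_value else "http"
    return wsgi_scheme

def security_middleware(meta: dict, wsgi_scheme: str, *,
                        ssl_redirect: bool, proxy_header: ProxyHeader) -> Optional[str]:
    """Mirrors SecurityMiddleware.process_request: return the HTTPS URL to
    redirect to (a 301), or None to let the request through."""
    if ssl_redirect and request_scheme(meta, wsgi_scheme, proxy_header) != "https":
        return "https://" + meta["HTTP_HOST"] + meta["PATH_INFO"]
    return None

def hops_behind_tls_proxy(proxy_header: ProxyHeader, limit: int = 5) -> int:
    """Browser talks HTTPS to the proxy; the proxy forwards plain HTTP to Django
    with X-Forwarded-Proto: https. Count 301s until Django serves the page
    (`limit` stands in for the browser giving up with 'too many redirects')."""
    meta = {"HTTP_HOST": "example.test", "PATH_INFO": "/",  # constructed request
            "HTTP_X_FORWARDED_PROTO": "https"}
    hops = 0
    while hops < limit:
        if security_middleware(meta, "http", ssl_redirect=True,
                               proxy_header=proxy_header) is None:
            return hops
        hops += 1  # browser follows the 301 and gets the same answer again
    return hops

if __name__ == "__main__":
    print("without SECURE_PROXY_SSL_HEADER:", hops_behind_tls_proxy(None), "redirects (loop)")
    print("with SECURE_PROXY_SSL_HEADER:",
          hops_behind_tls_proxy(("HTTP_X_FORWARDED_PROTO", "https")), "redirects")
```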

Related

When inserting a lot of data : No 'Access-Control-Allow-Origin' header is present on the requested resource

I'm working on a React and Django API project, using PostgreSQL as the database, and I deployed my website using nginx and gunicorn.
I have a problem on my deployed website when I try to insert a lot of data (add studies);
I'm getting this error:
Access to XMLHttpRequest at 'http://192.168.85.126:8000/api/new-study/'
from origin 'http://192.168.85.126' has been blocked by CORS policy:
No 'Access-Control-Allow-Origin' header is present on the requested resource.
PS: I'm not getting this error when I try to add less data, in my development environment I can add whatever data I want, the problem is only happening in production
Let me guess: you're not using gunicorn in your development environment, but only manage.py runserver, are you? That's why it was running, as the "development server" is easier and looser on security than gunicorn.
This is a security issue, as your system is blocking requests from an unknown origin:
Your server: http://192.168.85.126:8000
The request origin: http://192.168.85.126 <<< no port, so it is considered a different server
To fix the issue, in settings.py, add the CSRF_TRUSTED_ORIGINS parameter like this:
CSRF_TRUSTED_ORIGINS = ['http://192.168.85.126:8000', 'http://192.168.85.126']
Furthermore, if you're going to use SSL later (https), then you will also have to add a CSRF_TRUSTED_ORIGINS entry for each https server.

How to solve ERR_TOO_MANY_REDIRECT when deploying django rest framework web app to Azure?

I deployed a web app based on Django REST framework on Heroku and Azure.
The same app on Heroku works fine.
But when I access it on Azure, it causes an ERR_TOO_MANY_REDIRECT error.
I googled and found that turning SECURE_SSL_REDIRECT off solved the ERR_TOO_MANY_REDIRECT error.
However, it causes 403 CSRF error instead.
I need to find another way to fix ERR_TOO_MANY_REDIRECT or find a way to fix 403 CSRF error.
Can anyone help me to solve this issue?
If your app is on "Azure App Service", the HTTPS connection will be terminated before it reaches your web worker. Your app will see an incoming HTTP request instead. In this case you need to set SECURE_SSL_REDIRECT = False indeed. If you want to enforce HTTPS (which is a good practice) you can do so in the Azure settings: https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-bindings#enforce-https
About the CSRF-related error: because Azure translates HTTPS to HTTP, you need to configure Django to allow POST requests from a different scheme (since Django 4.0) by adding this to settings.py:
CSRF_TRUSTED_ORIGINS = ["https://YOUR-DOMAIN.com", "https://www.YOUR-DOMAIN.com"]
If this does not solve your problem, you can temporarily set DEBUG = True in production and try again. On the error page, you will see a "Reason given for failure" that you can post here.

django code 400, message Bad request version ('î\x9el\x00$\x13\x01\x13\x03\x13\x02À+À/̨̩À,À0À')

I was trying to implement 'Securing Django Admin login with OTP', however I can't log in to the admin panel now. I removed the app from everywhere but it still doesn't work. Any solution for this?
[05/Feb/2021 21:39:49] code 400, message Bad request version ('î\x9el\x00$\x13\x01\x13\x03\x13\x02À+À/̨̩À,À0À')
[05/Feb/2021 21:39:49] You're accessing the development server over HTTPS, but it only supports HTTP.
If you are on the development version you can't use an https connection on your localhost, so just change your URL to http and the error will disappear.
ex:
https://localhost:8000
or
https://127.0.0.1:8000
just turn it to
http://localhost:8000
or
http://127.0.0.1:8000
or maybe just 127.0.0.1:8000
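The "Bad request version" bytes in the question above are the start of a TLS ClientHello that the browser sent to a server expecting plain HTTP. As an added illustration (not Django's code and not part of the answer), this decoder reads the TLS record and handshake headers from such a prefix; the samples are the first eleven bytes of the log lines quoted in the questions on this page, the 2013 one (record version 3.1, client version 3.2) and the 2018 one (where the logged characters "À" and "¼" are the bytes 0xC0 and 0xBC).

```python
import struct
from typing import Optional

TLS_NAMES = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
HANDSHAKE_RECORD = 0x16        # TLS ContentType.handshake
CLIENT_HELLO = 0x01            # HandshakeType.client_hello

# Prefixes copied from the log lines on this page (see lead-in).
SAMPLE_2013 = b"\x16\x03\x01\x00\x98\x01\x00\x00\x94\x03\x02"
SAMPLE_2018 = b"\x16\x03\x01\x00\xc0\x01\x00\x00\xbc\x03\x03"

def describe_tls_prefix(data: bytes) -> Optional[dict]:
    """Describe the TLS record + handshake headers at the start of `data`,
    or return None when the bytes do not open a TLS handshake record
    (a real HTTP request starts with ASCII such as b'GET ')."""
    if len(data) < 11 or data[0] != HANDSHAKE_RECORD:
        return None
    # Record header: type(1) version(2) length(2)
    rec_major, rec_minor, rec_len = struct.unpack("!BBH", data[1:5])
    # Handshake header: type(1) length(3), then the ClientHello's own version(2)
    hs_type = data[5]
    hs_len = int.from_bytes(data[6:9], "big")
    cli_ver = (data[9], data[10])
    if hs_type != CLIENT_HELLO:
        return None
    return {
        "record_version": f"{rec_major}.{rec_minor}",
        "record_length": rec_len,
        "handshake": "ClientHello",
        "handshake_length": hs_len,
        # TLS 1.3 clients still put 3.3 here and negotiate 1.3 via an extension.
        "client_version": TLS_NAMES.get(cli_ver, f"{cli_ver[0]}.{cli_ver[1]}"),
    }

if __name__ == "__main__":
    for sample in (SAMPLE_2013, SAMPLE_2018, b"GET / HTTP/1.1\r\n"):
        print(sample[:8], "->", describe_tls_prefix(sample))
```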

Django says my development server doesn't support HTTPS, even though I've disabled it

I've developed my own website on Django for a while, and today I started to learn how to deploy it. I added this to my settings.py:
SECURE_SSL_REDIRECT = True,
This caused the development server to stop working properly, with this error message:
[13/Jan/2018 16:56:49] code 400, message Bad request syntax ('\x16\x03\x01\x00À\x01\x00\x00¼\x03\x03ßà\x84¼+Jnßþn-ñ\x88ý©vAþK\x83¤²êT\x86\x0b.\x8em\x0b:â\x00\x00\x1cÚÚÀ+À/À,À0̨̩À\x13À\x14\x00\x9c\x00\x9d\x00/\x005\x00')
[13/Jan/2018 16:56:49] code 400, message Bad HTTP/0.9 request type ('\x16\x03\x01\x00À\x01\x00\x00¼\x03\x03\x87')
[13/Jan/2018 16:56:49] You're accessing the development server over HTTPS, but it only supports HTTP.
[13/Jan/2018 16:56:49] You're accessing the development server over HTTPS, but it only supports HTTP.
[13/Jan/2018 16:56:49] code 400, message Bad request version ('JJÀ+À/À,À0̨̩À\x13À\x14\x00\x9c\x00\x9d\x00/\x005\x00')
[13/Jan/2018 16:56:49] You're accessing the development server over HTTPS, but it only supports HTTP.
Why has my server stopped working properly?
Note that when I changed the setting back to SECURE_SSL_REDIRECT = False, the problem didn't go away.
You configured your Django site to enforce https by setting SECURE_SSL_REDIRECT = True, which is a very good idea for a production setup.
If you set the SECURE_SSL_REDIRECT setting to True, SecurityMiddleware will permanently (HTTP 301) redirect all HTTP connections to HTTPS.
For this reason (and also others) you usually have separate settings for development and production. There are a few things that nearly always differ.
Read this to get to know some approaches on how to deal with it: Django: How to manage development and production settings?
NOTE
If your browser received a 301 once from your site, changing the setting back might have no direct effect, as the browser cached the target URL and does not send a request over HTTP. You need to clear or disable your browser's cache in that case.
The browser has cached the http->https redirect from the previous request when it was working with SECURE_SSL_REDIRECT=True.
Turning it off server side will not affect that cached redirect.
You can selectively clear that for your dev server's url/ip (not everything in the browser cache) and get things working by:
Shutdown your Django dev server
Go to http://127.0.0.1:8000 - it will give you a 404
Open up Chrome's dev tools
Click and hold on the "Reload" button
Select: "Empty Cache & Hard Reload"
Restart Django dev server
Hit http://127.0.0.1:8000 again
If you are part of a team, you can use a variable to set the development environment, e.g. DJANGO_DEV=development
After that you can check, if current environment is a DEV env and set the specific values.
Read more about this approach on this answer
You might try editing your Edit Configuration and run the server on a different port. In pycharm I changed run -> edit_configurations -> host = 127.0.0.1, Port = 8001.
I then reran the Python Interpreter and it launched again in a new browser without the https. You might need to first change the settings options to select SECURE_SSL_REDIRECT = False in your local_settings or settings.

Getting "Can't verify CSRF token authenticity" error on Chrome. Works fine on Safari

I get the error on any POST requests (for logging in, or posting data through forms) using Chrome browser. You can try it out at http://52.xx.xx.xxx/users/login. Just use any username / password - should give you:
The change you wanted was rejected.
Here is a snippet of the error from the logs:
W, [2017-07-10T08:40:16.486974 #11349] WARN -- : Can't verify CSRF token authenticity
I, [2017-07-10T08:40:16.487259 #11349] INFO -- : Completed 422 Unprocessable Entity in 1ms (ActiveRecord: 0.0ms)
D, [2017-07-10T08:40:16.487526 #11349] DEBUG -- : User excluded error: #<ActionController::InvalidAuthenticityToken: ActionController::InvalidAuthenticityToken>
The exact same login request, or other post requests go through on Safari. The site has a self signed certificate. So, I've changed Chrome settings to trust the certificate and accept cookies.
Please suggest what else I should look for and what other logs might be helpful in debugging the issue. I've looked at quite a few SO threads over the past 2 days and couldn't find anything that solved my issue.
Edit:
Removed the IP address to prevent unnecessary traffic to the site.
So I got around the problem by using https instead of http at the start of the URL. As expected, Chrome throws up the security-related warnings, but adding an exception allows POST requests to go through without errors.
Safari was somehow able to redirect my requests (with http or nothing at all) to https, because of which it was working. Tried with http on Safari and ended up with the same issue.
Marking this as solved, since the original observation doesn't hold anymore. I need to figure out how to make the http and non-http requests redirect to https on my nginx backend and that should fix the issue.