I'm trying to encrypt my entire site over SSL. However, I'm not finding a clear cut way to do this with Django 1.4. Does anyone know a solution?
You could use a middleware such as those provided in django-secure or you could handle this at the Apache/Nginx/HAProxy level by redirecting all HTTP requests to HTTPS.
On apache+django (1.6) this can be done a number of ways but a simple way can be done in the .htaccess or httpd.conf file is:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URL}
Here's a link for further info on it:
http://wiki.apache.org/httpd/RewriteHTTPToHTTPS
To be sure the session and csrf cookies are not leaked by the client over plain http connections you should ensure that they are set as 'secure cookies' and only sent by the client over https. This can be done as follows in your settings.py file:
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
An intro to django security, including SSL/HTTPS (a must read):
https://docs.djangoproject.com/en/1.6/topics/security/
Related
Situation:
I've bought a specific domain, let's say 'example.ch' for my Django application which is deployed in Heroku. I also created an automated SSL certificate on Heroku (ACM). This certificate is valid for the WWW-subdomain, i.e. ACM Status says 'OK'. It fails for the non-WWW root domain, so I deleted the root domain entry on Heroku.
Issue:
When I type 'https://www.example.ch' in the browser, I find my secure webpage and everything is fine.
When I type 'www.example.ch' in the browser, I find my webpage but it is not secure
When I type 'example.ch' in the browser, the webpage cannot be found.
Goal:
I would like to type 'www.example.ch' as well as 'example.ch' in the browser to be always redirected to 'https://www.example.ch'.
Approach (so far):
My Host (swizzonic.ch) does not allow for 'Alias' records. 'A' records are possible but not supported by Heroku (https://help.heroku.com/NH44MODG/my-root-domain-isn-t-working-what-s-wrong). Swizzonic support told me to use a htaccess-file for redirection.
As I understand so far, I have to extend my middleware accordingly (?). Note that I use the common options for SSL redirection (SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https'), SECURE_SSL_REDIRECT = True, SESSION_COOKIE_SECURE = True, CSRF_COOKIE_SECURE = True).
How can I create a htaccess-file, where do I have to store it and how does the content look like?
Many thanks in advance!
Could you please try following Rules in your .htaccess file. Please make sure your .htaccess file is working fine(to enable it you could go through its documentation). This will convert every non http request to https with/without www in domain name.
Please clear your browser cache before testing your URLs.
RewriteEngine ON
RewriteCond https !on
RewriteCond %{HTTP_HOST} ^(?:www\.)(.*)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [R=301,NE,L]
Using this https i can convert my entire project to https.
But i just want to convert only one page to https. All other pages should be in http.
Exapmle i have the following URLs
url(r'^related-product/$', related_product),
url(r'^payment-status/$', paymentStatus),
url(r'^get-kitchenstyle-images/$', singleKitchenStylesImages),
url(r'^makepayment/$', makepayment),
url(r'^add-accessory-to-session/$', add_accessory_to_session),
I have to call only makepayment in https. All other url as http
Is this possible ?
If possible how can i do this
Edit your apache configuration file.
Your specific url is makepayment
RewriteEngine On
# enable the Rewrite
RewriteCond %{HTTPS} !=on
# checks to make sure the connection is not already HTTPS
RewriteRule ^/?makepayment/(.*) https://%{SERVER_NAME}/makepayment/$1 [R,L]
You could force ssl by:
a proxy
the server
django middleware
As you only want one url to be rewritten the quick fix solution would be to add a rewrite rule, which depends on your server setup. Are you using nginx? lighttpd? apache?
You can also find a few middleware snippets on google that are easy to adjust to check for a specific url.
I need to enable SSL for one of my entire django site. Currently the site is hosted with Apache2 in Ubuntu 11.1 and just accessible through http. I'd like to know the following,
1) Apache configuration for enabling ssl for this site.
2) Django related changes of the same, if any.
Another question of the same kind is unanswered, so asking here again.
You may do it by adjusting your apache config like this:
# Turn on Rewriting
RewriteEngine on
# Apply this rule If request does not arrive on port 443
RewriteCond %{SERVER_PORT} !443
# RegEx to capture request, URL to send it to (tacking on the captured text, stored in $1), Redirect it, and Oh, I'm the last rule.
RewriteRule ^(.*)$ https://www.x.com/dir/$1 [R,L]
Note that this is taken from https://serverfault.com/questions/77831/how-to-force-ssl-https-on-apache-location.
There shouldnt be any changes necessary for django.
HTH.
I have created a website using Django, and one of the requirements is that it must use HTTPS protocol.
I have already deployed it in a VPS using Apache without problems.
What documentation/tips/snippet do you suggest me to achieve this?
HTTPS/SSL has nothing to do with django as such, you must set apache configuration correctly using mod_ssl see
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
and go through such articles
http://www.thegeekstuff.com/2011/03/install-apache2-ssl/
As Anurag said, this is apache related, you could try something like this in your httpd.conf or similiar configuration file (mod_rewrite as well as correctly installed certificate required):
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
As already noted, you don't need to do anything special for Django to work with SSL. If you want to enforce SSL, you can verify that the incoming request to a given view is over SSL by checking the request.is_secure() method (I have used this in the past to make a simple require_ssl decorator).
I've got an e-shop on a virtual server that's been used as a subdirectory for the last few years, but now I'm finally giving the VS it's own domain name. What I really need is visitors to the old URL to be transparently (and 301) redirected to the new URL with everything after /eshop/ maintained and apended to the new host.
I.e. http://www.example.com/eshop/page.php -> http://www.newdomain.com/page.php
Any help would be greatly appreciated.
This should work with Apache:
RewriteEngine On
RewriteBase /
RewriteRule ^/eshop(/.*)? http://www.newdomain.com$1 [R=permanent,L]
This redirects http://www.example.com/eshop/whatever to http://www.newdomain.com/whatever and also redirects http://www.example.com/eshop to http://www.newdomain.com
You did not specify which web server you were using, but I assume its either apache or lighttpd.
In apache, you can use the Redirect keyword, e.g.
Redirect 301 / http://www.newdomain.com/
I haven't tried this, but see e.g. here:
http://www.yolinux.com/TUTORIALS/ApacheRedirect.html#APACHE
It seems to work with .htaccess files as well.
In lighttpd, there is mod_redirect (and I did try this :) ):
http://redmine.lighttpd.net/wiki/1/Docs:ModRedirect
EDIT:
Redirect 301 /eshop/ http://www.newdomain.com