Using HTTPS in my Django site - django

I have created a website using Django, and one of the requirements is that it must use HTTPS protocol.
I have already deployed it in a VPS using Apache without problems.
What documentation/tips/snippet do you suggest me to achieve this?

HTTPS/SSL has nothing to do with Django as such; you must set the Apache configuration correctly using mod_ssl. See
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
and go through articles such as
http://www.thegeekstuff.com/2011/03/install-apache2-ssl/

As Anurag said, this is Apache related. You could try something like this in your httpd.conf or similar configuration file (mod_rewrite as well as a correctly installed certificate required):
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R,L]

As already noted, you don't need to do anything special for Django to work with SSL. If you want to enforce SSL, you can verify that the incoming request to a given view is over SSL by checking the request.is_secure() method (I have used this in the past to make a simple require_ssl decorator).

Related

Create htaccess file for domain redirection (Django app deployed in Heroku)

Situation:
I've bought a specific domain, let's say 'example.ch' for my Django application which is deployed in Heroku. I also created an automated SSL certificate on Heroku (ACM). This certificate is valid for the WWW-subdomain, i.e. ACM Status says 'OK'. It fails for the non-WWW root domain, so I deleted the root domain entry on Heroku.
Issue:
When I type 'https://www.example.ch' in the browser, I find my secure webpage and everything is fine.
When I type 'www.example.ch' in the browser, I find my webpage but it is not secure.
When I type 'example.ch' in the browser, the webpage cannot be found.
Goal:
I would like to type 'www.example.ch' as well as 'example.ch' in the browser to be always redirected to 'https://www.example.ch'.
Approach (so far):
My Host (swizzonic.ch) does not allow for 'Alias' records. 'A' records are possible but not supported by Heroku (https://help.heroku.com/NH44MODG/my-root-domain-isn-t-working-what-s-wrong). Swizzonic support told me to use a htaccess-file for redirection.
As I understand so far, I have to extend my middleware accordingly (?). Note that I use the common options for SSL redirection (SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https'), SECURE_SSL_REDIRECT = True, SESSION_COOKIE_SECURE = True, CSRF_COOKIE_SECURE = True).
How can I create a htaccess-file, where do I have to store it and what does the content look like?
Many thanks in advance!

Could you please try the following rules in your .htaccess file. Please make sure your .htaccess file is working (to enable it you could go through its documentation). This will convert every non-HTTPS request to HTTPS, with or without www in the domain name.
Please clear your browser cache before testing your URLs.
RewriteEngine ON
# only plain-http requests; %{HTTPS} is the variable mod_rewrite sets
RewriteCond %{HTTPS} !on
# %1 captures the domain without an optional leading "www."
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.*)$ [NC]
# send both example.ch and www.example.ch to https://www.example.ch/...
RewriteRule ^ https://www.%1%{REQUEST_URI} [R=301,NE,L]

Redirect all urls to new domain but some specific urls

Good morning all. I have a WordPress website and I want to redirect all URLs to a new domain except:
http://domain.it/?page_id=3668
http://domain.it/?team={name}-{surname}
I wrote this code in the htaccess file:
#RewriteCond %{QUERY_STRING} !^team=([a-z-]+)$
#RewriteCond %{QUERY_STRING} !^page_id=3668$
#RewriteRule ^(.*)$ https://newdomain.it/ [L,R=301]
but it does not work correctly. In the Network tab of the Firefox developer tools, I see that there are some resources that are loaded from newdomain.it (for example css and images).
What am I doing wrong?

This probably is what you are looking for:
RewriteEngine on
RewriteCond %{HTTP_HOST} ^old\.example\.com$
RewriteCond %{QUERY_STRING} ^page_id=3668$ [OR]
RewriteCond %{QUERY_STRING} ^team=\w+-\w+$
RewriteRule ^ - [END]
RewriteRule ^/?(.*)$ https://new.example.com/$1 [R=301]
This allows the two domains to be served by the same http server, but that is not a requirement. If you operate two separate http servers then these rules belong in the one serving the old domain, obviously.
It is a good idea to start out with a 302 temporary redirection and only change that to a 301 permanent redirection later, once you are certain everything is correctly set up. That prevents caching issues while trying things out...
In case you receive an internal server error (http status 500) using the rule above then chances are that you operate a very old version of the Apache http server. You will see a definite hint to an unsupported [END] flag in your http server's error log file in that case. You can either try to upgrade or use the older [L] flag; it probably will work the same in this situation, though that depends a bit on your setup.
This implementation will work likewise in the http server's host configuration or inside a dynamic configuration file (".htaccess" file). Obviously the rewriting module needs to be loaded inside the http server and enabled in the http host. In case you use a dynamic configuration file you need to take care that its interpretation is enabled at all in the host configuration and that it is located in the host's DOCUMENT_ROOT folder.
And a general remark: you should always prefer to place such rules in the http server's host configuration instead of using dynamic configuration files (".htaccess"). Those dynamic configuration files add complexity, are often a cause of unexpected behavior, are hard to debug and they really slow down the http server. They are only provided as a last option for situations where you do not have access to the real http server's host configuration (read: really cheap service providers) or for applications insisting on writing their own rules (which is an obvious security nightmare).

Convert only one page to https in django

Using this https I can convert my entire project to https.
But I just want to convert only one page to https. All other pages should be in http.
Example: I have the following URLs:
url(r'^related-product/$', related_product),
url(r'^payment-status/$', paymentStatus),
url(r'^get-kitchenstyle-images/$', singleKitchenStylesImages),
url(r'^makepayment/$', makepayment),
url(r'^add-accessory-to-session/$', add_accessory_to_session),
I have to call only makepayment over https. All other URLs stay http.
Is this possible?
If so, how can I do this?

Edit your Apache configuration file.
Your specific URL is makepayment:
# enable the rewrite engine
RewriteEngine On
# only apply the rule when the connection is not already HTTPS
RewriteCond %{HTTPS} !=on
# redirect just this path (with anything after it) to its HTTPS equivalent
RewriteRule ^/?makepayment/(.*) https://%{SERVER_NAME}/makepayment/$1 [R,L]
You could force ssl by:
a proxy
the server
django middleware
As you only want one URL to be rewritten, the quick-fix solution would be to add a rewrite rule, which depends on your server setup. Are you using nginx? lighttpd? Apache?
You can also find a few middleware snippets on Google that are easy to adjust to check for a specific URL.
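A per-view HTTPS guard of the kind the answers mention (the require_ssl decorator in the first answer, and the "only makepayment over https" case of this question), as an added example that is not from any answer on this page. It uses constructed Request/Response stand-ins so it runs without Django; in a real project you would decorate the view with it and return HttpResponsePermanentRedirect / HttpResponseBadRequest instead, and request.is_secure() behind a TLS-terminating proxy is only trustworthy when SECURE_PROXY_SSL_HEADER is set and the proxy always overwrites that header.

```python
from functools import wraps

# Assumed project setting, same shape as Django's SECURE_PROXY_SSL_HEADER:
# honour the proxy header only when a trusted TLS-terminating proxy always
# overwrites it, otherwise a client can spoof "https" and skip the redirect.
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")

class Request:
    """Constructed stand-in for django.http.HttpRequest (not Django's class)."""

    def __init__(self, method, host, path, scheme="http", meta=None):
        self.method, self.host, self.path = method, host, path
        self.scheme, self.META = scheme, dict(meta or {})

    def is_secure(self):
        # Same rule Django's is_secure() applies: direct TLS, or the trusted header.
        header, value = SECURE_PROXY_SSL_HEADER
        return self.scheme == "https" or self.META.get(header) == value

    def get_host(self):
        return self.host

    def get_full_path(self):
        return self.path

class Response:
    """Constructed stand-in for HttpResponse / HttpResponsePermanentRedirect."""

    def __init__(self, status_code, body="", location=None):
        self.status_code, self.content = status_code, body
        self.headers = {"Location": location} if location else {}

def require_https(view):
    """Serve the view only over HTTPS: 301 GET/HEAD to https://, refuse the
    rest with 400 (their body already crossed the wire in clear text)."""
    @wraps(view)
    def wrapper(request, *args, **kwargs):
        if request.is_secure():
            return view(request, *args, **kwargs)
        if request.method in ("GET", "HEAD"):
            target = "https://%s%s" % (request.get_host(), request.get_full_path())
            return Response(301, location=target)
        return Response(400, "HTTPS required")
    return wrapper

@require_https
def makepayment(request):
    # the one view from the question that must only ever be served over HTTPS
    return Response(200, "payment form")
```

Only the decorated view is affected; the other URL patterns from the question stay reachable over plain http, which is what this question asked for.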

Forcing https in Django

I'm trying to encrypt my entire site over SSL. However, I'm not finding a clear cut way to do this with Django 1.4. Does anyone know a solution?

You could use a middleware such as those provided in django-secure or you could handle this at the Apache/Nginx/HAProxy level by redirecting all HTTP requests to HTTPS.
On Apache + Django (1.6) this can be done in a number of ways, but a simple one, placed in the .htaccess or httpd.conf file, is:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
Here's a link for further info on it:
http://wiki.apache.org/httpd/RewriteHTTPToHTTPS
To be sure the session and CSRF cookies are not leaked by the client over plain http connections you should ensure that they are set as 'secure cookies' and only sent by the client over https. This can be done as follows in your settings.py file:
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
An intro to django security, including SSL/HTTPS (a must read):
https://docs.djangoproject.com/en/1.6/topics/security/

How to enable SSL for a whole django site with apache2+ubuntu 11?

I need to enable SSL for one of my Django sites, in its entirety. Currently the site is hosted with Apache2 on Ubuntu 11.1 and is only accessible through http. I'd like to know the following:
1) Apache configuration for enabling SSL for this site.
2) Django related changes for the same, if any.
Another question of the same kind is unanswered, so asking here again.

You may do it by adjusting your Apache config like this:
# Turn on Rewriting
RewriteEngine on
# Apply this rule If request does not arrive on port 443
RewriteCond %{SERVER_PORT} !443
# RegEx to capture the request, the URL to send it to (tacking on the captured text, stored in $1), redirect it, and, oh, I'm the last rule.
RewriteRule ^(.*)$ https://www.x.com/dir/$1 [R,L]
Note that this is taken from https://serverfault.com/questions/77831/how-to-force-ssl-https-on-apache-location.
There shouldn't be any changes necessary for Django.
HTH.