I am using Django on DotCloud which uses Django on top of uwsgi + nginx. I am trying to redirect all http traffic to https which is leading to a redirect loop. I am using the following http configuration
if ($http_x_forwarded_port != 443) { rewrite ^ https://$http_host/; }
It seems that Django doesn't understand that it is operating on https and the header is not preserved. It redirects https://url.com/ to http://url.com/accounts/login/ which is redirecting again and again leading to a redirect loop. I am not really an expert in nginx and do not understand it well enough. What can I be doing wrong?
In short how do I run redirect http to https in django running on top of uswsgi and nginx.
I needed a bit more to make Django aware that it should be using https.
In settings.py I added
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
And in the nginx configuration
location / {
proxy_set_header X-Forwarded-Proto https;
include uwsgi_params;
uwsgi_param UWSGI_SCHEME https;
uwsgi_pass_header X_FORWARDED_PROTO;
uwsgi_pass unix:///path/to/socket;
}
server {
listen 80;
server_name yourhttphost;
rewrite ^ https://yourhttpshost$request_uri? permanent; #301 redirect
}
server {
listen 443;
server_name yourhttpshost;
........
the rest
........
}
Using "if" in nginx config is a very bad idea!
if ( $scheme = "http" ) {
rewrite ^/(.*)$ https://$host/ permanent;
}
Related
I'm trying to test a deployment config for a Django setup that works fine in development mode.
I have name-based routing via Nginx's ssl_preread module on a load balancer, and SSL terminates at another Nginx instance on the server itself where the requests are proxied to uwsgi by socket.
server {
server_name dev.domain.net;
listen 80 proxy_protocol;
listen [::]:80 proxy_protocol;
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name dev.domain.net;
listen 443 ssl;
listen [::]:443 ssl;
location / {
include uwsgi_params;
uwsgi_pass unix:/run/uwsgi/website.sock;
}
location /favicon.ico {
access_log off; log_not_found off;
}
}
I have uwsgi set to log %(host) and %(referer), they match in the logs.
In my uwsgi_params I'm passing $host and $referer like so, since I'm using name-based routing I pick up the $server_name variable that triggered the Nginx response...
uwsgi_param HTTP_REFERER $server_name;
uwsgi_param HTTP_HOST $host;
Adding (or taking away) protocols and ports to these makes no difference. Taking them away predictably generates a Django ALLOWED_HOSTS debug error.
I've confirmed that my ALLOWED_HOSTS includes the $host. I've tried adding CSRF_TRUSTED_ORIGINS for the same $host variable. I've tried setting CSRF_COOKIE_DOMAIN for the same $host variable. I have CSRF_COOKIE_SECURE set to True per the docs recommendation.
No matter what combination of the above settings are used, I get:
Referer checking failed - Referer is malformed. on all POST requests.
Short answer: don't use the uwsgi unix socket, but rather use http-socket and send the proxy request to localhost over unencrypted http (in uwsgi ini file):
http-socket = 127.0.0.1:8001
In nginx, get rid of uwsgi proxy params and simply proxy_pass with proxy_protocol headers enabled:
server {
server_name dev.domain.net;
listen 443 ssl proxy_protocol;
listen [::]:443 ssl proxy_protocol;
location / {
proxy_pass http://127.0.0.1:8001;
}
location /favicon.ico {
access_log off; log_not_found off;
}
}
At that point you can enable all of the recommended deployment settings in the Django docs, explicitly declare your ALLOWED_HOSTS and everything works fine.
These are a quite silly series of hoops with no apparent correct set of answers, especially considering referers are client headers that are easily forged.
The better answer is Django needs to get rid of a client referer check in its CSRF mechanism, it's pointless and makes no sense...
I have a domain binging a IP:
a.a.com -> 1.1.1.1
In 1.1.1.1 has a nginx , for access a.a.com/bbb/ to 2.2.2.2's django service.
`
#1.1.1.1
server {
listen 8090;
server_name localhost;
location /bbb/ {
proxy_pass 2.2.2.2:8000;
}
}
`
when I input a.a.com/bbb/, I can access, it's ok.
But when Django login's session timeout , It automatic redirect a.a.com:8090/bbb/.
I want to ask how to automatic redirect a.a.com/bbb/.
ps. the 8090 port cant access
Sorry my poor English , Thanks.
Use proxy_redirect off:
location /bbb/ {
proxy_pass 2.2.2.2:8000;
proxy_redirect off;
}
proxy_redirect off tells nginx that, if the backend returns an HTTP redirect, it should leave it as is. (By default, nginx assumes the backend is stupid and tries to be smart; if the backend returns an HTTP redirect that says "redirect to http://localhost:8000/somewhere", nginx replaces it with something similar to "http://yourowndomain.com/somewhere", or, in your case, "http://yourowndomain.com:8090/somewhere". Django is smart enough so there is no need for nginx to do such things.)
To distribute load and implement security in our application we have taken elastic Load Balancer from amazon and SSL is configured on it.Now the redirection from http to https is not working in nginx configuration on server or instances which is attached on ELB.
Here is following nginx configuration:-
server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
server_name new.example.com;
access_log /var/log/nginx/domain-access.log;
location / {
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://127.0.0.1:8000;
}
}
Firstly the server is not supporting https URLs then I add some proxy settings in configuration but now issue is that redirection is not working i have used the following commands in ngnix configuration to redirect http to https :-
#version 1
server{
return 301 https://$server_name$request_uri;
}
#version 2
server {
rewrite ^(.*) https://$host$1 permanent;
}
Application deployed on server is build using django framework.
When I've done something similar, then I've set up the ELB HTTPS to redirect to HTTP port 80 on the node. I've then set up a second nginx vhost on the node, e.g. on port 81, which directs to return 301 https://$server_name$request_uri; and set up the ELB http listener to redirect to that port (where $server_name obviously points to the domain CNAME of the ELB)
I then make sure that the instances behind the ELB cannot be accessed from outside my VPC using security groups.
If you are using Django, you can use it to do the redirection, this give a lot of flexibilty like enabling HTTPS redirects only on production server or choose which urls to redirect from:
# Honor the 'X-Forwarded-Proto' header for request.is_secure()
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOCOL', 'https')
# Redirect to HTTPS in production
SECURE_SSL_REDIRECT = not DEBUG
# Disable redirection on this urls
SECURE_REDIRECT_EXEMPT = [
'^legacy/api/',
]
I have https://testsite.com working on django + gunicorn + nginx + https.
My nginx conf (everything fine):
server {
listen 80;
server_name testsite.com;
access_log off;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
server_name *.testsite.com;
proxy_set_header X-Forwarded-Protocol $scheme;
# lots of sll staff
location / {
# point to gunicorn
proxy_pass http://176.112.198.254:8000/;
}
}
I need to implement cities on subdomains pointing to subdirectories (exept main_city).
So i need urls like this:
https://testsite.com/some_url/ should point to https://testsite.com/main_city/some_url/
https://city1.testsite.com/some_url/ should point to https://testsite.com/city1/some_url/
https://city2.testsite.com/some_url/ should point to https://testsite.com/city2/some_url/
How can i do that?
Big thx for help!
You have to define upstrem directive. Currently your nginx can not proxy to your web application.
http://nginx.org/en/docs/http/ngx_http_upstream_module.html
upstream backend {
server backend1.example.com weight=5;
server backend2.example.com:8080;
server unix:/tmp/backend3;
server backup1.example.com:8080 backup;
server backup2.example.com:8080 backup;
}
server {
location / {
proxy_pass http://backend;
}
}
I am trying to use nginx as a simple load balancer for django per Jacob Kaplan-Moss' example:
http://github.com/jacobian/django-deployment-workshop
http://python.mirocommunity.org/video/1689/pycon-2010-django-deployment-w
If I stop nginx and have apache listen on port 80 everything works fine. If I have apache listening to nginx my urls break.
When nginx is running, http://184.106../admin/ works, but http://184.106../admin (missing ending slash) breaks. It redirects to the name of the web server http://web1/admin/
I know it is nginx causing the issue because the redirect works fine in apache and django dev server.
Here is the nginx.conf that is running:
# Nginx conf (/etc/nginx/nginx.conf).
#
# Basic setup
#
user www-data;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;
#
# Event/worker setup.
#
worker_processes 4;
events {
worker_connections 100;
}
#
# HTTP configuration
#
http {
include /etc/nginx/mime.types;
# HTTP upstream for load balancers.
# Replace the IPs below with IPs (or names) of your upstream Apaches
upstream sitename {
server 10.X.X.X:8000;
server 10.X.X.X:8000;
}
# The actual HTTP sever.
server {
listen 80;
# Don't proxy static files like robots.txt and favicon.ico.
location ~ ^/(favicon.ico|robots.txt|sitemap.xml)$ {
alias /home/web/static/$1;
}
# Serve media directly out of Nginx for performance
location /media {
alias /home/media;
}
# Proxy everything else to the backend
location / {
proxy_pass http://sitename;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
add_header X-Handled-By $upstream_addr;
}
}
}
I had the exact same problem you had, following Jacob's nginx example, and not having a slash would cause improper redirects. pjmorse's response helped me, I set the server_name in the server block ( server { server_name: vasir.net; .... ) and it fixed the problem. However, I had to restart the server first and