Running the django admin over https using apache2 - django

I have a django web application that's running on apache 2.2.14 and I want to run the admin application over https.
Having read considerable discussions on using a proxy, writing middleware, running alternative wsgi scripts, the chaps in #httpd came to my rescue. The solution is so simple, I was surprised I didn't find it online, so I'm curious to see if I've made some glaring assumptions or errors.
One complication was that I also wanted to run one of my django apps in the site over https, that is everything on /checkout.
Essentially, if a user requests a URI starting with /admin or /checkout on http, they are to be redirected to that URI but on https. Conversely, if a user requests a URI that does not start with /admin or /checkout on https, they are to be redirected to that URI but on http.
The key to solving this problem was to use Redirect and RedirectMatch directives in my VirtualHost configuration.
<VirtualHost *:80>
... host config stuff ...
Redirect /admin https://www.mywebsite.com/admin
Redirect /checkout https://www.mywebsite.com/checkout
</VirtualHost>
<VirtualHost *:443>
... ssl host config stuff ...
RedirectMatch ^(/(?!admin|checkout).*) http://www.mywebsite.com$1
</VirtualHost>

Another approach is to use #secure_required decorator. This will automatically rewrite the requested url and redirect to https://... version of the URL. Then you don't have to have Redirect in *:80 configuration. *:443 configuration may still be required for performance purpose if you want other traffic to go through normal http traffic.

I tried your solution, but ran into several problems. First, the formatting on the admin site disappeared, as if it could not find the admin static files. Second, if I tried to reach the non-admin site through https, the browser would not find it and redirect me to Yahoo search. Oddly, if I edited the yahoo search URL to eliminate all text except my correct URL (minus the http://), it would continue to search through yahoo for my site. However, typing the exact same URL afresh sent me to my site.
I solved all of these issues by simply removing the
RedirectMatch ^(/(?!admin|checkout).*) http://www.mywebsite.com$1
directive.
I should mention that I don't have a /checkout section on my site and am only trying to secure /admin. ... and yes, I did substitute my URL for "mywebsite.com"

What you described should work, but there may be a problem in the future if you need to make changes to which paths are/are not HTTPS. Because this method requires the ability to correctly modify the Apache config file it means you do not want novices in the loop. Screw up the config file and your site can go 500-error in the blink of an eye.
We chose to have a simple text file that had a list of the must-be-HTTPS paths. Anyone on the project can edit it and it is checked for correctness when it is loaded. We handle any needed redirects to/from HTTPS in middleware and it seems to work just fine. This method will also work if you are running anything other than Apache.

Related

Access django url without apache http basic authentication

I'm working on a Django 3.2 project which is hosted using Apache 2.4 server. The user authentication in this project is handled using HTTP Basic Authentication configured using LDAP.
I have implemented a sign up feature for new users. For that I have created the necessary form, view, template and url pattern in the Django project. The urlpattern to visit the sign up form is /signup.
My goal is to make the sign up urlpattern accessible to anyone i.e. prevent the Basic Authentication from showing when the sign up urlpattern is requested by user in the browser.
JFI, the complete Apache configuration is already complete and works already.
To achieve this, I have used the "LocationMatch" directive in the Apache configuration within the VirtualHost directive:
...
<LocationMatch "^/signup$">
Require all granted
</LocationMatch>
...
With this the Basic Authentication is removed when /signup URI is requested, but the server always redirects to another url which ultimately requires authentication hence giving the basic auth pop-up.
$ curl -I https://*****.com/signup
HTTP/1.1 302 Found
...
I have tried to redirect the request explicitly to /signup whenever the is /signup. This ends up in an endless loop of redirections.
RewriteEngine on
...
RewriteRule ^/signup$ /signup [R=301,L]
I have also tried other ways by setting environment variables within Apache configuration, I have restarted Apache whenever a change was done in config, I have cleared browser cache etc., but nothing seems be working.
FYI, I can access the /signup url successfully after logging into the application which is not useful for me.
I'm afraid I cannot share the complete source (apache config, django source etc.) here as the project is not completely open source yet. But I'm sure your suggestions would surely help me in some way.
I want to fix the redirection. I have no clue what I'm missing out here.

Regex - redirect from website.com to website.com/us and append substring

Can anyone help me correct my regex?
My hosting provides IP geolocation and I want to redirect US clients to another sub-directory of my website.
The website runs on a Nginx server and the hosting provides an interface where one can add redirection rules. The interface consists of Domain, Redirect from, Redirect To, Traffic from (country) and HTTP status code 301 or 302.
Example:
for all non-US clients website.com/blog/article/really-good-book
only for US clients website.com/us/blog/article/really-good-book
I currently have:
Redirect from ^/(?!us/)(.*)$
Redirect to /us/$1
This currently redirects me to website.com/us/index.php and nothing else. So the redirect is applied, it only appends index.php instead of blog/article/really-good-book.
Thank you for your help.
Eventually I found my own solution:
Redirect from ^(?!(/us|/index.php|/wp-admin|/wp-login.php))(.*)$
Redirect to /us/$1
I also added a rule for my wordpress backend, otherwise it would always redirect me back to website.com/us while trying to access website.com/us/wp-admin.

How Can i redirect url to another url with the .htaccess in cpanel

I want to redirect mysite.com/index.php to mysite.com/clientarea.php using .htaccess does not work for me help out.
with simple code.
I have tried several time and finally the site is not available
Try running Windows Network Diagnostics.
DNS_PROBE_FINISHED_NXDOMAIN
Based on that error, it appears you're redirecting to a different hostname than mysite.com - I assume unintentionally.
If you can post your .htaccess code, the solution may be easy to provide.

Using Mod Rewrite with DJango redirecting to Port Number

I have Mod rewrite set to pick up people who come to the root of my domain and redirect them to the proper language folder in my Django
Im running a new Django with mod_wsgi under apache. I have an apache instance with a virtual server set to port 8005 and my load balancer pointed to that server and port.
I have only one rule in Mod Rewrite to redirect to US folder
RewriteRule ^(|/|/index.html)$ /us/ [QSA,NE,R=302,L]
When I try to go to my www.site.com I see in my trace logs its trying to redirect to www.site.com:8005/us/ instead it should go to www.site.com/us/
If I go to www.site.com/us/ works fine
In the apache configs i needed add servername hostname I had a different hostname that was preventing it from redirecting properly. I haven esperienced this problem on my non Django sites

redirect clients connecting via "www.domain.com" to "domain.com" using django

it seems like google links to my page contain a "www." before the domain, this causes security errors since I'm reading data from the canvas and the images will be marked as cross-orign if they are from "www.x.com" rather than "x.com".
So i'm wondering what's the nicest way to redirect people from the url with the www. in it to one without?
(alternately, can I get google to link without the www?)
Thanks
The best way would be to let your webserver (apache/nginx) handle the redirect, instead of doing it in Django.
In nginx it could look something like this:
server {
listen 80;
server_name www.example.com;
rewrite ^(.*) http://example.com:80$1 permanent;
}
Of course you could do it in Django, simply check for the existence of the subdomain www and then redirect to the same URL without this subdomain. In this case you would need to add this logic to all of your views though (could be a decorator for example). Still, its hard to maintain and the better and simpler approach is the one I mentioned above.