发表新帖
发表新帖

How to enable https in Django-auth generated pages?

后端 未结
关注
2 1298
感动是毒
感动是毒 2021-02-02 03:08

Using the Django-auth application (Django version 1.3), I want to have my login page go to https://mysite.com/login/. Currently, I\'m using:

# urls.
2条回答
  • 清酒与你
    清酒与你 (楼主)
    2021-02-02 03:22

    Set OS environmental variable HTTPS to on

    You need to enable the OS environmental variable HTTPS to 'on' so django will prepend https to fully generated links (e.g., like with HttpRedirectRequests). If you are using mod_wsgi, you can add the line:

    os.environ['HTTPS'] = "on"

    to your wsgi script. You can see the need for this by reading django/http/__init__.py:

    def build_absolute_uri(self, location=None):
    """
    Builds an absolute URI from the location and the variables available in
    this request. If no location is specified, the absolute URI is built on
    ``request.get_full_path()``.
    """
    if not location:
        location = self.get_full_path()
    if not absolute_http_url_re.match(location):
        current_uri = '%s://%s%s' % (self.is_secure() and 'https' or 'http',
                                     self.get_host(), self.path)
        location = urljoin(current_uri, location)
    return iri_to_uri(location)

def is_secure(self):
    return os.environ.get("HTTPS") == "on"

    Secure your cookies

    In settings.py put the lines

    SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True

    and cookies will only be sent via HTTPS connections. Additionally, you probably also want SESSION_EXPIRE_AT_BROWSER_CLOSE=True. Note if you are using older versions of django (less than 1.4), there isn't a setting for secure CSRF cookies. As a quick fix, you can just have CSRF cookie be secure when the session cookie is secure (SESSION_COOKIE_SECURE=True), by editing django/middleware/csrf.py:

    class CsrfViewMiddleware(object):
   ...
   def process_response(self, request, response):
       ...
       response.set_cookie(settings.CSRF_COOKIE_NAME,
            request.META["CSRF_COOKIE"], max_age = 60 * 60 * 24 * 7 * 52,
            domain=settings.CSRF_COOKIE_DOMAIN,
            secure=settings.SESSION_COOKIE_SECURE or None)

    Direct HTTP requests to HTTPS in the webserver

    Next you want a rewrite rule that redirects http requests to https, e.g., in nginx

    server {
   listen 80;
   rewrite ^(.*) https://$host$1 permanent;
}

    Django's reverse function and url template tags only return relative links; so if you are on an https page your links will keep you on the https site.

    0 讨论(0)
 看不清?
提交回复
热议问题