
Well, I was wondering what the recommended way is for securing the Django admin site with a WebFaction certificate. An internet search recommends the use of a middleware (which I'm not familiar with), but I was wondering: is there a recommended and easy way of doing so in WebFaction?

asked Dec 01 '10 at 22:45


neb
2116

edited Dec 01 '10 at 22:46


Yes, there is a much easier way to do this than through a middleware component. Simply host your Django application on two website records simultaneously -- one for HTTP, and one for HTTPS. The front-end Nginx webserver will handle removing the encryption layer, which then forwards to your Django application. This allows SSL to be used transparently with your existing application.

Optionally, you can then implement a redirect in your httpd.conf for the HTTPS website to redirect to your HTTP site, for all URLs that do not fall under /admin. For example:

RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-SSL} on
RewriteCond %{REQUEST_URI} !^/admin
RewriteRule .* http://%{HTTP_HOST}%{REQUEST_URI} [R,L]

And you may want a parallel one for redirecting non-HTTPS requests for /admin to the HTTPS site:

RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-SSL} !on
RewriteCond %{REQUEST_URI} ^/admin
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

answered Dec 02 '10 at 00:58


ryans ♦♦
29461420

How would I use this, for example, when I "host your django application on two website records simultaneously" where one is prefixed with secure.mysite.com and the other is just www.mysite.com ?

More specifically, what I'm asking is the http.conf ... are they dynamic variables declared elsewhere? Or are they hand modified by me for these example urls.

(May 11 '11 at 13:13) JBlack

@JBlack:

The variables shown above are the HTTP headers that come in with the request.

If secure.mysite.com is HTTPS-only, and www.mysite.com is HTTP-only, then you should be able to use the above example without modification, since the SSL header is the condition that controls the rewrites.

If not and you need a condition that checks for the hostname used in the request, then you can use the %{HTTP_HOST} variable in a rewrite condition, like this:

RewriteEngine on

# force HTTP for the www subdomain
RewriteCond %{HTTP:X-Forwarded-SSL} on
RewriteCond %{HTTP_HOST} www.mysite.com
RewriteCond %{REQUEST_URI} !^/admin
RewriteRule .* http://%{HTTP_HOST}%{REQUEST_URI} [R,L]

# force HTTPS for the secure subdomain
RewriteCond %{HTTP:X-Forwarded-SSL} !on
RewriteCond %{HTTP_HOST} secure.mysite.com
RewriteCond %{REQUEST_URI} ^/admin
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
(May 11 '11 at 15:58) seanf ♦♦

If I want login and checkout to be under a secure ssl url as well, can I comma-separate additional subfolders in this same rule? Do I repeat the line "RewriteCond %{REQUEST_URI} !^/admin" for each folder I want within the condition statements? Or do I declare each one in their individual sections with repeating lines of code?

(May 17 '11 at 15:20) JBlack

I'd do it by using a single regex like "(admin|login|checkout)" that matches any of the URLs that you want to redirect, e.g.:

RewriteEngine on

# force HTTP for the www subdomain
RewriteCond %{HTTP:X-Forwarded-SSL} on
RewriteCond %{HTTP_HOST} www.mysite.com
RewriteCond %{REQUEST_URI} !^/(admin|login|checkout)
RewriteRule .* http://%{HTTP_HOST}%{REQUEST_URI} [R,L]

# force HTTPS for the secure subdomain
RewriteCond %{HTTP:X-Forwarded-SSL} !on
RewriteCond %{HTTP_HOST} secure.mysite.com
RewriteCond %{REQUEST_URI} ^/(admin|login|checkout)
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
(May 17 '11 at 15:59) seanf ♦♦
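
Added example, not part of the thread and not WebFaction's or Django's own code: the two rewrite rules from the first answer expressed as a small WSGI middleware in Python, so the redirect decision can be unit-tested. The host allow-list, the `(/|$)` path boundary and the names `redirect_target` and `SchemeRedirectMiddleware` are assumptions added here.

```python
import re

# Constructed values: hostnames follow the thread's examples; the function and
# class names are illustrative, not WebFaction or Django APIs.
ALLOWED_HOSTS = {"www.mysite.com", "secure.mysite.com"}
# Same alternation as the thread's regex, plus a (/|$) boundary so that
# /administrator or /login-help are not treated as secure paths.
SECURE_PATHS = re.compile(r"^/(admin|login|checkout)(/|$)")


def redirect_target(host, path, forwarded_ssl, query=""):
    """Return the redirect URL, or None to serve the request unchanged."""
    host = host.lower()
    if host not in ALLOWED_HOSTS:
        # Host is client-supplied; never copy an unknown value into Location.
        raise ValueError("unexpected Host header")
    # Only meaningful when the front-end proxy is the sole route to the app
    # and sets this header itself.
    is_https = forwarded_ssl == "on"
    wants_https = SECURE_PATHS.match(path) is not None
    if is_https == wants_https:
        return None
    scheme = "https" if wants_https else "http"
    url = "%s://%s%s" % (scheme, host, path)
    return url + "?" + query if query else url


class SchemeRedirectMiddleware:
    """WSGI wrapper applying redirect_target() before the wrapped app runs."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        try:
            target = redirect_target(
                environ.get("HTTP_HOST", ""),
                environ.get("PATH_INFO", "/"),
                environ.get("HTTP_X_FORWARDED_SSL", ""),
                environ.get("QUERY_STRING", ""),
            )
        except ValueError:
            start_response("400 Bad Request", [("Content-Length", "0")])
            return [b""]
        if target is None:
            return self.app(environ, start_response)
        start_response("302 Found", [("Location", target), ("Content-Length", "0")])
        return [b""]
```

Unlike the rewrite rules, this version answers 400 for a Host value outside the allow-list instead of reflecting it into the redirect.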

I'm not sure if this is what everyone means, but the simplest solution I have found is this:

  1. Log in to your webfaction control panel.
  2. Under Domains/websites choose websites, then select the website you wish to secure with ssl.
  3. Click the button to edit it.
  4. Check the box that says Https*?
  5. Click update.
  6. Try visiting https://yoursite.com.

It might take a little while for the update to take effect. One of the other answers shows you how to update your httpd.conf to redirect only /admin to https.

As a note, I noticed that when I first checked https and updated, the https version of the site didn't work. Then I unchecked it and pressed update again. The https version of the site immediately started working but then stopped after a few minutes. I checked it again, and it didn't work (I'm assuming after some period of time it would start working), so I unchecked it, and made sure it worked, which it did, and then immediately rechecked the option. It continued working and hasn't stopped since.

answered Jan 18 '11 at 13:06


jcartmell
11

If you want a site to work on HTTP and HTTPS, then you must create two site records, one for each.

(Jan 18 '11 at 14:55) seanf ♦♦

Never mind on this, apparently that forces the whole site https, and doesn't maintain the normal http.

(Jan 18 '11 at 17:12) jcartmell