WebFaction

Well, I was wondering what the recommended way is for securing the Django admin site with the WebFaction certificate. An internet search recommends the use of a middleware (which I'm not familiar with), but I was wondering: is there a recommended and easy way of doing so on WebFaction?

asked 01 Dec '10, 22:45

neb

edited 01 Dec '10, 22:46


Yes, there is a much easier way to do this than through a middleware component. Simply host your Django application on two website records simultaneously -- one for HTTP, and one for HTTPS. The front-end Nginx webserver will handle removing the encryption layer and then forward the request to your Django application. This allows SSL to be used transparently with your existing application.

Optionally, you can then implement a redirect in your httpd.conf for the HTTPS website to redirect to your HTTP site, for all URLs that do not fall under /admin. For example:

RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-SSL} on
RewriteCond %{REQUEST_URI} !^/admin
RewriteRule .* http://%{HTTP_HOST}%{REQUEST_URI} [R,L]

And you may want a parallel one for redirecting non-HTTPS requests for /admin to the HTTPS site:

RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-SSL} !on
RewriteCond %{REQUEST_URI} ^/admin
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

answered 02 Dec '10, 00:58

ryans ♦♦

How would I use this, for example, when I "host your django application on two website records simultaneously" where one is prefixed with secure.mysite.com and the other is just www.mysite.com ?

More specifically, what I'm asking about is the http.conf ... are they dynamic variables declared elsewhere? Or are they hand-modified by me for these example URLs?

(11 May '11, 13:13) JBlack

@JBlack:

The variables shown above are the HTTP headers that come in with the request.

If secure.mysite.com is HTTPS-only, and www.mysite.com is HTTP-only, then you should be able to use the above example without modification, since the SSL header is the condition that controls the rewrites.

If not and you need a condition that checks for the hostname used in the request, then you can use the %{HTTP_HOST} variable in a rewrite condition, like this:

RewriteEngine on

# force HTTP for the www subdomain
RewriteCond %{HTTP:X-Forwarded-SSL} on
RewriteCond %{HTTP_HOST} www.mysite.com
RewriteCond %{REQUEST_URI} !^/admin
RewriteRule .* http://%{HTTP_HOST}%{REQUEST_URI} [R,L]

# force HTTPS for the secure subdomain
RewriteCond %{HTTP:X-Forwarded-SSL} !on
RewriteCond %{HTTP_HOST} secure.mysite.com
RewriteCond %{REQUEST_URI} ^/admin
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
(11 May '11, 15:58) seanf

If I want login and checkout to be under a secure SSL URL as well, can I comma-separate additional subfolders in this same rule? Do I repeat the line "RewriteCond %{REQUEST_URI} !^/admin" for each folder I want within the condition statements? Or do I declare each one in their individual sections with repeating lines of code?

(17 May '11, 15:20) JBlack

I'd do it by using a single regex like "(admin|login|checkout)" that matches any of the URLs that you want to redirect, e.g.:

RewriteEngine on

# force HTTP for the www subdomain
RewriteCond %{HTTP:X-Forwarded-SSL} on
RewriteCond %{HTTP_HOST} www.mysite.com
RewriteCond %{REQUEST_URI} !^/(admin|login|checkout)
RewriteRule .* http://%{HTTP_HOST}%{REQUEST_URI} [R,L]

# force HTTPS for the secure subdomain
RewriteCond %{HTTP:X-Forwarded-SSL} !on
RewriteCond %{HTTP_HOST} secure.mysite.com
RewriteCond %{REQUEST_URI} ^/(admin|login|checkout)
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
(17 May '11, 15:59) seanf
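
The same policy enforced inside the application, as an added example that is not part of the thread: a WSGI middleware (the approach the question mentions) that can wrap the Django WSGI application as a second layer behind the rewrite rules. It assumes the two example hostnames from the comments above and that the front end overwrites any client-sent `X-Forwarded-SSL`; going beyond the rewrite rules, it anchors the path match so `/administrator` is not treated as `/admin`, redirects to fixed hostnames instead of echoing the `Host` header, and rejects non-GET requests to secure paths over plain HTTP instead of redirecting them.

```python
import re

# Path prefixes that must be served over HTTPS (same list as the rewrite rules),
# anchored so that e.g. /administrator does not count as /admin.
SECURE_PATHS = re.compile(r"^/(admin|login|checkout)(/|$)")


def is_ssl(environ):
    # The front-end proxy terminates TLS and reports it in X-Forwarded-SSL.
    # Assumption: the proxy overwrites any value a client sends for this header.
    return environ.get("HTTP_X_FORWARDED_SSL", "") == "on"


def decide(environ, http_host="www.mysite.com", https_host="secure.mysite.com"):
    """Return None to pass the request through, else (status, location)."""
    path = environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "")
    query = environ.get("QUERY_STRING", "")
    url = path + ("?" + query if query else "")
    wants_ssl = SECURE_PATHS.match(path) is not None
    if wants_ssl == is_ssl(environ):
        return None  # already on the right scheme
    if wants_ssl:
        if environ.get("REQUEST_METHOD", "GET") not in ("GET", "HEAD"):
            # A form body has already crossed the wire in clear text; a
            # redirect would hide that, so fail loudly instead.
            return ("403 Forbidden", None)
        return ("302 Found", "https://" + https_host + url)
    return ("302 Found", "http://" + http_host + url)


class SchemeByPath:
    """WSGI middleware applying decide() in front of any WSGI application."""

    def __init__(self, app, **hosts):
        self.app = app
        self.hosts = hosts  # optional http_host= / https_host= overrides

    def __call__(self, environ, start_response):
        verdict = decide(environ, **self.hosts)
        if verdict is None:
            return self.app(environ, start_response)
        status, location = verdict
        headers = [("Content-Length", "0")]
        if location:
            headers.append(("Location", location))
        start_response(status, headers)
        return [b""]
```

Wrap the project's WSGI callable with `SchemeByPath(...)` to use it. Django's own `SECURE_PROXY_SSL_HEADER` setting is what makes `request.is_secure()` honour the same header.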

I'm not sure if this is what everyone means, but the simplest solution I have found is this:

  1. Log in to your WebFaction control panel.
  2. Under Domains/websites choose websites, then select the website you wish to secure with SSL.
  3. Click the button to edit it.
  4. Check the box that says Https*?
  5. Click update.
  6. Try visiting https://yoursite.com.

It might take a little while for the update to take effect. One of the other answers shows you how to update your httpd.conf to redirect only /admin to HTTPS.

As a note, I noticed that when I first checked https and updated, the HTTPS version of the site didn't work. Then I unchecked it and pressed update again. The HTTPS version of the site immediately started working but then stopped after a few minutes. I checked it again, and it didn't work (I'm assuming after some period of time it would start working), so I unchecked it, made sure it worked, which it did, and then immediately rechecked the option. It continued working and hasn't stopped since.


answered 18 Jan '11, 13:06

jcartmell

If you want a site to work on HTTP and HTTPS, then you must create two site records, one for each.

(18 Jan '11, 14:55) seanf

Never mind on this, apparently that forces the whole site to HTTPS, and doesn't maintain the normal HTTP.

(18 Jan '11, 17:12) jcartmell

question asked: 01 Dec '10, 22:45

question was seen: 9,748 times

last updated: 17 May '11, 17:22

                              