Login

SSL / HTTPS Middleware for Redirection and href Rewriting

Author:
DrMeers
Posted:
April 27, 2010
Language:
Python
Version:
1.1
Score:
2 (after 2 ratings)

See docstrings for details. To use, add to MIDDLEWARE_CLASSES in settings.py, and in your views.py:

  1. from path.to.this.middleware import secure
  2. Decorate SSL views with @secure
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
from django.core.urlresolvers import resolve
from django.conf import settings
from django.http import HttpResponsePermanentRedirect
from django.contrib.sites.models import Site
import re

CURRENT_DOMAIN = Site.objects.get(id=settings.SITE_ID).domain
HREF_PATTERN = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)

def secure(func):
    """ Decorator for secure views. """
    def _secure(*args, **kwargs):
        return func(*args, **kwargs)
    _secure.is_secure = True
    _secure.__name__ = func.__name__
    return _secure

class SSLMiddleware(object):
    """ Redirects requests and rewrites URLs to correct HTTP/HTTPS protocol.

    Based on use of @secure decorator above to specify HTTPS views.

    The process_request method also intercepts insecure requests for secure
    methods and vice-versa and returns a permanent HTTP redirect to the
    correct URL.

    The process_response method prepends the correct protocol and domain as
    required to href attributes within HTML responses:
    
    - If request is secure, all absolute URLs which resolve to non-@secure
      views (or begin with MEDIA_URL) will be prepended with
      http://<CURRENT_DOMAIN>
    - If request is not secure, all URLs which resolve to @secure views will
      be prepended with https://<CURRENT_DOMAIN>
    - Relative URLs and fully-qualified URLs (anything that doesn't begin with
      a forward slash) is left untouched.

    """

    def _add_protocol(self, protocol, url):
        return '%s://%s%s' % (protocol, CURRENT_DOMAIN, url)

    def _resolves_to_secure_view(self, url):
        try:
            view_func, args, kwargs = resolve(url)
        except:
            return None
        else:
            return getattr(view_func, 'is_secure', False)

    def _correct_protocol(self, request, url):
        if request.is_secure():
            if url.startswith(settings.MEDIA_URL):
                if url.startswith('/'):
                    url = self._add_protocol('http', url)
            elif url.startswith('/'):
                if not self._resolves_to_secure_view(url):
                    url = self._add_protocol('http', url)
        else:
            if url.startswith('/'):
                if self._resolves_to_secure_view(url):
                    url = self._add_protocol('https', url)
        return url
                    
    def process_request(self, request):
        """ Redirect request if protocol incorrect """
        url = self._correct_protocol(request, request.path)
        if url != request.path:
            if request.method == 'GET':
                return HttpResponsePermanentRedirect(url)
            elif settings.DEBUG:
                raise RuntimeError, 'Cannot redirect with POSTed data'

    def process_response(self, request, response):
        """ Correct protocols for all href attributes within HTML responses """
        if response['Content-Type'].find('html') >= 0:
            def rewrite_url(match):
                url = match.groups()[0]
                return 'href="%s"' % self._correct_protocol(request, url)
            try:
                decoded_content = response.content.decode('utf-8')
            except UnicodeDecodeError:
                decoded_content = response.content
            response.content = \
                HREF_PATTERN.sub(rewrite_url, decoded_content).encode('utf-8')
        return response

More like this

  1. Template tag - list punctuation for a list of items by shapiromatron 11 months, 2 weeks ago
  2. JSONRequestMiddleware adds a .json() method to your HttpRequests by cdcarter 11 months, 3 weeks ago
  3. Serializer factory with Django Rest Framework by julio 1 year, 6 months ago
  4. Image compression before saving the new model / work with JPG, PNG by Schleidens 1 year, 7 months ago
  5. Help text hyperlinks by sa2812 1 year, 7 months ago

Comments

robertstuart (on September 15, 2010):

Very nice, but I had a problem where the /admin/ application was being forced to (insecure) http: even where I entered https:

My solution was to revise the _ _correct__protocol routine:

def _correct_protocol(self, request, url):  
    if request.is_secure():  
        if url.startswith(settings.MEDIA_URL):  
            if url.startswith('/'):  
                url = self._add_protocol('http', url)  
        elif url.startswith('/admin/'):  
            pass  
        elif url.startswith('/'):  
            if not self._resolves_to_secure_view(url):  
                url = self._add_protocol('http', url)  
    else:  
        if url.startswith('/admin/'):  
            url = self._add_protocol('https', url)  
        elif url.startswith('/'):  
            if self._resolves_to_secure_view(url):  
                url = self._add_protocol('https', url)  
    return url

#

Please login first before commenting.