NOTE Stephen updated his original snippet http://www.djangosnippets.org/snippets/85/ to work with WebFaction, please use his version now
This code is 95% from Stephen Zabel's snippet at http://www.djangosnippets.org/snippets/85/. However, his snippet, as it was, wouldn't work when enabling SSL for the admin site on Webfaction. For some reason, the default request.is_secure() doesn't behave properly with Webfaction's setup and redirects.
One thing Webfaction does do is add X-Forwarded-ssl='on' to any https requests. So instead of using request.is_secure(), I've just used that.
To setup the admin site with SSL on Webfaction, do the following:
- Install this middleware wherever you like, and add it to settings.py
- In your Webfaction panel, create your 'django' application ("application" in the Webfaction sense, not the Django sense)
- Create two sites. The first, your main site (which I'll call example.com), should use the application 'django' mounted at '/'. Do not have HTTPS enabled on this site.
- For the second site, also use the application 'django', and again mount it to '/', but this time enable HTTPS.
- In your urls.py, modify the admin URL as follows:
(r'^admin/', include('django.contrib.admin.urls'), {'SSL':True} )
That should be it! The admin section of the site now requires SSL (as specified in urls.py), and if anyone tries to access the admin via regular http, a redirect to https will occur.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 | __license__ = "Python"
__copyright__ = "Copyright (C) 2007, Stephen Zabel, Jay Parlar"
__author__ = "Stephen Zabel - [email protected]"
__contributors__ = "Jay Parlar - [email protected]"
from django.conf import settings
from django.http import HttpResponseRedirect, HttpResponsePermanentRedirect, get_host
SSL = 'SSL'
def is_secure(request):
if 'HTTP_X_FORWARDED_SSL' in request.META:
return request.META['HTTP_X_FORWARDED_SSL'] == 'on'
return False
class SSLRedirect:
def process_view(self, request, view_func, view_args, view_kwargs):
if SSL in view_kwargs:
secure = view_kwargs[SSL]
del view_kwargs[SSL]
else:
secure = False
if not secure == is_secure(request):
return self._redirect(request, secure)
def _redirect(self, request, secure):
protocol = secure and "https" or "http"
newurl = "%s://%s%s" % (protocol,get_host(request),request.get_full_path())
if settings.DEBUG and request.method == 'POST':
raise RuntimeError, \
"""Django can't perform a SSL redirect while maintaining POST data.
Please structure your views so that redirects only occur during GETs."""
#return HttpResponseRedirect(newurl)
return HttpResponsePermanentRedirect(newurl) #I have not had time to test this, but it appears to work better.
|
More like this
- Template tag - list punctuation for a list of items by shapiromatron 9 months, 4 weeks ago
- JSONRequestMiddleware adds a .json() method to your HttpRequests by cdcarter 10 months ago
- Serializer factory with Django Rest Framework by julio 1 year, 4 months ago
- Image compression before saving the new model / work with JPG, PNG by Schleidens 1 year, 5 months ago
- Help text hyperlinks by sa2812 1 year, 6 months ago
Comments
Hey this is great. I modified it just slightly? What I would like to propose is that we check request.is_secure() in your is_secure() If that comes back as false then we use your test for the webfaction header. I think that having a single option for the end user that works in both cases is prolly a better solution.
If you have a chance... could you try out my change to the SSL Middleware code in your environment to make sure that it works correctly?
Thanks, Stephen
#
Wouldn't it make more sense to do this with a decorator? Either way it would be easy to add a decorator "frontend" to your middleware - and a nice feature :-)
#
Sorry to comment back so late... I actually originally wrote it as a decorator. but then I was left with having to add an @ssl and @notssl decorator to every action. Add in some @login_required and various permission decorators and it got messy vary fast.
IMO it also just "feels" like a better place to put it.
#
SMALL UPDATE:
change : 'if not secure == is_secure(request):' to: 'if not secure == self._is_secure(request) and secure != 'keep':'
It will keep your current protocol, if you use 'keep' in view args.
#
I think it would be much better to create a separate middleware for WebFaction which fixes the request object so that HttpRequest.is_secure() actually works. There are other places in Django that might rely on HttpRequest.is_secure() returning a correct value. I'll see if I can hack up a solution for this.
#
wow thanks its very help me Cream Pemutih Wajah Pemutih Wajah Alami Cream Pemutih Wajah Yang Aman
#
great i love this Cara Cepat Hamil
#
Please login first before commenting.