2

I would like to know how to put my entire Django site behind HTTPS. If anyone tries to come via HTTP I want that user to be redirected to HTTPS. Currently, Firefox is giving me the error "Firefox has detected that the server is redirecting the request for this address in a way that will never complete."

My setup is:

1. One AWS load balancer (ELB) with an SSL certificate. The ELB has two listeners:

  • load balancer port 80 (HTTP) pointing to instance port 80 (HTTP)
  • load balancer port 443 (HTTPS) pointing to instance port 80 (HTTP)

2. One EC2 instance behind the ELB running nginx/uWSGI

nginx configuration

server {

        listen 80;
        return 301 https://$host$request_uri;
}

server {

        listen 443 ssl;
        set $home /server/env.example.com;

        client_max_body_size 10m;
        keepalive_timeout 120;


        location / {

               uwsgi_pass uwsgi_main;
               include uwsgi_params;
               uwsgi_param SCRIPT_NAME "";
               uwsgi_param UWSGI_CHDIR $home/project;
               uwsgi_param UWSGI_SCRIPT wsgi;
               uwsgi_param UWSGI_PYHOME $home;
             }
}

uwsgi configuration

# file: /etc/init/uwsgi.conf
description "uWSGI starter"
start on (local-filesystems
and runlevel [2345])
stop on runlevel [016]
respawn
exec /usr/local/sbin/uwsgi \
--uid www-data \
--socket 127.0.0.1:5050 \
--master \
--logto /var/log/uwsgi_main.log \
--logdate \
--optimize 2 \
--processes 8 \
--harakiri 120 \
--vhost \
--no-site \
--post-buffering 262144

3. Django settings file has the following settings specific to SSL/HTTPS:

SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True

Any ideas how to properly set up HTTPS?

Thanks

Binary Maze
  • http://serverfault.com/questions/67316/in-nginx-how-can-i-rewrite-all-http-requests-to-https-while-maintaining-sub-dom – Grumpy Jan 16 '13 at 07:20
  • @Grumpy: I followed the instructions on the link but could not get it to work behind an ELB. The browser communicates with the ELB via HTTPS and the ELB uses HTTP to communicate with the EC2 instance. Not sure if the response from the EC2 instance back to the ELB remains secure before it gets sent back to the browser via HTTPS. – Binary Maze Jan 17 '13 at 04:23
  • Can someone tell me if I redirect to HTTPS do I need to provide SSL info in the Nginx config file? I would like to maintain the SSL cert on the ELB rather than each EC2 instance to cut maintenance efforts. – Binary Maze Jan 17 '13 at 04:35
  • 2
    @BinaryMaze the answer is no. ELB is an HTTPS terminator if configured with an SSL certificate, meaning (as described above) that all traffic on your app servers is simple HTTP. However, you want to upgrade all traffic to HTTPS right? The question is, how do we know which traffic came through HTTPS? That’s what the X-Forwarded-Proto header is for. ELB will set this to the protocol used. Have your framework respond with redirects when this header has a value that is not "https". – Jökull May 01 '13 at 10:32
  • Did you figure this out? – nu everest Nov 19 '14 at 04:32

2 Answers

2

I believe that from Django 1.4 onwards you can just set SECURE_SSL_REDIRECT = True in your settings.py file
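The header check described in Jökull's comment (redirect unless X-Forwarded-Proto is "https"), written as WSGI middleware; this is an added example, not code from any post on this page. The names `ForwardedProtoRedirect`, `simulate`, `ALLOWED_HOSTS`, `HEALTH_PATH` and the stand-in `app` are assumptions, as is the premise that ELB health checks arrive without the header.

```python
from wsgiref.util import setup_testing_defaults

ALLOWED_HOSTS = {"www.example.org"}  # assumption: the site's public host name
HEALTH_PATH = "/healthz"             # hypothetical ELB health-check path


def app(environ, start_response):
    """Stand-in for the Django WSGI application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ["wsgi.url_scheme"].encode()]


class ForwardedProtoRedirect:
    """Redirect to HTTPS unless the ELB says the client already used it."""
    def __init__(self, wrapped):
        self.wrapped = wrapped

    def __call__(self, environ, start_response):
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "").strip().lower()
        path = environ.get("PATH_INFO") or "/"
        if proto == "https":
            environ["wsgi.url_scheme"] = "https"  # app sees the client's scheme
            return self.wrapped(environ, start_response)
        if path == HEALTH_PATH:  # assumed: health checks carry no header
            return self.wrapped(environ, start_response)
        host = environ.get("HTTP_HOST", "")
        if host not in ALLOWED_HOSTS:
            # Never build a redirect target from an unvalidated Host header.
            start_response("400 Bad Request", [("Content-Length", "0")])
            return [b""]
        query = environ.get("QUERY_STRING", "")
        location = "https://" + host + path + ("?" + query if query else "")
        start_response("301 Moved Permanently",
                       [("Location", location), ("Content-Length", "0")])
        return [b""]


def simulate(path, proto=None, host="www.example.org", query=""):
    """Run one constructed request; return (status, Location header or None)."""
    environ = {"PATH_INFO": path, "QUERY_STRING": query, "HTTP_HOST": host}
    setup_testing_defaults(environ)
    if proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = proto
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    ForwardedProtoRedirect(app)(environ, start_response)
    return seen["status"], seen["headers"].get("Location")
```

In Django itself, `SECURE_SSL_REDIRECT` combined with `SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")` performs the same header check. The header is only trustworthy when the instance accepts traffic exclusively from the ELB, since a client that reaches the instance directly can set it.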

1
  1. Set up your AWS ELB mapping ELB:80 to instance:80 and ELB:443 to instance:1443.
  2. Bind nginx to listen on port 80 and 1443.
  3. Forward requests arriving at port 80 to port 443.


NGINX Setup

server {
   listen         80;
   server_name    www.example.org;
   rewrite        ^ https://$server_name$request_uri? permanent;
}

server {
   listen         1443;
   server_name    www.example.org;
} 
nu everest