Django snippets: SSL Middleware for Webfaction

__license__ = "Python"
__copyright__ = "Copyright (C) 2007, Stephen Zabel, Jay Parlar"
__author__ = "Stephen Zabel - sjzabel@gmail.com"
__contributors__ = "Jay Parlar - parlar@gmail.com"

from django.conf import settings
from django.http import HttpResponseRedirect, HttpResponsePermanentRedirect, get_host

SSL = 'SSL'

def is_secure(request):
    if 'HTTP_X_FORWARDED_SSL' in request.META:
        return request.META['HTTP_X_FORWARDED_SSL'] == 'on'
    return False

class SSLRedirect:
    def process_view(self, request, view_func, view_args, view_kwargs):
        if SSL in view_kwargs:
            secure = view_kwargs[SSL]
            del view_kwargs[SSL]
        else:
            secure = False

        if not secure == is_secure(request):
            return self._redirect(request, secure)

    def _redirect(self, request, secure):
        protocol = secure and "https" or "http"
        newurl = "%s://%s%s" % (protocol,get_host(request),request.get_full_path())
        if settings.DEBUG and request.method == 'POST':
            raise RuntimeError, \
"""Django can't perform a SSL redirect while maintaining POST data.
Please structure your views so that redirects only occur during GETs."""

        #return HttpResponseRedirect(newurl)
        return HttpResponsePermanentRedirect(newurl) #I have not had time to test this, but it appears to work better.

NOTE Stephen updated his original snippet http://www.djangosnippets.org/snippets/85/ to work with WebFaction, please use his version now

This code is 95% from Stephen Zabel's snippet at http://www.djangosnippets.org/snippets/85/. However, his snippet, as it was, wouldn't work when enabling SSL for the admin site on Webfaction. For some reason, the default request.is_secure() doesn't behave properly with Webfaction's setup and redirects.

One thing Webfaction does do is add X-Forwarded-ssl='on' to any https requests. So instead of using request.is_secure(), I've just used that.

To setup the admin site with SSL on Webfaction, do the following:

Install this middleware wherever you like, and add it to settings.py
In your Webfaction panel, create your 'django' application ("application" in the Webfaction sense, not the Django sense)
Create two sites. The first, your main site (which I'll call example.com), should use the application 'django' mounted at '/'. Do not have HTTPS enabled on this site.
For the second site, also use the application 'django', and again mount it to '/', but this time enable HTTPS.
In your urls.py, modify the admin URL as follows: (r'^admin/', include('django.contrib.admin.urls'), {'SSL':True} )

That should be it! The admin section of the site now requires SSL (as specified in urls.py), and if anyone tries to access the admin via regular http, a redirect to https will occur.

Author:: parlar
Posted:: May 16, 2007
Language:: Python
Tags:: ssl webfaction
Score:: 6 (after 6 ratings)

Tools

Comments

sjzabel (on July 3, 2007):

Hey this is great. I modified it just slightly? What I would like to propose is that we check request.is_secure() in your is_secure() If that comes back as false then we use your test for the webfaction header. I think that having a single option for the end user that works in both cases is prolly a better solution.

If you have a chance... could you try out my change to the SSL Middleware code in your environment to make sure that it works correctly?

Thanks, Stephen

chrj (on July 4, 2007):

Wouldn't it make more sense to do this with a decorator? Either way it would be easy to add a decorator "frontend" to your middleware - and a nice feature :-)

sjzabel (on July 25, 2007):

Sorry to comment back so late... I actually originally wrote it as a decorator. but then I was left with having to add an @ssl and @notssl decorator to every action. Add in some @login_required and various permission decorators and it got messy vary fast.

IMO it also just "feels" like a better place to put it.

hal (on November 18, 2008):

SMALL UPDATE:

change : 'if not secure == is_secure(request):' to: 'if not secure == self._is_secure(request) and secure != 'keep':'

It will keep your current protocol, if you use 'keep' in view args.

Django snippets

SSL Middleware for Webfaction

Tools

Comments

Snippets

About