SSL Middleware for Webfaction

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
__license__ = "Python"
__copyright__ = "Copyright (C) 2007, Stephen Zabel, Jay Parlar"
__author__ = "Stephen Zabel - sjzabel@gmail.com"
__contributors__ = "Jay Parlar - parlar@gmail.com"

from django.conf import settings
from django.http import HttpResponseRedirect, HttpResponsePermanentRedirect, get_host

SSL = 'SSL'

def is_secure(request):
    if 'HTTP_X_FORWARDED_SSL' in request.META:
        return request.META['HTTP_X_FORWARDED_SSL'] == 'on'
    return False

class SSLRedirect:
    def process_view(self, request, view_func, view_args, view_kwargs):
        if SSL in view_kwargs:
            secure = view_kwargs[SSL]
            del view_kwargs[SSL]
        else:
            secure = False

        if not secure == is_secure(request):
            return self._redirect(request, secure)

    def _redirect(self, request, secure):
        protocol = secure and "https" or "http"
        newurl = "%s://%s%s" % (protocol,get_host(request),request.get_full_path())
        if settings.DEBUG and request.method == 'POST':
            raise RuntimeError, \
"""Django can't perform a SSL redirect while maintaining POST data.
Please structure your views so that redirects only occur during GETs."""

        #return HttpResponseRedirect(newurl)
        return HttpResponsePermanentRedirect(newurl) #I have not had time to test this, but it appears to work better.

Comments

sjzabel (on July 3, 2007):

Hey this is great. I modified it just slightly? What I would like to propose is that we check request.is_secure() in your is_secure() If that comes back as false then we use your test for the webfaction header. I think that having a single option for the end user that works in both cases is prolly a better solution.

If you have a chance... could you try out my change to the SSL Middleware code in your environment to make sure that it works correctly?

Thanks, Stephen

#

chrj (on July 4, 2007):

Wouldn't it make more sense to do this with a decorator? Either way it would be easy to add a decorator "frontend" to your middleware - and a nice feature :-)

#

sjzabel (on July 25, 2007):

Sorry to comment back so late... I actually originally wrote it as a decorator. but then I was left with having to add an @ssl and @notssl decorator to every action. Add in some @login_required and various permission decorators and it got messy vary fast.

IMO it also just "feels" like a better place to put it.

#

hal (on November 18, 2008):

SMALL UPDATE:

change : 'if not secure == is_secure(request):' to: 'if not secure == self._is_secure(request) and secure != 'keep':'

It will keep your current protocol, if you use 'keep' in view args.

#

spookylukey (on August 28, 2009):

I think it would be much better to create a separate middleware for WebFaction which fixes the request object so that HttpRequest.is_secure() actually works. There are other places in Django that might rely on HttpRequest.is_secure() returning a correct value. I'll see if I can hack up a solution for this.

#

spookylukey (on August 28, 2009):

OK, my attempt at fixing WebFaction is here: http://www.djangosnippets.org/snippets/1706/

Then, this middleware doesn't have to have WebFaction specific hacks.

#

(Forgotten your password?)

You may use Markdown syntax here, but raw HTML will be removed.