2

I would like to know how to put my entire django site behind HTTPS. If anyone tries to come via HTTP I want that user to be redirected to HTTPS. Currently, Firefox is giving me the error "Firefox has detected that the server is redirecting the request for this address in a way that will never complete."

My setup is :

1. One AWS load balancer (ELB) with an SSL certificate. The ELB has two listeners:

  • load balancer port 80 (HTTP) pointing to instance port 80 (HTTP)
  • load balancer port 443 (HTTPS) pointing to instance port 80 (HTTP)

2. One EC2 instance behind the ELB running nginx/uWSGI

nginx configuration

    server {
        listen 80;
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl;

        set $home /server/env.example.com;

        client_max_body_size 10m;
        keepalive_timeout 120;

        location / {
            uwsgi_pass uwsgi_main;
            include uwsgi_params;
            uwsgi_param SCRIPT_NAME "";
            uwsgi_param UWSGI_CHDIR $home/project;
            uwsgi_param UWSGI_SCRIPT wsgi;
            uwsgi_param UWSGI_PYHOME $home;
        }
    }

uwsgi configuration

    # file: /etc/init/uwsgi.conf
    description "uWSGI starter"

    start on (local-filesystems and runlevel [2345])
    stop on runlevel [016]

    respawn

    exec /usr/local/sbin/uwsgi \
    --uid www-data \
    --socket 127.0.0.1:5050 \
    --master \
    --logto /var/log/uwsgi_main.log \
    --logdate \
    --optimize 2 \
    --processes 8 \
    --harakiri 120 \
    --vhost \
    --no-site \
    --post-buffering 262144

3. Django settings file has the following settings specific to SSL/HTTPS

    SESSION_COOKIE_SECURE = True
    CSRF_COOKIE_SECURE = True

Any ideas how to properly set up HTTPS?

Thanks

5
  • serverfault.com/questions/67316/… Commented Jan 16, 2013 at 7:20
  • @Grumpy: I followed the instructions on the link but could not get it to work behind an ELB. The browser communicates with the ELB via HTTPS and the ELB uses HTTP to communicate with the EC2 instance. Not sure if the response from the EC2 instance back to the ELB remains secure before it gets sent back to the browser via HTTPS. Commented Jan 17, 2013 at 4:23
  • Can someone tell me if I redirect to HTTPS do I need to provide SSL info in the Nginx config file? I would like to maintain the SSL cert on the ELB rather than each EC2 instance to cut maintenance efforts. Commented Jan 17, 2013 at 4:35
  • 2
    @BinaryMaze the answer is no. ELB is an HTTPS terminator if configured with an SSL certificate, meaning (as described above) that all traffic on your app servers is simple HTTP. However, you want to upgrade all traffic to HTTPS right? The question is, how do we know which traffic came through HTTPS? That’s what the X-Forwarded-Proto header is for. ELB will set this to the protocol used. Have your framework respond with redirects when this header has a value that is not "https". Commented May 1, 2013 at 10:32
  • Did you figure this out? Commented Nov 19, 2014 at 4:32
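
The X-Forwarded-Proto check described in the comments above, as an added example that is not part of the original thread: a standard-library WSGI middleware that redirects only when the ELB reports that the client used plain HTTP, so requests arriving through the 443 listener are not redirected again. The `/healthz` path, the allowed host name and the helper names are assumptions, as is an instance that accepts traffic only from the ELB (otherwise a client could set the header itself).

```python
from urllib.parse import quote

# Assumptions (not from the page): /healthz, www.example.org as the only
# allowed host, and an instance reachable only through the ELB.
class ForceHTTPSBehindELB:
    def __init__(self, app, allowed_hosts, health_path="/healthz"):
        self.app = app
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.health_path = health_path

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "/")
        # A classic ELB health check expects a 200 over plain HTTP,
        # so the health path is never redirected.
        if path == self.health_path:
            return self.app(environ, start_response)
        # TLS ends at the ELB; the original scheme is only visible in
        # X-Forwarded-Proto. A missing header is treated as not-HTTPS.
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "").strip().lower()
        if proto == "https":
            return self.app(environ, start_response)
        # Build the redirect target only from a known host name, never
        # from an unvalidated Host header.
        host = environ.get("HTTP_HOST", "").split(":")[0].lower()
        if host not in self.allowed_hosts:
            start_response("400 Bad Request", [("Content-Length", "0")])
            return [b""]
        location = "https://" + host + quote(path)
        if environ.get("QUERY_STRING"):
            location += "?" + environ["QUERY_STRING"]
        start_response("301 Moved Permanently",
                       [("Location", location), ("Content-Length", "0")])
        return [b""]

def demo_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]

def call(app, environ):
    """Run one constructed request; return (status, headers dict, body)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body

APP = ForceHTTPSBehindELB(demo_app, allowed_hosts=["www.example.org"])
```
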

2 Answers

2

I believe that from Django 1.4 onwards you can just set SECURE_SSL_REDIRECT = True in your settings.py file.

1
  1. Set up your AWS ELB mapping ELB:80 to instance:80 and ELB:443 to instance:1443.
  2. Bind nginx to listen on port 80 and 1443.
  3. Forward requests arriving at port 80 to port 443.

aws elb setup

NGINX Setup

    server {
        listen 80;
        server_name www.example.org;
        rewrite ^ https://$server_name$request_uri? permanent;
    }

    server {
        listen 1443;
        server_name www.example.org;
    }
