bpssl 1.0 documentation

2. Limiting access to secure requests

«  1. Installation   ::   Contents   ::   3. Settings  »

2. Limiting access to secure requests

2.1. Limiting Access via URLs

One way to specify which requests should be treated as secure is to identify them by url. This way setting entire sets of urls to be secure is easy and maintenance is fairly painless.

For instance one might want to set all of a user’s account information to be accessed via secure requests so you could set all urls under /accounts/ to be secure urls. The same might apply for making payments under /payment or some other such scheme.

2.1.1. Using the SSLRedirectMiddleware

class beproud.django.ssl.middleware.SSLRedirectMiddleware

Using the SSLRedirectMiddleware you can add secure request redirection over your whole site.

SSLRedirectMiddleware uses a setting called SSL_URLS to determine which urls will be accessed via SSL (HTTPS). You set this setting the in your settings.py. SSL_URLS is a list of regular expressions that are checked against the request url as it is found in request.path_info. If one of the regular expressions matches then the URL is treated as a secure url and non-secure accesses are redirected to the secure url. For instance, using the setup below if a request is recieved for the url http://www.example.com/login/, the user will be redirected to https://www.example.com/login/ because the url matches a the SSL_URLS settings. The paths matched against the regular expression are different from urls.py in that they start with a ‘/’ so keep that in mind.

SSL_URLS = (
    '^/login/',
    '^/purchase/'
    # ...
)

In case there are some urls you want to be accessable via HTTP or HTTPS, you can set those in the SSL_IGNORE_URLS setting. For instance, static files served by your application or i18n javascript would typically be accessable via both HTTP and HTTPS. SSL_IGNORE_URLS is defined exactly like SSL_URLS.

SSL_IGNORE_URLS = (
    '^/i18n_js$',
    '^/static/',
    # ...
)

SSLRedirectMiddleware does the following:

  • If the request url matches a url in SSL_IGNORE_URLS then do nothing.
  • If the request url matches a url in SSL_URLS and the request is not-secure then the user is redirected to the secure version of the page.
  • If the request url does not match a url in SSL_URLS and the request is secure then the user is redirected to the non-secure version of the page.

Note

Secure requests to non-secure pages are redirected to the non-secure url because pages that can be accessed via multiple urls can confuse search engines and is not particularly RESTful.

2.2. Limiting Access to Views

One might also want to limit access to particular views because they encapsulate some kind of functionality that should be accessed in a secure way. Multiple urls could be accessing this view so it may not make sense to maintain the security settings as URLs.

2.2.1. The RAW Way

Because some urls may change or multiple urls could be handled by the same view, you may want to limit access to secure requests at the view level. The simple raw way to limit access to pages to secure requests is to check request.is_secure() to see if the request is secure:

from django.http import HttpResponseRedirect
from django.http import get_host

def my_secure_view(request):
    if request.is_secure():
        return HttpResponseRedirect("https://%s%s" % (get_host(request), request.get_full_path()))
    # ...

However, by limiting access this way the SSLRedirectMiddleware has no way of knowing that the page is secure and thus may conflict with your view unless you add the URL to SSL_IGNORE_URLS.

2.2.2. The ssl_view decorator

beproud.django.ssl.decorators.ssl_view()

As a shortcut the ssl_view() decorator is provided to indicate that your view should be restricted to secure requests. Example:

from beproud.django.ssl.decorators import ssl_view

@ssl_view
def my_secure_view(request):
    ...

ssl_view() implements the same functionality as the SSLRedirectMiddleware but works without having to set the URL in SSL_URLS. SSLRedirectMiddleware will also recognize views using the ssl_view() decorator and won’t conflict with your view.

2.3. Using an HTTP Reverse Proxy

class beproud.django.ssl.middleware.SSLProxyMiddleware

SSLProxyMiddleware will update the request object to make sure that request.is_secure() returns true when processing a secure request from a properly set up HTTP reverse proxy server. See Web Server Setup for more info on how to set up reverse proxy web servers to work with SSLProxyMiddleware.

You will need to set the SSL_REQUEST_HEADER setting to the name and value of the header you use to pass whether a request is secure or not. The default value of this setting is shown below:

SSL_REQUEST_HEADER = ('HTTP_X_FORWARDED_PROTOCOL', 'https')

SSLProxyMiddleware does the following:

Note

SSLProxyMiddleware should be set as early as possible in your MIDDLEWARE_CLASSES setting so that any middleware which looks at request.is_secure() will get the right value. At the very least it should be before your SSLRedirectMiddleware.

«  1. Installation   ::   Contents   ::   3. Settings  »