Django and SSL


pythonista

Dec 10, 2014, 11:55:15 AM
to django...@googlegroups.com
I am getting a request from the security infrastructure and I could use some advice/recommendation.

This is a 3 tier application.

Apache/Django/SQL Server

Apache is https and there is a proxy server between.

The security team is saying that the communication from Django should also be ssl encrypted in case the proxy server goes down.

1. Can Django be hardened via SSL?
2. Don't Apache and the proxy server provide sufficient security so that SSL / Django is not required?

3. If the Proxy server goes down I can test some header responses to determine if the call is from a secure call and from the expected server
     If such security is required is that not sufficient?

Thanks in advance.

Brian Schott

Dec 10, 2014, 12:30:14 PM
to Django-Users
Hopefully you aren’t using the Django runserver command for actually running Django. This is really a configuration question relating to your WSGI application server. Gunicorn is popular and supports SSL.

http://gunicorn-docs.readthedocs.org/en/latest/settings.html#ssl

Brian Schott




pythonista

Dec 10, 2014, 1:22:34 PM
to django...@googlegroups.com
Is there a need for SSL if Apache (HTTPS) and a proxy are between Django and the outside world?

Doesn't the Apache server/proxy provide a sufficient layer of security?
Isn't it true that the data is being served through the server securely via HTTPS?

Thanks

Javier Guerra Giraldez

Dec 10, 2014, 1:32:25 PM
to django...@googlegroups.com
On Wed, Dec 10, 2014 at 1:22 PM, pythonista
<software....@gmail.com> wrote:
> Is there a need for SSL if Apache (HTTPS) and a proxy are between Django and
> the outside world?


If they're serving Django with Apache, they should be using mod_wsgi;
in that case not only is there no more need for SSL, there's no space
for SSL between Apache and Django.

--
Javier

Erik Cederstrand

Dec 11, 2014, 7:04:59 AM
to Django Users
> On 10/12/2014 at 17.55, pythonista <software....@gmail.com> wrote:
> 1. Can Django be hardened via SSL?

"Django" is actually your WSGI server (gunicorn, uwsgi etc.).

> 2. Don't Apache and the proxy server provide sufficient security so that SSL / Django is not required?

Apache *is* the proxy server in this case. Your WSGI server should be running on an IP address that's never reachable from the external network, even if Apache disappears. Either loopback if Apache and WSGI are on the same server, or internal firewalled IP if not.

> 3. If the Proxy server goes down I can test some header responses to determine if the call is from a secure call and from the expected server
> If such security is required is that not sufficient?

That's what firewalls are for. Block port 80 if security only allows HTTPS traffic to your website.

Erik
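
The advice in the reply above, to keep the WSGI server on loopback or a firewalled internal address, as an added example that is not part of the thread: a Python check that classifies gunicorn-style bind strings (`HOST:PORT`, `unix:PATH`, `fd://FD`) and flags the ones that listen beyond the host. The function names and the sample addresses are constructed for illustration.

```python
import ipaddress

def bind_host(bind):
    """Return the host part of a gunicorn-style bind string, or None for
    unix:PATH and fd://FD binds, which are not reachable over the network."""
    if bind.startswith(("unix:", "fd://")):
        return None
    if bind.startswith("["):              # bracketed IPv6, e.g. [::1]:8000
        return bind[1:bind.index("]")]
    if bind.count(":") == 1:              # HOST:PORT
        return bind.rsplit(":", 1)[0]
    return bind                           # bare HOST or bare IPv6 address

def classify_bind(bind):
    host = bind_host(bind)
    if host is None:
        return "local-socket"
    if host == "":                        # ":8000" listens on every interface
        return "all-interfaces"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"                 # needs DNS; cannot be judged offline
    if ip.is_unspecified:                 # 0.0.0.0 or ::
        return "all-interfaces"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "internal"                 # still needs the firewall rule
    return "public"

def exposed_binds(binds):
    """Binds that accept connections from other networks unless a firewall
    blocks them, i.e. the ones to fix before relying on the front proxy."""
    return [b for b in binds if classify_bind(b) in ("all-interfaces", "public")]

# Constructed sample values, not taken from the thread.
SAMPLE_BINDS = ["127.0.0.1:8000", "[::1]:8000", "unix:/run/app.sock",
                "10.0.0.5:8000", "0.0.0.0:8000", ":8000", "8.8.8.8:8000"]

if __name__ == "__main__":
    for b in SAMPLE_BINDS:
        print(f"{b:22} {classify_bind(b)}")
    print("exposed:", exposed_binds(SAMPLE_BINDS))
```

An "internal" result only means the address is in a private range; it still depends on the firewall rule mentioned in the reply.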