Django and SSL


Venkatraman S

Apr 24, 2014, 3:35:23 AM
to django...@googlegroups.com
Hi,

I'm an SSL newbie and I'm trying to understand the various facets of moving a web app to SSL. Are there any learnings the group can share w.r.t. moving a Django site to SSL? Any pitfalls or things to be careful about? Or is it a totally independent activity with no side effects on application design and deployment?

I'm referring to Philips's guide for now, but are there any other recommendations?

Regards,
Venkat

Mike Dewhirst

Apr 24, 2014, 3:55:55 AM
to django...@googlegroups.com
On 24/04/2014 5:35 PM, Venkatraman S wrote:
> Hi,
>
> I'm an SSL newbie and I'm trying to understand the various facets of moving a
> web app to SSL. Are there any learnings the group can share w.r.t.
> moving a Django site to SSL? Any pitfalls or things to be careful about?
> Or is it a totally independent activity with no side effects on
> application design and deployment?

I suppose it depends on your site. In my case it was Apache rather than
nginx, and pretty much all I had to do was establish a redirect so any
URL with http://blah.blah went to https://... instead.

Check the source for specific mention of the protocol to be sure. If you
specify http://blah.blah anywhere you might wish to adjust that, but you
can also rely on the redirect.

I found it refreshingly clean. Hats off to DRY and Django.

Mike

>
> I'm referring to Philips's guide
> <http://www.lognormal.com/blog/2013/06/22/setting-up-ssl-on-nginx/> for
> now, but are there any other recommendations?
>
> Regards,
> Venkat
>
> --
> You received this message because you are subscribed to the Google
> Groups "Django users" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to django-users...@googlegroups.com
> <mailto:django-users...@googlegroups.com>.
> To post to this group, send email to django...@googlegroups.com
> <mailto:django...@googlegroups.com>.
> Visit this group at http://groups.google.com/group/django-users.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-users/CAN7tdFR%2Bb_9W0TCDUJexKiztYuKk-kM2Ys%3DxnK7nK9vfL-CyLg%40mail.gmail.com
> <https://groups.google.com/d/msgid/django-users/CAN7tdFR%2Bb_9W0TCDUJexKiztYuKk-kM2Ys%3DxnK7nK9vfL-CyLg%40mail.gmail.com?utm_medium=email&utm_source=footer>.
> For more options, visit https://groups.google.com/d/optout.

Erik Cederstrand

Apr 24, 2014, 6:01:33 AM
to Django Users
On 24/04/2014 at 09.35, Venkatraman S <venk...@gmail.com> wrote:

> Hi,
>
> I'm an SSL newbie and I'm trying to understand the various facets of moving a web app to SSL. Are there any learnings the group can share w.r.t. moving a Django site to SSL? Any pitfalls or things to be careful about? Or is it a totally independent activity with no side effects on application design and deployment?

Make sure to move your static and media content to https, too. Even references to externally hosted files like jQuery or Bootstrap. Browsers don't like mixed http/https pages.

Erik

Tim Chase

Apr 24, 2014, 8:43:30 AM
to django...@googlegroups.com, mi...@dewhirst.com.au
On 2014-04-24 17:55, Mike Dewhirst wrote:
> I suppose it depends on your site. In my case it was Apache rather
> than nginx, and pretty much all I had to do was establish a redirect
> so any URL with http://blah.blah went to https://... instead.

If you're redirecting to HTTPS regardless of the URL used and never
serving content over HTTP(nonS), you might want to include HSTS
headers to allow the browser to cache your redirect for a specified
age. You can read up at

http://en.wikipedia.org/wiki/Strict_Transport_Security

and it's as simple as including one header in your response. Then
the browser knows that, even if the user types
"http://example.com", it should automatically change that to
"https://example.com" without even talking to the server.

-tkc
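The HTTP-to-HTTPS redirect Mike describes and the HSTS header Tim describes, as an added example that is not code from this thread or from Django itself: a stand-alone WSGI middleware in Python that sends plain-HTTP requests to the same URL on https:// and adds a Strict-Transport-Security header only on responses that were actually served over TLS (browsers ignore HSTS received over plain HTTP, so sending it there is pointless). Django's own SecurityMiddleware, added in Django 1.8, does the same job through the SECURE_SSL_REDIRECT and SECURE_HSTS_SECONDS settings, with SECURE_PROXY_SSL_HEADER covering the reverse-proxy case. The class name, the one-year max-age, the behind_tls_proxy flag and the sample environ dicts are assumptions made for this example.

```python
from urllib.parse import quote

HSTS_MAX_AGE = 31536000  # assumed policy value: one year, in seconds


class HttpsEnforcer:
    """WSGI middleware: redirect http:// to https://, add HSTS on TLS responses.

    behind_tls_proxy: set True only when nginx/Apache terminates TLS in front
    of uWSGI and always overwrites X-Forwarded-Proto, so a client cannot forge
    it (Django's equivalent is SECURE_PROXY_SSL_HEADER)."""

    def __init__(self, app, hsts_max_age=HSTS_MAX_AGE, include_subdomains=True,
                 behind_tls_proxy=False):
        self.app = app
        self.behind_tls_proxy = behind_tls_proxy
        self.hsts_value = "max-age=%d" % hsts_max_age
        if include_subdomains:
            self.hsts_value += "; includeSubDomains"

    def is_secure(self, environ):
        if environ.get("wsgi.url_scheme") == "https":
            return True
        if self.behind_tls_proxy:
            return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"
        return False

    def __call__(self, environ, start_response):
        if not self.is_secure(environ):
            # Same host, path and query string, just on https://
            host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "")
            location = "https://%s%s" % (host, quote(environ.get("PATH_INFO", "/")))
            query = environ.get("QUERY_STRING", "")
            if query:
                location += "?" + query
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def start_response_with_hsts(status, headers, exc_info=None):
            # Replace any HSTS header the app set, so policy lives in one place.
            headers = [h for h in headers if h[0].lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", self.hsts_value))
            return start_response(status, headers, exc_info)

        return self.app(environ, start_response_with_hsts)


def hello_app(environ, start_response):
    """Minimal stand-in for the Django WSGI application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def call(app, environ):
    """Drive a WSGI app without a server; returns (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


secured_app = HttpsEnforcer(hello_app)

# Constructed sample environs, not captured from a real server.
PLAIN_HTTP = {"wsgi.url_scheme": "http", "HTTP_HOST": "example.com",
              "PATH_INFO": "/login", "QUERY_STRING": "next=/"}
TLS = {"wsgi.url_scheme": "https", "HTTP_HOST": "example.com",
       "PATH_INFO": "/login", "QUERY_STRING": ""}
# Plain HTTP with a client-supplied X-Forwarded-Proto header
FORGED = {"wsgi.url_scheme": "http", "HTTP_HOST": "example.com", "PATH_INFO": "/",
          "QUERY_STRING": "", "HTTP_X_FORWARDED_PROTO": "https"}

if __name__ == "__main__":
    for name, env in (("plain", PLAIN_HTTP), ("tls", TLS), ("forged", FORGED)):
        print(name, call(secured_app, env))
```

Two practical points the code makes explicit: the X-Forwarded-Proto header is only trusted when the deployment opts in, because on a host reachable directly over HTTP a client can set that header itself and skip the redirect; and because browsers cache HSTS for the full max-age, it is sensible to deploy with a short value first and raise it to a year once every hostname covered (including subdomains, if includeSubDomains is set) is confirmed to work over HTTPS.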


Venkatraman S

Apr 24, 2014, 9:25:38 AM
to django...@googlegroups.com
And I prefer being on nginx + uWSGI.

James Schneider

Apr 26, 2014, 5:16:58 AM
to django...@googlegroups.com
Outside of the various guides for implementing SSL using various combinations like Apache/Nginx/uWSGI/Gunicorn, etc., there are only a few other things I would watch out for:

Ensure that your server (or hosting provider) has been patched against the Heartbleed vulnerability (CVE-2014-0160) in the recent versions of OpenSSL (almost all providers use Linux for their hosts, and all of those probably rely on OpenSSL libraries to handle the TLS encryption). If you don't know what I'm talking about, you probably shouldn't be running your own server (i.e. a VPS), yet. Any halfway decent hosting provider is already well aware and has implemented the proper patches for you.

Make sure that your site is generating internal links correctly, i.e., generating relative links rather than absolute URLs. If you are consistent in using the {% url %} tag, and none of your href= attributes start with "http://", it should be a seamless transition. The same goes for JavaScript calls or references to CDNs, etc.

Also, if your site may/can use different domain names, make sure to list all possibilities either in the CN or SAN fields in your CSR when requesting the certificate. Note that example.com and www.example.com are different domains when it comes to SSL certificates. Stay away from wildcard domain certificates if possible (i.e., *.example.com); be explicit. If you use a separate subdomain for static content (recommended), even on the same server, include that as well.

Good luck!

-James


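Erik's point about mixed http/https pages and James's point about hard-coded "http://" in href= attributes both come down to the same audit: find every template that pins a URL to the plain-HTTP scheme. The following is an added example, not code from this thread or from the Django project, of a small template scanner built on Python's html.parser that reports such attributes with their line number, while leaving {% url %}, {% static %}, https:// and protocol-relative "//" references alone. The sample template, the attribute list and the function names are assumptions made for this example.

```python
from html.parser import HTMLParser

# Attributes whose value is a single URL the browser will fetch or submit to.
URL_ATTRS = {"href", "src", "action", "data", "poster"}


class InsecureRefFinder(HTMLParser):
    """Collects (line, tag, attribute, value) for every URL attribute
    whose value hard-codes the http:// scheme."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases attribute names and unescapes values for us.
        for name, value in attrs:
            if value is None or name not in URL_ATTRS:
                continue
            if value.strip().lower().startswith("http://"):
                line, _column = self.getpos()  # 1-based line of the tag
                self.findings.append((line, tag, name, value))


def find_insecure_refs(template_source):
    parser = InsecureRefFinder()
    parser.feed(template_source)
    parser.close()
    return parser.findings


def report(template_name, template_source):
    """One human-readable line per finding, suitable for a CI job or pre-commit hook."""
    return ['%s:%d: <%s %s="%s"> hard-codes http://' % (template_name, line, tag, attr, value)
            for line, tag, attr, value in find_insecure_refs(template_source)]


# Constructed sample Django template; lines 2, 7 and 9 are the ones that would
# trigger mixed-content warnings once the page itself is served over HTTPS.
SAMPLE_TEMPLATE = """\
<html><head>
<link rel="stylesheet" href="http://cdn.example.com/bootstrap.css">
<script src="//code.jquery.com/jquery.min.js"></script>
<script src="{% static 'js/app.js' %}"></script>
</head><body>
<a href="{% url 'home' %}">Home</a>
<a href="http://example.com/about/">About</a>
<img src="https://static.example.com/logo.png" alt="logo">
<form action="http://example.com/login/" method="post"></form>
</body></html>
"""

if __name__ == "__main__":
    for line in report("base.html", SAMPLE_TEMPLATE):
        print(line)
```

Run over a templates directory (for example with os.walk and a glob on *.html), this catches the links James mentions before the switch rather than after users see browser warnings. It deliberately does not rewrite anything: a CDN reference should be changed to https:// by hand after confirming the CDN serves it, and an internal absolute link is better replaced with {% url %} or {% static %} so the scheme is never in the template at all.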

Venkatraman S

Apr 26, 2014, 8:17:44 AM
to django...@googlegroups.com
On Sat, Apr 26, 2014 at 2:46 PM, James Schneider <jrschn...@gmail.com> wrote:
> If you use a separate subdomain for static content (recommended), even on the same server, include that as well.

Thanks James. I did not know this (subdomain for static content) was recommended. Why?

Regards,
Venkat

James Schneider

Apr 26, 2014, 11:59:28 AM
to django...@googlegroups.com
Using a separate subdomain future-proofs your site in the event it grows large and you need to split your dynamic and static content between servers.

It also makes it easier to parse statistics from the logs. Most web log analyzers will handle a separate subdomain out of the box better than a subdirectory (although both should work fine if your log analysis tool is decent) when trying to determine hits to dynamic content vs. static content.

Don't stress on it for lower traffic sites though. Start with the basics and work your way up to fancy.

Just my personal thoughts. :-D

-James
