how to make https work in django REST framework

[zhenwu he]

Hi, There:

Currently I am using Python Django as my REST framework and it could take all the calls through http. If I want to switch from http to https, what should I do to make this work?

thanks in advance.

/zhenwu 

[Luca Corti]

On 12/feb/2014, at 00:36, zhenwu he <zhen...@gmail.com> wrote:
> Currently I am using Python Django as my REST framework and it could take all the calls through http. If I want to switch from http to https, what should I do to make this work?

Just issue a redirect to the equivalent HTTPS url from your web server when the REST API url is called via plain HTTP.

ciao

Luca

[zhenwu he]

Thanks for your help, Luca. 

Could you elaborate a little bit? I am kind of new to this kind of thing. What I am doing is that, I am using django to redirect all url calls to python API to handle something and then return as response. you want me to redirect this http call to where? and where do I setup this redirect? in django? BTW, I am using manage.py run server 0:xxxx, and it started listening to http port.

thanks.

/zhenwu

[Erik Cederstrand]

Den 13/02/2014 kl. 06.16 skrev zhenwu he <zhen...@gmail.com>:

>
> Thanks for your help, Luca.
>
> Could you elaborate a little bit? I am kind of new to this kind of thing. What I am doing is that, I am using django to redirect all url calls to python API to handle something and then return as response. you want me to redirect this http call to where? and where do I setup this redirect? in django? BTW, I am using manage.py run server 0:xxxx, and it started listening to http port.

runserver doesn’t support HTTPS. You need to run a real webserver like Apache to start serving HTTPS requests, or at least install stunnel (http://stackoverflow.com/questions/8023126/how-can-i-test-https-connections-with-django-as-easily-as-i-can-non-https-connec).

To tell your users that you are now serving everything over HTTPS instead of HTTP, tell your webserver to redirect everything. This is for Apache:

<VirtualHost *:80>
[...]
ServerName example.com
RewriteEngine On
RewriteRule ^/(.*)$ https://example.com/$1 [R=301]
</VirtualHost>


You could also do the redirection in Django by looking at HttpRequest.is_secure(), if your redirection logic is more complicated.


Erik

[Luca Corti]

Il 2014-02-13 06:16 zhenwu he ha scritto:
> Thanks for your help, Luca.
>
> Could you elaborate a little bit? I am kind of new to this kind of
> thing. What I am doing is that, I am using django to redirect all url
> calls to python API to handle something and then return as response.
> you want me to redirect this http call to where? and where do I setup
> this redirect? in django? BTW, I am using manage.py run server 0:xxxx,
> and it started listening to http port.

I'm guessing you have already setup your Django app behind a webserver
(Apache, nginx + uwsgi, whatever).
I'm also assuming you have already set up an HTTPS virtualhost in your
webserver to serve at least your REST API urls.

If I understand correctly, you want to avoid API access using standard
HTTP. So what you can do is, when accessing any webservice URL, redirect
the request via HTTP 301 to the equivalent HTTPS url.

With nginx you can easily do this in your HTTP virtualhost configuration
with something like

...

location /your-REST-URL-endpoint {
rewrite ^(.*) https://www.example.com$1 permanent;
}

...

ciao

Luca

[zhenwu he]

Thanks Eric for your help.

Basically, user has to send REST API to apache using https, and then apache redirect this call to django using http. Should I config anything on django besides configuration redirect on apache. Based on what you are saying, I do not need config anything on django side. thanks.

/zhenwu

[zhenwu he]

Thanks Luca.

Yeah, I have https setup, but that is for UI, not for REST, the REST is purely handled by django run server port. Based on Eric's comment, it seems that I need change user to send request to apache using https, and then I need config redirect on apache to django. then django will handle the call and return to apache and then apache response to user. 

Thanks again for your help. let me try to set it up to see it works.

thanks.

/zhenwu

[zhenwu he]

Hi, Eric:

After thinking further, I am a little lost. :(

Here is my understanding. 

1, I need have django run server running, for example, listen to port 1234

2, I enable https on apache, which is listening to 443. then I redirect all connections to 443 to port 1234 using config you provided.

Am I understanding correctly? based on your config, it seems that we are trying to redirect any request to port 80 to https, which is different from my step 1 and 2.

thanks.

/zhenwu

[C. Kirby]

Zhenwu,

You only mentioned it in passing in the last post, but did you say you are running django in production via the manage.py runserver command? You _really_ shouldn't use runserver in production. You should be using a webserver (I guess apache in your case) and wsgi to serve up django. 

[zhenwu he]

Thanks Kirby.

You meant merge django into apache? ok, let me see what I can do. thanks.

/zhenwu

[C. Kirby]

Use the django deployment docs for a howto: https://docs.djangoproject.com/en/dev/howto/deployment/wsgi/

[zhenwu he]

Thank you! working on it. thanks.

/zhenwu

[zhenwu he]

Thanks all for your help. Finally we figured out how to do it from the doc link Kirby provided. Really appreciated your help.

thanks.

/zhenwu

[sham khan]

Hi Zhenwu,

May you share the details of how you got this working? 

Regards,

Shamim

[subin]

Thanks for your message! An expert will get back to you very soon. In the meantime

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/742e4785-0760-4872-85dd-eb65d80e0bddn%40googlegroups.com.