How to enable https in Django-auth generated pages?


Problem description

Using the Django-auth application (Django version 1.3), I want to have my login page go to https://mysite.com/login/. Currently, I'm using:

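# urls.py
# Django 1.3 keeps patterns() and url() in django.conf.urls.defaults
from django.conf.urls.defaults import patterns, url
from django.contrib.auth.views import login

urlpatterns = patterns('', url(r'^login/$', login, name='login-view'),)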

# navbar.html
<li id="nav-login"><a href="{% url login-view %}" ><b>Login</b></a></li>

which works nicely, but goes to http://mysite.com/login/.

Is there some way to tell Django-auth what prefix (https) to use, when it reverses the view name? I've read the entire manual page, and haven't found anything that covers it. Or maybe some way to tell the url tag to go to https?

Or is the only option to specify the entire URL manually? I hope not :) And given how powerful Django has been so far, I can't believe it wouldn't have that ability - I must be overlooking it. :)

Recommended answer

Set OS environmental variable HTTPS to on

You need to enable the OS environmental variable HTTPS to 'on' so django will prepend https to fully generated links (e.g., like with HttpRedirectRequests). If you are using mod_wsgi, you can add the line:

os.environ['HTTPS'] = "on"

to your wsgi script. You can see the need for this by reading django/http/__init__.py:

def build_absolute_uri(self, location=None):
    """
    Builds an absolute URI from the location and the variables available in
    this request. If no location is specified, the absolute URI is built on
    ``request.get_full_path()``.
    """
    if not location:
        location = self.get_full_path()
    if not absolute_http_url_re.match(location):
        current_uri = '%s://%s%s' % (self.is_secure() and 'https' or 'http',
                                     self.get_host(), self.path)
        location = urljoin(current_uri, location)
    return iri_to_uri(location)

def is_secure(self):
    return os.environ.get("HTTPS") == "on"



Secure your cookies

In settings.py put the lines

SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True

and cookies will only be sent via HTTPS connections. Additionally, you probably also want SESSION_EXPIRE_AT_BROWSER_CLOSE=True. Note if you are using older versions of django (less than 1.4), there isn't a setting for secure CSRF cookies. As a quick fix, you can just have CSRF cookie be secure when the session cookie is secure (SESSION_COOKIE_SECURE=True), by editing django/middleware/csrf.py:

class CsrfViewMiddleware(object):
   ...
   def process_response(self, request, response):
       ...
       response.set_cookie(settings.CSRF_COOKIE_NAME,
            request.META["CSRF_COOKIE"], max_age = 60 * 60 * 24 * 7 * 52,
            domain=settings.CSRF_COOKIE_DOMAIN,
            secure=settings.SESSION_COOKIE_SECURE or None)



Direct HTTP requests to HTTPS in the webserver

Next you want a rewrite rule that redirects http requests to https, e.g., in nginx

server {
   listen 80;
   rewrite ^(.*) https://$host$1 permanent;
}

Django's reverse function and url template tags only return relative links; so if you are on an https page your links will keep you on the https site.
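A way to check the result of the changes in the answer above, as an added example that is not part of the original answer: it audits response headers from a login request for absolute redirects that leave HTTPS and for session or CSRF cookies sent without the Secure flag. The header samples are constructed, and the cookie names and redirect path assume Django's defaults (`sessionid`, `csrftoken`, `/accounts/profile/`).

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Assumption: Django's default SESSION_COOKIE_NAME and CSRF_COOKIE_NAME.
SENSITIVE_COOKIES = ("sessionid", "csrftoken")

# Constructed sample headers from a login response, before and after the changes.
BEFORE = [
    ("Location", "http://mysite.com/accounts/profile/"),
    ("Set-Cookie", "sessionid=constructed123; Path=/; HttpOnly"),
    ("Set-Cookie", "csrftoken=constructed456; Max-Age=31449600; Path=/"),
]
AFTER = [
    ("Location", "https://mysite.com/accounts/profile/"),
    ("Set-Cookie", "sessionid=constructed123; Path=/; HttpOnly; Secure"),
    ("Set-Cookie", "csrftoken=constructed456; Max-Age=31449600; Path=/; Secure"),
]


def audit_headers(headers):
    """Return a list of findings for a list of (name, value) response headers."""
    findings = []
    for name, value in headers:
        lname = name.lower()
        if lname == "location":
            # Absolute redirects carry a scheme (the one build_absolute_uri()
            # picked from is_secure()); relative ones keep the page's scheme.
            scheme = urlsplit(value).scheme
            if scheme and scheme != "https":
                findings.append("redirect leaves HTTPS: %s" % value)
        elif lname == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            for cookie_name, morsel in jar.items():
                # morsel["secure"] is True when the flag is present, "" otherwise.
                if cookie_name in SENSITIVE_COOKIES and not morsel["secure"]:
                    findings.append("cookie without Secure flag: %s" % cookie_name)
    return findings


if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_headers(sample) or "no findings")
```
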
