Apache/mod_wsgi和Django上的HTTPS和HSTS [英] HTTPS and HSTS on Apache/mod_wsgi and Django
问题描述
我正在为Django 1.8项目设置站点范围的HTTPS.我没有网络安全方面的经验.
I'm setting up site-wide HTTPS for my Django 1.8 project. I am not experienced in web security.
我正在将HTTP设置为HTTPS重定向和HSTS.
I'm setting up HTTP to HTTPS redirect and HSTS.
现在,我正在Apache/mod_wsgi Web服务器上进行配置(我使用的是PaaS,因此我是通过WSGI根目录上的.htaccess文件进行配置的):
Right now, I was configuring this on my Apache/mod_wsgi Web Server (I'm using a PaaS so I configure it through the .htaccess file on the WSGI root):
wsgi/.htaccess
# Redirect HTTP to HTTPS
RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
# Add HSTS header
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
# Deny rendering inside an iframe
Header always set X-Frame-Options DENY
根据Django官方文档SSL 建议 ,我正在生产环境中保护Cookie:
As per the Django official docs SSL recommendations, I'm securing the cookies in my production settings:
设置/prod.py
...
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
...
注意:我尚未设置SECURE_PROXY_SSL_HEADER = (HTTP_X_FORWARDED_PROTO, https),因为我不确定PaaS是否正在代理并在代理和Web容器之间剥离此标头.
Note: I'm not setting SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https") yet, because I'm not sure yet if the PaaS is proxying and stripping this header between the proxy and the web container.
Django (as of 1.8) now comes with it's security middleware(from old django-secure), which implements SSL redirects, and handles HSTS header and other nice things.
我应该让Django处理所有HTTPS重定向/HSTS配置,还是在Web服务器级别进行处理?每种选择对安全性/性能有何影响?
已读/已使用的参考文献:
References read/used:
https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
https://garron.net/crypto/hsts/hsts-2013.pdf
https://mozilla.github.io/server- side-tls/ssl-config-generator/
http://www.marinamele .com/2014/09/security-on-django-app-https-everywhere.html
https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGIND_and_Light
https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html
https://docs.djangoproject.com/en/1.8/topics/安全/
推荐答案
距您提出问题已有一段时间了.无论如何,我也面临着类似的疑问. 文档不确定我们是否应该在应用程序级别或在Web服务器上:
It's been a while since you've asked the question. Anyway, I faced similar doubts. The documentation is ambiguous whether we should enable HSTS at the app level or on a web server:
HSTS可以使用SECURE_HSTS_SECONDS,SECURE_HSTS_INCLUDE_SUBDOMAINS和SECURE_HSTS_PRELOAD进行配置,也可以在Web服务器上进行配置.
HSTS may either be configured with SECURE_HSTS_SECONDS, SECURE_HSTS_INCLUDE_SUBDOMAINS, and SECURE_HSTS_PRELOAD, or on the Web server.
部署清单(manage.py check --deploy)建议在生产中设置 SECURE_HSTS_SECONDS .
The deployment checklist (manage.py check --deploy) suggests to set SECURE_HSTS_SECONDS on production.
另一方面, Django书指出:
HSTS通常是在Web服务器上配置的.
HSTS is usually configured on the web server.
考虑到安全性,服务器设置和django中间件都做同样的事情.他们在响应标头中设置了严格传输安全性".我相信Web服务器比django中间件具有更好的性能,尽管我尚未对其进行测试.
Considering security, both server set up and django middleware do the same thing. They set up "Strict-Transport-Security" in response Header. I believe that web servers have a better performance than django middleware, though I haven't tested it.
此外, Django的两个独家新闻建议最好将HTTPS重定向设置重定向到Web服务器:
Also, Two Scoops of Django suggests that it is better to put HTTPS redirects settings to a web server:
在性能方面,最好在网络服务器级别执行此操作(第347页)
Performance-wise, it’s better to do this at the web server level (p. 347)
这篇关于Apache/mod_wsgi和Django上的HTTPS和HSTS的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
