Re: [Django] #16046: Document best practices around using request.is_secure() in reverse proxy environments

2012-12-16 Thread Django
#16046: Document best practices around using request.is_secure() in reverse
proxy environments
-------------------------------+--------------------------------------
     Reporter:  adamnelson     |                    Owner:  nobody
         Type:  New feature    |                   Status:  closed
    Component:  Documentation  |                  Version:  1.3
     Severity:  Normal         |               Resolution:  fixed
     Keywords:                 |             Triage Stage:  Accepted
    Has patch:  0              |      Needs documentation:  0
  Needs tests:  0              |  Patch needs improvement:  0
Easy pickings:  0              |                    UI/UX:  0
-------------------------------+--------------------------------------
Changes (by aaugustin):

 * status:  new => closed
 * type:  Cleanup/optimization => New feature
 * resolution:   => fixed
 * stage:  Someday/Maybe => Accepted


Comment:

 As far as I can tell, 61f0aff811aa596fa62136852c59d47f988d1185 covers
 this.

 There's extensive documentation for the `SECURE_PROXY_SSL_HEADER` setting.

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
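
Added example, not part of the ticket thread and not Django's own code: a small Python model of how the `SECURE_PROXY_SSL_HEADER` setting named in the comment above decides whether a request was HTTPS, and why the reverse proxy has to overwrite a client-supplied header instead of passing it through. The `proxy_forward` and `spoof_accepted` helpers are hypothetical, the header name follows the X-Forwarded-Protocol header discussed in this ticket, and the forged request is constructed sample input.

```python
# Model only: mirrors the documented behaviour of Django's
# SECURE_PROXY_SSL_HEADER setting; it does not import Django.

# WSGI name of the X-Forwarded-Protocol header and the value meaning "HTTPS".
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTOCOL", "https")


def wsgi_key(header_name):
    """Convert an HTTP header name to its WSGI environ key."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def proxy_forward(client_scheme, client_headers, overwrite):
    """Hypothetical reverse proxy: build the environ the app server sees.

    The proxy-to-app hop is always plain HTTP. With overwrite=True the proxy
    discards any client-supplied X-Forwarded-Protocol and sets its own value;
    with overwrite=False it only adds the header for HTTPS and otherwise
    passes client headers through untouched.
    """
    environ = {"wsgi.url_scheme": "http"}
    for name, value in client_headers.items():
        environ[wsgi_key(name)] = value
    key = SECURE_PROXY_SSL_HEADER[0]
    if overwrite:
        environ[key] = client_scheme
    elif client_scheme == "https":
        environ[key] = "https"
    return environ


def is_secure(environ, trusted_header=SECURE_PROXY_SSL_HEADER):
    """Decide whether the original request was HTTPS."""
    if trusted_header is not None:
        key, secure_value = trusted_header
        if key in environ:
            return environ[key] == secure_value
    # No trusted header configured or present: use the real connection scheme.
    return environ.get("wsgi.url_scheme") == "https"


def spoof_accepted(overwrite):
    """Plain-HTTP request carrying a client-set header (constructed input)."""
    forged = {"X-Forwarded-Protocol": "https"}
    return is_secure(proxy_forward("http", forged, overwrite))


if __name__ == "__main__":
    print("pass-through proxy trusts forged header:", spoof_accepted(False))
    print("overwriting proxy trusts forged header: ", spoof_accepted(True))
```

The setting is only safe to enable when the proxy behaves like the `overwrite=True` case for every request it forwards.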




Re: [Django] #16046: Document best practices around using request.is_secure() in reverse proxy environments

2011-05-17 Thread Django
#16046: Document best practices around using request.is_secure() in reverse
proxy environments
------------------------------------------------+-------------------------------
               Reporter:  adamnelson            |          Owner:  nobody
                   Type:  Cleanup/optimization  |         Status:  new
              Milestone:                        |      Component:  Documentation
                Version:  1.3                   |       Severity:  Normal
             Resolution:                        |       Keywords:
           Triage Stage:  Someday/Maybe         |      Has patch:  0
    Needs documentation:  0                     |    Needs tests:  0
Patch needs improvement:  0                     |  Easy pickings:  0
------------------------------------------------+-------------------------------
Changes (by lukeplant):

 * needs_docs:   => 0
 * needs_better_patch:   => 0
 * needs_tests:   => 0
 * stage:  Unreviewed => Someday/Maybe


Comment:

 I'm going to accept as 'Maybe/Someday', on the basis that I don't know
 that there is a 'best-practices way'.

 The most commonly used method is to add a header like X-Forwarded-Protocol,
 but AFAICS it isn't so easy to configure common webservers to
 ensure that this header is not passed on if the request is not HTTPS i.e.
 stripping headers seems to be much harder. Without this ability, there is
 a big flaw in this method, because a MITM attack could add the header,
 fooling the web app into believing the request is secure.

 It is possible to use a custom header which is not guessable by 3rd
 parties. However, this is problematic. 1) It means that we have a piece of
 webserver configuration information that is now a secret, so you now have
 to keep your webserver config secret.  2) It is insecure in shared hosting
 scenarios, and these are pretty common with Django hosting e.g.
 WebFaction.

 We don't want to document a best-practice that is actually impractical. If
 you can point us to something that is actually a good way of doing it,
 please do so.




[Django] #16046: Document best practices around using request.is_secure() in reverse proxy environments

2011-05-17 Thread Django
#16046: Document best practices around using request.is_secure() in reverse
proxy environments
--------------------------------------+-------------------------------
     Reporter:  adamnelson            |          Owner:  nobody
         Type:  Cleanup/optimization  |         Status:  new
    Milestone:                        |      Component:  Documentation
      Version:  1.3                   |       Severity:  Normal
     Keywords:                        |   Triage Stage:  Unreviewed
    Has patch:  0                     |  Easy pickings:  0
--------------------------------------+-------------------------------
 As evidenced in these locations:

  * #14597
  * https://github.com/rossdakin/django-heroism
  * http://packages.python.org/django-middleware-extras/usage.html
  * http://yuji.wordpress.com/2008/08/15/django-nginx-making-ssl-work-on-django-behind-a-reverse-proxy/
  * #6548

 There is a need to document a best-practices way of handling an upstream
 Django server (Gunicorn, etc...) behind a reverse proxy (Nginx, etc...)
 using the request.is_secure() method.
