8

I would like to use smart card based authentication on the Django development server, as it is the universally accepted means of authentication where I live.

With Apache I can enable it by creating a .htaccess file in the directory that requires authentication:

    SSLVerifyClient require
    SSLVerifyDepth 2

And in the virtual host:

    <Directory /var/www/www/secure>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride AuthConfig Options
            Order allow,deny
            allow from all
    </Directory>

And by referring to the certificates and revocation lists like this:

    SSLCACertificateFile  /etc/apache2/certificate.crt
    SSLCARevocationPath /etc/apache2/crl

It's quite annoying not having this functionality for testing and development purposes in Django. Any ideas on how to set it up?

Edit: thanks for your answer, Martin, but it has not really gotten me where I want yet. Anyway, I have now opened a bounty for someone to answer the question by providing a small piece of example code and/or more clarification on what to read or where to start.

Uku Loskit

4 Answers

4

This answer kind of piggybacks on Martin's answer. You could use something like Fabric http://docs.fabfile.org/0.9.4/ to automate setting up the dev environment apache+wsgi.

Obviously this has some up front time/cost to it but after it is done you'll be able to set up as many environments as you want quickly and easily.

You could couple that with watcher http://www.splitbrain.org/blog/2011-01/07-watcher_a_recursive_incron_alternative to automatically touch your wsgi file and reload your environment every time you make a change.

James
3

SSL capabilities of the development server (or Python in general) are AFAIK quite mediocre. Maybe this has changed recently with newer Python and Django versions, but I doubt it.

You don't need the SSL authentication capabilities in the development server actually. The simplest would be mimicking Apache if you'll be deploying to Apache, with a custom WSGI middleware that would set the same variables (don't rely on mod_ssl certificate parsing; the easiest is to export the authenticated certificate to the environment and use that, for further OCSP or CRL checks for example) and would make your application behave just as if you were authenticated with a client certificate. This approach also allows you to run some tricky tests, like what happens if the user has characters like ÕÄÖÜŽŠ etc. in the name, by using mock certificates.

Martin Paljak
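
A sketch of the mock-certificate middleware described in the answer above, added here as an example (not code from the answer or from any project named on this page). The class, helper names and sample subject are assumptions; the `SSL_CLIENT_*` keys are the ones mod_ssl exports with `SSLOptions +StdEnvVars` (`+ExportCertData` for `SSL_CLIENT_CERT`), and the name handling assumes the server passes UTF-8 bytes through as ISO-8859-1 strings, as PEP 3333 prescribes.

```python
# Development-only WSGI middleware that fakes mod_ssl's client-cert variables.


def to_wsgi_str(text):
    # PEP 3333: environ values are bytes decoded as ISO-8859-1,
    # so UTF-8 names reach the application as mojibake.
    return text.encode("utf-8").decode("iso-8859-1")


def from_wsgi_str(value):
    # What the application has to do to recover the real name.
    return value.encode("iso-8859-1").decode("utf-8")


class MockClientCertMiddleware:
    def __init__(self, app, subject, pem=None, verify="SUCCESS", debug=False):
        if not debug:
            # An injected identity bypasses real authentication: refuse outside dev.
            raise RuntimeError("MockClientCertMiddleware is for development only")
        self.app = app
        # Legacy mod_ssl DN layout (/C=../CN=..); adjust to what your Apache emits.
        dn = "".join("/%s=%s" % pair for pair in subject)
        self.vars = {
            "HTTPS": "on",
            "SSL_CLIENT_VERIFY": verify,  # NONE, SUCCESS, GENEROUS or FAILED:reason
            "SSL_CLIENT_S_DN": to_wsgi_str(dn),
            "SSL_CLIENT_S_DN_CN": to_wsgi_str(dict(subject).get("CN", "")),
        }
        if pem is not None:
            self.vars["SSL_CLIENT_CERT"] = pem  # PEM text, as with +ExportCertData

    def __call__(self, environ, start_response):
        environ.update(self.vars)
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    # Stand-in for the Django app: trusts only a successful verification.
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"client certificate required"]
    name = from_wsgi_str(environ["SSL_CLIENT_S_DN_CN"])
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8")])
    return [name.encode("utf-8")]


def call(app):
    seen = {}
    body = app({}, lambda status, headers: seen.update(status=status))
    return seen["status"], b"".join(body)
```

In a Django project the wrapper would go around the application object in `wsgi.py`, with `debug` tied to `settings.DEBUG` so the mock identity cannot load in a deployed configuration.
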
3

Why don't you run your development environment with Apache? There is nothing Apache cannot do for you that the Django dev server can. You can actually set up automatic pickup of code changes, as it is very convenient for development purposes; you can read more about this here if you use wsgi: http://code.google.com/p/modwsgi/wiki/ReloadingSourceCode

Alexander Finn
  • this is a simple, but a good solution. Yet, maybe I'm demanding too much, but setting up an Apache virtual host+mod_wsgi on every person's machine that's developing the app is a lot more effort than just running manage.py runserver. Of course, atm I'm the only one developing this, so it isn't much of a problem. – Uku Loskit Feb 25 '11 at 14:51
  • You could set up Apache properly once and then use your bash history to create a script for the other "future" team members... – RyanBrady Mar 02 '11 at 16:58
0

Running SSL with nginx+green unicorn+django in your development environment is really easy. Basically you just need to:

  1. pip install gunicorn
  2. instead of runserver do run_gunicorn
  3. apt-get install nginx (or port install nginx +ssl or whatever, depending on the OS you are running on.)
  4. configure your nginx. Here's an example

...and if you want to use SSL client authentication, see my project, django_ssl_auth on github.

Kimvais