
I set several settings as the Django documentation said, but I got two problems:

  1. SecurityMiddleware didn't work
  2. once SECURE_SSL_REDIRECT = True, the website can't be visited

SecurityMiddleware is supposed to set Strict-Transport-Security: max-age=31536000; includeSubDomains in the response header, but when I check with Chrome F12 the response headers look like this:

Connection: keep-alive
Content-Encoding: gzip
Content-Type: text/html; charset=utf-8
Date: Thu, 13 Jun 2019 02:18:17 GMT
Server: openresty/1.15.8.1
Set-Cookie: uid=e59e2b54f7d64a6799b0f160dc80fae6; expires=Sun, 10 Jun 2029 02:18:17 GMT; HttpOnly; Max-Age=315360000; Path=/
Transfer-Encoding: chunked
X-Frame-Options: SAMEORIGIN

There is no Strict-Transport-Security in it.

I use nginx to redirect, but I'm still wondering why SECURE_SSL_REDIRECT = True causes the website to become unavailable, and whether this setting has other effects. Chrome shows ERR_TOO_MANY_REDIRECTS.

Django settings:

MIDDLEWARE = [
   # 'django.middleware.cache.UpdateCacheMiddleware',
    'blog.middleware.user_id.UserIDMiddleware',
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]

ALLOWED_HOSTS = ['www.xxxxxx.club']

#SECURE_SSL_REDIRECT = True
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
SECURE_HSTS_SECONDS = 31536000
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_HSTS_PRELOAD = True

mark

1 Answer

I figured these two problems out; both were caused by the same thing. I use nginx as a proxy and set the redirect from HTTP to HTTPS in nginx, but

the proxy may be “swallowing” the fact that a request is HTTPS, using a non-HTTPS connection between the proxy and Django

so Django always gets an HTTP request. With SECURE_SSL_REDIRECT = True, every HTTP request is redirected to HTTPS, but all of those HTTPS requests become HTTP again between the proxy and Django, which is the reason for the infinite redirect.

If SECURE_SSL_REDIRECT = False, Django won't redirect the HTTP requests coming from nginx, and Django only sets Strict-Transport-Security on HTTPS response headers. That is why, even though my browser receives an HTTPS response (from nginx, not from Django), there is no Strict-Transport-Security in the response header. So I changed some settings:

  1. Set SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https') in the Django settings
  2. Set proxy_set_header X-Forwarded-Proto $scheme; in the location block of the port 443 server in the nginx conf

https://github.com/richardcornish/django-removewww/issues/1
https://docs.djangoproject.com/en/2.1/ref/settings/#std:setting-SECURE_PROXY_SSL_HEADER
https://stackoverflow.com/a/41488430/11350098

mark
  • I had infinite redirects on daphne (too many redirects). Setting SECURE_SSL_REDIRECT = True was the reason for the issue with nginx. But I set SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https') instead, as you suggested, and it works now. Thanks! Great solution. – sp_omer Oct 13 '19 at 18:22
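The exchange the question and the answer describe, modelled end to end as an added example (this is not code from the question, the answer, or Django itself). It re-implements only the decision logic involved: request.is_secure() as Django 2.1 evaluates it with and without SECURE_PROXY_SSL_HEADER, the SECURE_SSL_REDIRECT check, and the rule that SecurityMiddleware adds Strict-Transport-Security only to responses it believes are HTTPS. The host name, the proxy/browser models and the scenario_* helpers are constructed for the example. It reproduces the redirect loop, the missing HSTS header, the working configuration, and the caveat from the Django documentation for SECURE_PROXY_SSL_HEADER: if the proxy forwards plain HTTP to Django without overriding X-Forwarded-Proto, a client can claim HTTPS itself and skip the redirect.

```python
"""Browser -> nginx (TLS termination) -> Django SecurityMiddleware, modelled
in plain Python.  Added example: the is_secure()/redirect/HSTS rules mirror
Django's, but nothing here imports Django.  Names are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

HOST = "www.example.club"   # constructed stand-in for the asker's domain
MAX_HOPS = 10               # stands in for the browser's redirect limit


@dataclass
class Settings:
    SECURE_SSL_REDIRECT: bool = False
    SECURE_HSTS_SECONDS: int = 0
    SECURE_HSTS_INCLUDE_SUBDOMAINS: bool = False
    SECURE_PROXY_SSL_HEADER: Optional[Tuple[str, str]] = None  # (META key, value)


@dataclass
class Request:
    host: str
    path: str
    hop_scheme: str                 # scheme of the proxy -> Django connection
    meta: Dict[str, str] = field(default_factory=dict)

    def is_secure(self, settings: Settings) -> bool:
        # Django's rule: with SECURE_PROXY_SSL_HEADER configured and the header
        # present, its value decides; otherwise trust the real connection scheme,
        # which behind a plain-HTTP upstream is always "http".
        if settings.SECURE_PROXY_SSL_HEADER:
            header, value = settings.SECURE_PROXY_SSL_HEADER
            if header in self.meta:
                return self.meta[header] == value
        return self.hop_scheme == "https"


def security_middleware(request: Request, settings: Settings) -> dict:
    """Redirect insecure requests; add HSTS only to responses seen as secure."""
    secure = request.is_secure(settings)
    if settings.SECURE_SSL_REDIRECT and not secure:
        return {"status": 301,
                "headers": {"Location": f"https://{request.host}{request.path}"}}
    headers: Dict[str, str] = {}
    if settings.SECURE_HSTS_SECONDS and secure:
        hsts = f"max-age={settings.SECURE_HSTS_SECONDS}"
        if settings.SECURE_HSTS_INCLUDE_SUBDOMAINS:
            hsts += "; includeSubDomains"
        headers["Strict-Transport-Security"] = hsts
    return {"status": 200, "headers": headers}


def nginx(settings, scheme, host, path, client_headers, *,
          redirect_http=True, set_forwarded_proto=True) -> dict:
    """Proxy model: the :80 server either redirects to HTTPS or proxies as-is;
    the :443 server terminates TLS and speaks plain HTTP to Django.  With
    set_forwarded_proto it applies `proxy_set_header X-Forwarded-Proto $scheme;`,
    which overrides any X-Forwarded-Proto the client sent."""
    if scheme == "http" and redirect_http:
        return {"status": 301, "headers": {"Location": f"https://{host}{path}"}}
    meta = {"HTTP_" + k.upper().replace("-", "_"): v for k, v in client_headers.items()}
    if set_forwarded_proto:
        meta["HTTP_X_FORWARDED_PROTO"] = scheme
    return security_middleware(Request(host, path, "http", meta), settings)


def fetch(settings, scheme, host, path, client_headers=None, **proxy_opts) -> dict:
    """Browser model: follow 301s until a final response or the hop limit."""
    client_headers = client_headers or {}
    for hops in range(MAX_HOPS):
        resp = nginx(settings, scheme, host, path, client_headers, **proxy_opts)
        if resp["status"] != 301:
            return {**resp, "hops": hops}
        scheme, rest = resp["headers"]["Location"].split("://", 1)
        host, _, path = rest.partition("/")
        path = "/" + path
    return {"status": "ERR_TOO_MANY_REDIRECTS", "headers": {}, "hops": MAX_HOPS}


HSTS = dict(SECURE_HSTS_SECONDS=31536000, SECURE_HSTS_INCLUDE_SUBDOMAINS=True)
PROXY_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")


def scenario_question():
    """Asker's first try: SECURE_SSL_REDIRECT on, no proxy header configured."""
    s = Settings(SECURE_SSL_REDIRECT=True, **HSTS)
    return fetch(s, "http", HOST, "/", set_forwarded_proto=False)


def scenario_workaround():
    """Asker's second try: redirect left to nginx; Django never sees HTTPS."""
    s = Settings(SECURE_SSL_REDIRECT=False, **HSTS)
    return fetch(s, "http", HOST, "/", set_forwarded_proto=False)


def scenario_fixed():
    """The accepted fix: Django and nginx agree on X-Forwarded-Proto."""
    s = Settings(SECURE_SSL_REDIRECT=True, SECURE_PROXY_SSL_HEADER=PROXY_HEADER, **HSTS)
    return fetch(s, "http", HOST, "/")


def scenario_spoofed():
    """Docs caveat: proxy forwards plain HTTP and does not override the header,
    so a client claiming HTTPS skips the redirect and still gets HSTS."""
    s = Settings(SECURE_SSL_REDIRECT=True, SECURE_PROXY_SSL_HEADER=PROXY_HEADER, **HSTS)
    return fetch(s, "http", HOST, "/", {"X-Forwarded-Proto": "https"},
                 redirect_http=False, set_forwarded_proto=False)


if __name__ == "__main__":
    for name in ("question", "workaround", "fixed", "spoofed"):
        print(f"{name:11s}", globals()[f"scenario_{name}"]())
```

The first scenario loops until the hop limit (the browser's ERR_TOO_MANY_REDIRECTS), the second returns 200 without Strict-Transport-Security, and the third returns 200 with the header after a single redirect, which is the behaviour the answer reports. The fourth is the reason the Django documentation warns about SECURE_PROXY_SSL_HEADER: the setting is only safe when the proxy sets X-Forwarded-Proto itself on every path that reaches Django. In practice that means putting proxy_set_header X-Forwarded-Proto $scheme; in the port 80 server block as well, or making sure that block only redirects and never proxies, so that a client-supplied value can never reach the application.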