24

I am planning to sell products by charging credit cards, so using SSL will be critical for my Django-powered website. And I am very naive about this.

My initial Django setup plan was to use Apache as the web server with mod_wsgi to communicate with Django, with static media also served by Apache. All seemed good until the SSL protocol came into the plans.

I will be using the SSL protocol for the user account configuration pages, the whole purchase sequence and maybe the Django admin.

I have checked the official documentation and googled, but the answers are rather confusing.

  • What would be the recommended way of implementing SSL for this setup?
  • Any suggestions for a first-time SSL implementer?
  • From this page, it seems like they have included Nginx in the stack. Couldn't it be done without it?

Thanks

Hellnar

3 Answers

28

I have deployed Django apps on SSL using Apache's mod_ssl and mod_wsgi.

I am no Apache expert, but here's how I set up SSL for one site (put the directives below in the httpd.conf file, or in a file referenced from that file, for instance in the sites-enabled directory, if that is used in your Apache installation). See the first documentation link below for how to create and use a self-signed certificate.

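# NameVirtualHost is only needed on Apache 2.2; Apache 2.4 ignores it
NameVirtualHost *:443
<VirtualHost *:443>
    # Terminate SSL in Apache (mod_ssl) for this virtual host
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/certificatefile.crt
    # Private key: keep this file readable by root only
    SSLCertificateKeyFile /etc/apache2/ssl/certificatekeyfile.crt

    # Hand every request under / to the Django application via mod_wsgi
    WSGIScriptAlias / /path/to/file.wsgi
</VirtualHost>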

Documentation links:

codeape
  • And if I want only Django /admin/ URLs to go via HTTPS? What do I have to add to your example config? – Feanor Jun 28 '12 at 10:13
  • I guess the simplest way is to configure both the http and https sites with the same ``WSGIScriptAlias`` directive. Use a ``Redirect /admin`` in the https site config. – codeape Jun 29 '12 at 08:39
14

For those coming through Google, here's an example config for Nginx:

server {
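    listen 443 ssl default;
    server_name example.com;
    # Redundant with "listen ... ssl" above; the directive was removed in nginx 1.25.1
    ssl on;
    ssl_certificate /etc/nginx/server.crt;
    ssl_certificate_key /etc/nginx/server.key;
    # Set at server level, so these caching headers apply to every response
    add_header  Cache-Control "public, must-revalidate";
    # add_header  Cache-Control "no-cache";
    expires     1d;
    # HSTS: browsers use HTTPS only for this host for 30 days (2592000 seconds)
    add_header Strict-Transport-Security "max-age=2592000; includeSubdomains";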

    location / {
        fastcgi_pass   localhost:8000;
        fastcgi_param PATH_INFO $fastcgi_script_name;
        fastcgi_param REQUEST_METHOD $request_method;
        fastcgi_param CONTENT_TYPE $content_type;
        fastcgi_param CONTENT_LENGTH $content_length;
        fastcgi_param  SERVER_PORT        $server_port;
        fastcgi_param  SERVER_NAME        $server_name;
        fastcgi_param  SERVER_PROTOCOL    $server_protocol;
        fastcgi_pass_request_headers on;
        # include fastcgi_params;
    }

    location /static {
        root /home/myapp/application;
    }

    location = /favicon.ico {
        root /home/myapp/application/assets;
        access_log off;
        log_not_found off;
    }

}
shaond
8

Django doesn't handle the SSL stuff. Apache will take care of that for you transparently and Django will work as usual. You can check for SSL in a view with request.is_secure().

However you must serve links where appropriate as https urls. You also may want to redirect certain http pages to https pages (like the django admin screen).

stefanw
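
The redirect described in the answer above can be done in the mod_wsgi script itself. The following is an added example, not code from any of the answers: a standard-library WSGI wrapper that sends plain-HTTP requests for sensitive paths to HTTPS. The path prefixes, the host name `shop.example` and `demo_app` (a stand-in for the Django WSGI application) are assumptions, and the requests in `call` are constructed.

```python
from urllib.parse import quote

# Assumed URL prefixes for the pages the question wants on SSL.
SECURE_PREFIXES = ("/admin/", "/accounts/", "/checkout/")


class RequireHTTPS:
    """WSGI middleware: send plain-HTTP requests for sensitive paths to HTTPS."""

    def __init__(self, app, host, prefixes=SECURE_PREFIXES):
        self.app = app
        self.host = host  # fixed canonical name; the client's Host header is not trusted
        self.prefixes = tuple(prefixes)

    def needs_tls(self, path):
        return any(path == p.rstrip("/") or path.startswith(p) for p in self.prefixes)

    def __call__(self, environ, start_response):
        path = environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "")
        # mod_wsgi sets wsgi.url_scheme to "https" inside the SSL virtual host.
        if environ.get("wsgi.url_scheme") == "https" or not self.needs_tls(path):
            return self.app(environ, start_response)
        if environ.get("REQUEST_METHOD") not in ("GET", "HEAD"):
            # The body already travelled in clear text; refuse instead of redirecting.
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"HTTPS required\n"]
        # Percent-encode the decoded path so CR/LF cannot reach the Location header.
        location = "https://" + self.host + quote(path.encode("latin-1"))
        if environ.get("QUERY_STRING"):
            location += "?" + environ["QUERY_STRING"]
        start_response("301 Moved Permanently", [("Location", location), ("Content-Length", "0")])
        return [b""]


def demo_app(environ, start_response):
    """Stand-in for the Django WSGI application (constructed for this example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def call(app, method, scheme, path, query=""):
    """Run one constructed request through `app`; return (status, headers, body)."""
    seen = {}
    environ = {"REQUEST_METHOD": method, "wsgi.url_scheme": scheme,
               "SCRIPT_NAME": "", "PATH_INFO": path, "QUERY_STRING": query}
    body = app(environ, lambda status, headers: seen.update(status=status, headers=dict(headers)))
    return seen["status"], seen["headers"], b"".join(body)


application = RequireHTTPS(demo_app, host="shop.example")
```

A site that mixes HTTP and HTTPS pages still sends the session cookie over plain HTTP unless Django's `SESSION_COOKIE_SECURE` setting is enabled, so redirecting every path is the safer default.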