5

I am trying to redirect HTTP to HTTPS in Django deployed on AWS Beanstalk. HTTP to HTTPS works fine when I remove the health link from the load balancer. While having the link in the load balancer, the app stops working.

I am using the following config in the settings file of the Django project hosted on AWS Beanstalk.

CORS_REPLACE_HTTPS_REFERER = True
HOST_SCHEME = "https://"
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
SECURE_SSL_REDIRECT = True
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
SECURE_HSTS_PRELOAD = True
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
Muneeb

3 Answers

2

With SECURE_SSL_REDIRECT = True all non-secure requests will be redirected to https. Non-secure requests are ones made via http or with a non-matching SECURE_PROXY_SSL_HEADER.

Even if your load balancer performs the http to https redirect by itself, it is good to have this option enabled in Django; it is simpler (all security options enabled).


AWS ALB Health Checks cannot set custom headers. We can exclude requests to certain endpoints from being redirected to https with SECURE_REDIRECT_EXEMPT = [r'^health/$'].


AWS ALB Health Check requests are made to the instance IP. To allow Django to process them, the IP needs to be added to ALLOWED_HOSTS: ["172.16.2.5", "my.example.com"]. This needs to be the instance's private IP, the one the ALB uses to reach it.

This can be done with:

  • Adding the instance IP on instance start, as in the example. It can also be done with custom scripts and environment variables.

  • Using custom middleware which allows adding IP ranges to ALLOWED_HOSTS and adding the VPC subnet range, or implementing custom middleware manually.


AWS ALB cannot add HSTS headers. If you want to use Strict Transport Security headers, they should be added on the Django app side. This can be done by setting SECURE_HSTS_SECONDS to a value other than zero.

HSTS headers are only added on responses to secure requests (https:// or SECURE_PROXY_SSL_HEADER match).

Oleg Russkin
  • Have tried by adding IP and also the other way too. Didn't work for me. – Muneeb Jan 14 '20 at 11:54
  • Have you tried adding health check path to `SECURE_REDIRECT_EXEMPT` (edited answer, had typo in name) and adding instance ip to `ALLOWED_HOSTS`? – Oleg Russkin Jan 14 '20 at 12:06
  • Yes, I applied all these options, but it didn't work – Muneeb Jan 14 '20 at 13:05
  • Have solved my problem. I was inserting the public IP in the allowed hosts, but I must put the private IP in the allowed hosts. Thank you so much for your answer. – Muneeb Jan 15 '20 at 05:50
1

I had the same problem and I fixed it with a middleware (Python 3.x):

production settings.py:

MIDDLEWARE = ['market.middleware.ELBHealthChecker_middleware'] + MIDDLEWARE

ELB middleware:

from django.http import HttpResponse


def ELBHealthChecker_middleware(get_response):
    def middleware(request):
        # Answer ALB health checks before the rest of the stack runs, so neither the
        # https redirect nor the ALLOWED_HOSTS check applies to them. Use .get():
        # a request without a User-Agent header would otherwise raise KeyError.
        if "ELB-HealthChecker" in request.META.get("HTTP_USER_AGENT", ""):
            return HttpResponse(status=200)
        return get_response(request)
    return middleware
Quaid
  • You just need to add the private IP of the EC2 instance to the allowed hosts array. It solved my problem in the past. – Muneeb Aug 25 '20 at 07:30
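Putting the two answers above together (Oleg's point about allowing IP ranges in ALLOWED_HOSTS and Quaid's health check middleware), here is an added example that is not from either answer or from Django itself. It re-implements Django's ALLOWED_HOSTS matching in plain Python and extends it with CIDR ranges, so the private IP the ALB puts in the Host header is accepted without listing every instance, and only for the health path; ALLOWED_CIDR_NETS, HEALTH_PATH and the sample values are assumptions.

```python
import ipaddress
import re
# Constructed sample settings: public hostname plus the VPC subnet the ALB uses to reach instances; public IPs are deliberately not covered.
ALLOWED_HOSTS = ["my.example.com"]
ALLOWED_CIDR_NETS = ["172.16.0.0/16"]
HEALTH_PATH = "/health/"  # assumed path configured as the ALB health check
# Same shape as Django's host_validation_re: hostname or [IPv6] literal, optional :port.
_HOST_RE = re.compile(r"^(\[[0-9a-fA-F:.]+\]|[a-zA-Z0-9.-]+)(?::[0-9]+)?$")


def split_host(host_header):
    """Return the host part of a Host header without the port; ValueError if malformed."""
    m = _HOST_RE.match(host_header.strip())
    if not m:
        raise ValueError("malformed Host header: %r" % host_header)
    host = m.group(1)
    return host[1:-1] if host.startswith("[") else host  # drop IPv6 brackets


def matches_pattern(host, pattern):
    """Django ALLOWED_HOSTS semantics: '*' matches all, '.example.com' the domain and subdomains."""
    host, pattern = host.lower(), pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def host_allowed(host_header, allowed_hosts=ALLOWED_HOSTS, cidr_nets=ALLOWED_CIDR_NETS):
    """True if the Host header matches ALLOWED_HOSTS or is an IP literal inside cidr_nets."""
    try:
        host = split_host(host_header).rstrip(".")
    except ValueError:
        return False
    if any(matches_pattern(host, p) for p in allowed_hosts):
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, so the CIDR ranges cannot apply
    return any(addr in ipaddress.ip_network(net, strict=False) for net in cidr_nets)


def health_check_host_middleware(get_response):
    """Put first in MIDDLEWARE: answers HEALTH_PATH for VPC-range Host headers before the https redirect and before get_host() raises DisallowedHost."""
    def middleware(request):
        if request.path == HEALTH_PATH and host_allowed(request.META.get("HTTP_HOST", "")):
            from django.http import HttpResponse  # lazy import so this module also runs without Django
            return HttpResponse("ok")
        return get_response(request)
    return middleware
```

Because the raw-IP Host header is honoured only on the health path, the rest of the app still rejects spoofed Host headers; this is deliberately narrower than adding the whole subnet to ALLOWED_HOSTS globally.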
-1
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
SECURE_SSL_REDIRECT = True

These have worked for me in the past.

Slyme
  • I am already using this. It is fine for redirection of requests, but when I add the health link in Elastic Beanstalk the application health on Elastic Beanstalk gets severe and the app stops working. – Muneeb Jan 15 '20 at 03:59