-
Notifications
You must be signed in to change notification settings - Fork 41
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Create secure request when site port is 443 or SECURE_SSL_REDIRECT is set to True #25
Create secure request when site port is 443 or SECURE_SSL_REDIRECT is set to True #25
Conversation
@@ -88,8 +88,9 @@ def build_object(self, obj): | |||
""" | |||
site = obj.get_site() | |||
logger.debug("Building %s" % obj) | |||
secure_request = site.port == 443 or getattr(settings, 'SECURE_SSL_REDIRECT', False) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I decided to also check for the site port. I'll add some tests later if you agree with the change.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Eh.. It appears to be breaking some tests, but only for some versions of Python.. Anyway, I'll wait for your feedback before looking at it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the notice @loicteixeira . In which case are you trying to build pages via ssl? Almost every site runs in http modus, as ssl offloading is done on LB level or page building is done on local machine. In this really necessary?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The app is hosted on Heroku and as per their requirement, the SSL redirection needs to be performed at the application level.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@robmoorman Any further thoughts on the approach then? Maybe you would prefer it to be a BAKERY_SECURE_REQUESTS
setting which defaults to False
instead of the automatic detection?
I'll use a custom view on the app instead. Thanks. |
…bakes out empty HTML This commit subclasses wagtail-bakery's `AllPublishedPagesView` in a way that detects application-level SSL redirection in order to avoid an issue where rendered pages end up being 0 bytes. See wagtail-nest/wagtail-bakery#24 for confirmation of the issue and the discussion on wagtail-nest/wagtail-bakery#25 that points to a custom view being the (current) workaround. Ideally we'll be able to replace this when that issue is resolved. The code in this commit is basically taken from that closed PR, which adds the `secure_request` variable. Hat-tip to @loicteixeira - thanks! No unit test added, but manually tested locally to confirm this does indeed fix the static build while `SECURE_SSL_REDIRECT` is `True`
* 22: Enable recommended-by-Django security settings as defaults The base settings now follow all-but-one of the recommendations from manage.py `check --deploy`. The only one that's not been done in this changeset is SECURE_HSTS_SECONDS, because of the risk of "serious, irreversible problems". That needs to be planned in to enable it properly. Note that we're explicitly setting what HTTP header to look for to detect the SSL-forwarded header, which should stop the redirect loop in production. Development settings turn off SSL redirect, because the local build isn't set to use HTTPS. (It could be tweaked to use HTTPS, too - but that's out of scope for this piece) * 22: Address issue with wagtail-bakery where SECURE_SSL_REDIRECT=True bakes out empty HTML This commit subclasses wagtail-bakery's `AllPublishedPagesView` in a way that detects application-level SSL redirection in order to avoid an issue where rendered pages end up being 0 bytes. See wagtail-nest/wagtail-bakery#24 for confirmation of the issue and the discussion on wagtail-nest/wagtail-bakery#25 that points to a custom view being the (current) workaround. Ideally we'll be able to replace this when that issue is resolved. The code in this commit is basically taken from that closed PR, which adds the `secure_request` variable. Hat-tip to @loicteixeira - thanks! No unit test added, but manually tested locally to confirm this does indeed fix the static build while `SECURE_SSL_REDIRECT` is `True`
Amending initial settings
Fix #24 (Generated pages are blank when SECURE_SSL_REDIRECT is enabled).