Why does your website need to support the HTTPS protocol?
In short: HTTPS = HTTP + SSL = More Secure Data Transmission
The HTTP protocol, short for Hypertext Transfer Protocol, is widely used to transfer information between Web browsers and Web servers. The disadvantage of the HTTP protocol is that it sends content (including user passwords) in clear text and does not provide any way of encrypting the data. If an attacker intercepts the text transmitted between a Web browser and a Web server, he or she can read the information in it directly.
In order to solve this pitfall and secure the transmission of data, the HTTPS protocol (Hypertext Transfer Protocol over Secure Sockets Layer) was born. It adds the SSL protocol to HTTP, which relies on certificates to verify the identity of the server and encrypts the communication data between the browser and the server.
Note: The default port used for HTTP protocol is port 80 and the default port used for HTTPS protocol is port 443. If you are using a cloud server, make sure that port 443 is open when you set up the security group.
How to configure HTTPS when deploying a Django project in a production environment?
There are three steps in total:
1. Purchase and download an SSL certificate, which usually consists of a certificate (.cert or .pem) and a private key file (.key).
2. Modify the configuration information of Nginx or Apache, and upload the downloaded SSL certificate and key to the specified folder.
3. Modify the Django configuration file
Step 1: Purchase and download SSL certificate
There are many kinds of SSL certificates; the higher the validation level, the more expensive, and there are not many free lunches online. For a personal website, a single-domain DV SSL certificate is generally enough; Aliyun offers this certificate free of charge during its promotions. When buying an SSL certificate, choosing Single domain - DV SSL - Free version is fine, as shown in the figure below. For paid SSL certificates, Namecheap is still cheaper.
Whichever SSL certificate provider you use, it will either provide a link to download the certificate or send it directly to your email address; only the process differs. You then need to upload the downloaded certificate to the specified folder on the server, see the next step.
Step 2: Modify Nginx configuration information
When deploying Django in a production environment, we generally use Nginx as a reverse proxy and static file server, so here is a brief description of the Nginx configuration. The Nginx configuration file is usually located in the /etc/nginx/ directory; modify it to add the SSL-related information.
# Configuration file in the /etc/nginx/ directory
server {
    listen 443 ssl;                                               # Listen on port 443
    ssl_certificate /path/to/certificate/your_domain_chain.crt;   # Certificate path
    ssl_certificate_key /path/to/your_private.key;                # Private key file path
    server_name your_domain.com www.your_domain.com;              # Domain name
}
The SSL certificate and private key files can be uploaded to any directory you choose on the server, but it is common practice to upload them to the /usr/share/nginx/ssl directory on Linux, so the above configuration can be simplified:
# Configuration file in the /etc/nginx/ directory
server {
    listen 443 ssl;                                                  # Listen on port 443
    ssl_certificate /usr/share/nginx/ssl/your_domain_chain.crt;      # Certificate path
    ssl_certificate_key /usr/share/nginx/ssl/your_private.key;       # Private key file path
    server_name your_domain.com www.your_domain.com;                 # Domain name
}
You can also permanently redirect all HTTP requests arriving on port 80 to HTTPS.
server {
    listen 80;                                          # Listen on port 80
    server_name your_domain.com www.your_domain.com;
    return 301 https://$server_name$request_uri;        # Permanent redirect
}
Step 3: Modify the Django configuration file
When your website supports HTTPS, you can add the following security settings, which provide a higher level of protection for your website and user data. These settings are also the defaults recommended by cookiecutter-django for production environments.
# SECURITY settings - recommended to be enabled when the site supports HTTPS
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")  # Trust the reverse proxy's X-Forwarded-Proto header to detect HTTPS
SECURE_SSL_REDIRECT = True             # Permanently redirect all non-SSL requests to SSL
SESSION_COOKIE_SECURE = True           # Send the session cookie over HTTPS only
CSRF_COOKIE_SECURE = True              # Send the CSRF cookie over HTTPS only
SECURE_HSTS_SECONDS = 60               # HSTS max-age in seconds
SECURE_HSTS_INCLUDE_SUBDOMAINS = True  # Apply the HSTS policy to subdomains as well
SECURE_HSTS_PRELOAD = True             # Allow the domain to be submitted to browser HSTS preload lists
SECURE_CONTENT_TYPE_NOSNIFF = True     # Prevent browsers from guessing the content type of an asset
Note: Django's SECURE_SSL_REDIRECT = True also achieves the permanent redirection of port 80 HTTP requests to HTTPS, so you can choose either it or Nginx's 301 redirect. The Django security settings above depend on the SecurityMiddleware shown below being enabled.
MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',  # must be listed for the settings above to take effect
]
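To make the effect of each setting concrete, here is an added example (not Django's own code and not part of the original article) that models in plain Python what SecurityMiddleware does with the settings above: deciding whether a request is secure via SECURE_PROXY_SSL_HEADER, issuing the 301 redirect, and adding the HSTS and nosniff response headers. The Request class, the WSGI-style environ dictionary and the sample requests are constructed for this illustration. It assumes, as Django's documentation requires, that Nginx sets X-Forwarded-Proto itself (proxy_set_header X-Forwarded-Proto $scheme;) so that the header always reflects the real scheme rather than whatever a client sends.

```python
from dataclasses import dataclass, field

# Same values as the production settings shown above
SETTINGS = {
    "SECURE_PROXY_SSL_HEADER": ("HTTP_X_FORWARDED_PROTO", "https"),
    "SECURE_SSL_REDIRECT": True,
    "SESSION_COOKIE_SECURE": True,
    "CSRF_COOKIE_SECURE": True,
    "SECURE_HSTS_SECONDS": 60,
    "SECURE_HSTS_INCLUDE_SUBDOMAINS": True,
    "SECURE_HSTS_PRELOAD": True,
    "SECURE_CONTENT_TYPE_NOSNIFF": True,
}


@dataclass
class Request:
    """Constructed stand-in for an HttpRequest as it arrives from Nginx."""
    host: str
    path: str
    scheme: str = "http"                         # scheme seen by the app server itself
    environ: dict = field(default_factory=dict)  # WSGI-style META headers


def is_secure(request, settings=SETTINGS):
    """Mirror of HttpRequest.is_secure(): the request counts as HTTPS if the
    app server itself terminated TLS, or if the trusted proxy header says so."""
    if request.scheme == "https":
        return True
    header, value = settings["SECURE_PROXY_SSL_HEADER"]
    return request.environ.get(header) == value


def process_request(request, settings=SETTINGS):
    """Return (status, headers) for a redirect, or None to let the view run.
    This is what SECURE_SSL_REDIRECT does, equivalent to the Nginx 301 above."""
    if settings["SECURE_SSL_REDIRECT"] and not is_secure(request, settings):
        return 301, {"Location": f"https://{request.host}{request.path}"}
    return None


def process_response(request, headers, settings=SETTINGS):
    """Add the HSTS and nosniff headers to an outgoing response's headers."""
    headers = dict(headers)
    seconds = settings["SECURE_HSTS_SECONDS"]
    # HSTS is only emitted on HTTPS responses; browsers ignore it over plain HTTP
    if seconds and is_secure(request, settings) and "Strict-Transport-Security" not in headers:
        value = f"max-age={seconds}"
        if settings["SECURE_HSTS_INCLUDE_SUBDOMAINS"]:
            value += "; includeSubDomains"
        if settings["SECURE_HSTS_PRELOAD"]:
            value += "; preload"
        headers["Strict-Transport-Security"] = value
    if settings["SECURE_CONTENT_TYPE_NOSNIFF"]:
        headers.setdefault("X-Content-Type-Options", "nosniff")
    return headers


def cookie_flags(settings=SETTINGS):
    """Flag that the session and CSRF cookies would carry with these settings."""
    return {
        "sessionid": "Secure" if settings["SESSION_COOKIE_SECURE"] else "",
        "csrftoken": "Secure" if settings["CSRF_COOKIE_SECURE"] else "",
    }


if __name__ == "__main__":
    # Constructed sample requests: one that reached Nginx over HTTP, one over HTTPS
    plain = Request("your_domain.com", "/login/")
    proxied = Request("your_domain.com", "/login/",
                      environ={"HTTP_X_FORWARDED_PROTO": "https"})
    print(process_request(plain))      # (301, {'Location': 'https://your_domain.com/login/'})
    print(process_request(proxied))    # None, the view is allowed to run
    print(process_response(proxied, {"Content-Type": "text/html"}))
    print(cookie_flags())
```

The HSTS branch is the part worth checking in a real deployment: the header is only sent on responses Django believes are secure, so if Nginx does not forward X-Forwarded-Proto the site will redirect in a loop and never emit HSTS at all. Raise SECURE_HSTS_SECONDS from the initial 60 only after confirming every subdomain serves HTTPS, since includeSubDomains and preload make the policy hard to undo.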
Wrap-up
Configuring HTTPS for a Django project at go-live is very simple and takes only three steps. Did you learn it?
This concludes the details of how to obtain an SSL certificate and configure HTTPS for a Django project. For more information on obtaining an SSL certificate and configuring HTTPS for Django, please see my other related articles!