django 设置变量 SECURE_PROXY_SSL_HEADER 与 heroku
django setting variable SECURE_PROXY_SSL_HEADER with heroku
我正在尝试使用 heroku 在 django 1.8 上设置与 https/ssl 相关的变量。但是在 Django 1.8 教程中,它说我应该特别小心地设置这个变量 "SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')"
在 django 1.8 教程中它说
Warning
You will probably open security holes in your site if you set this
without knowing what you’re doing. And if you fail to set it when you
should. Seriously.
Make sure ALL of the following are true before setting this (assuming
the values from the example above):
- Your Django app is behind a proxy.
- Your proxy strips the X-Forwarded-Proto header from all incoming requests. In other words, if end users include that header in their
requests, the proxy will discard it.
- Your proxy sets the X-Forwarded-Proto header and sends it to Django, but only for requests that originally come in via HTTPS.
If any of those are not true, you should keep this setting set to None
and find another way of determining HTTPS, perhaps via custom
middleware.
当我使用 heroku 时是否满足所有这些条件?我应该继续吗?
是的 - 你应该没问题 - 请参阅 heroku 文档:https://devcenter.heroku.com/articles/http-routing#heroku-headers
我正在尝试使用 heroku 在 django 1.8 上设置与 https/ssl 相关的变量。但是在 Django 1.8 教程中,它说我应该特别小心地设置这个变量 "SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')"
在 django 1.8 教程中它说
Warning
You will probably open security holes in your site if you set this without knowing what you’re doing. And if you fail to set it when you should. Seriously.
Make sure ALL of the following are true before setting this (assuming the values from the example above):
- Your Django app is behind a proxy.
- Your proxy strips the X-Forwarded-Proto header from all incoming requests. In other words, if end users include that header in their requests, the proxy will discard it.
- Your proxy sets the X-Forwarded-Proto header and sends it to Django, but only for requests that originally come in via HTTPS.
If any of those are not true, you should keep this setting set to None and find another way of determining HTTPS, perhaps via custom middleware.
当我使用 heroku 时是否满足所有这些条件?我应该继续吗?
是的 - 你应该没问题 - 请参阅 heroku 文档:https://devcenter.heroku.com/articles/http-routing#heroku-headers