Hassan Baig

Reputation: 15824

Is it necessary to tweak settings.py in a Django app in order to correctly set up SSL protection (with nginx reverse proxy + gunicorn)?

I have a Django app where the webserver is nginx reverse proxy + gunicorn.

My question is: when one installs SSL on the webserver of a Django app, is it necessary to tweak settings.py before https://example.com will correctly load? Or will https://example.com be accessible even without tweaking settings.py?

Currently, for me https://example.com just times out, and I'm trying to diagnose whether this is a problem with how I've installed SSL on the webserver, or whether it's because I haven't yet tweaked my settings.py file.

For instance, Django docs recommend setting the following in settings.py:

1) Setting SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https') in case https is being swallowed by a proxy.

2) Setting SECURE_SSL_REDIRECT to True directs http traffic to https. Though this can be done more securely on the webserver.

3) Setting SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE to True ensures only these cookies are sent over https.

None of these settings look like a must-have for https://example.com to correctly load.


It turned out, the final straw was including the relevant port (i.e. port 443) in the Azure portal (where my infrastructure is hosted).

Upvotes: 2

Views: 259

Answers (1)

Selcuk

Reputation: 59228

In general you don't need to change anything to make SSL work. The suggestions above increase the security but they are not musts.

If your request times out, there can be two reasons:

  1. NginX is not listening to port 443. Post your .conf file to make sure.

  2. You have a firewall installed on your server which blocks incoming TCP requests to port 443.

Upvotes: 1
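An added example (not part of the question or the answer above): a small check, run from a machine outside the server's network, that tells the two timeout causes listed in the answer apart from TLS-layer problems. The function name `diagnose`, the state names and the hint strings are assumptions made for this sketch.

```python
import socket
import ssl
import sys

# Hint text is illustrative; it maps each outcome to the causes discussed above.
HINTS = {
    "filtered": "TCP connect timed out: packets are dropped before reaching nginx "
                "(host firewall, or port 443 not opened in the cloud portal).",
    "refused": "Connection refused: host is reachable but nothing listens on the "
               "port (check for a 'listen 443 ssl' server block in the nginx conf).",
    "tls_failed": "TCP works but the TLS handshake failed: check the certificate, "
                  "key and ssl_* directives in nginx.",
    "tls_ok": "TCP and TLS both work: only now can Django settings such as "
              "SECURE_SSL_REDIRECT or SECURE_PROXY_SSL_HEADER affect the response.",
}

def diagnose(host, port=443, timeout=3.0):
    """Return 'filtered', 'refused', 'tls_failed' or 'tls_ok' for host:port."""
    # Stage 1: plain TCP connect. Django is not involved at this layer at all.
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "refused"
    # Stage 2: TLS handshake with certificate and hostname verification.
    with sock:
        try:
            ctx = ssl.create_default_context()
            with ctx.wrap_socket(sock, server_hostname=host):
                return "tls_ok"
        except (ssl.SSLError, OSError):
            # Covers bad or untrusted certificates, handshake timeouts and resets.
            return "tls_failed"

if __name__ == "__main__":
    # Usage: python diagnose.py example.com [port]
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    state = diagnose(target, target_port)
    print(f"{target}:{target_port} -> {state}: {HINTS[state]}")
```

A result of `filtered` or `refused` means the request never reaches gunicorn, so no change to settings.py can fix it.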
