CODEWITHSUNDEEP
pythondjangosslnginx
Akash Tomar
Akash Tomar

Reputation: 980

using SSL with nginx in a django app

This is my yo_nginx.conf file:

upstream django {
    server unix:///home/ubuntu/test/yo/yo.sock; # for a file socket, check if the path is correct
}


# Redirect all non-encrypted to encrypted
server {
    server_name 52.89.220.11;
    listen 80;
    return 301 https://52.89.220.11$request_uri;
}


# configuration of the server
server {
    # the port your site will be served on
    listen      443 default ssl;
    # the domain name it will serve for
    server_name 52.89.220.11; # substitute your machine's IP address or FQDN
    charset     utf-8;

    ssl on;
    ssl_certificate /etc/ssl/certs/api.ajayvision.com.chain.crt;
    ssl_certificate_key /etc/ssl/private/api.ajayvision.com.key;

    # max upload size
    client_max_body_size 75M;   # adjust to taste


    # Finally, send all non-media requests to the Django server.
    location / {
        proxy_set_header X-Forwarded-Proto https;
        include /home/ubuntu/test/yo/uwsgi_params;
        uwsgi_param UWSGI_SCHEME https;
        uwsgi_pass_header X_FORWARDED_PROTO;
        uwsgi_pass django;

    }
}

All I want to do is implement SSL on my django app but when I open the domain, it opens up in normal HTTP port. Also when I open the domain using https, it says check your connection. Am I missing something in my conf file? Also, I don't have a proxy set up.

Upvotes: 2

Views: 829

Answers (3)

Akash Tomar
Akash Tomar

Reputation: 980

All I had to do was add default_server and also change the permission of my socket in the uwsgi/sites/sample.ini file from 664 to 666.

server {
   listen 443 default_server ssl;
...
}

Upvotes: 2

Zulfugar Ismayilzadeh
Zulfugar Ismayilzadeh

Reputation: 2773

For redirection from HTTP to HTTPS use:

server {
    listen      80;
    server_name yourdomain.com;
    return 301 https://$server_name$request_uri;
}

But if your website is not working with HTTPS, it means you have invalid certificate. The reasons should be not-signed certificate or your browser should require chained certificate etc.

Upvotes: 0

Basic
Basic

Reputation: 26766

Below is most of the config we use. It ensures the appropriate headers are set. One word of caution, our ssl_ciphers list is probably not ideal as we need to support some clients on older devices.

server {
    listen       443;
    server_name  uidev01;

    ssl                  on;
    ssl_certificate      /etc/nginx/ssl/server.crt;
    ssl_certificate_key  /etc/nginx/ssl/server.key;



    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers   on;
    ssl_stapling on;
    ssl_stapling_verify on;


    error_page 501 /static/ErrorPages/501.html;
    error_page 502 /static/ErrorPages/502.html;
    error_page 503 /static/ErrorPages/503.html;
    error_page 504 /static/ErrorPages/504.html;

    server_tokens off;
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 5m;
    add_header Strict-Transport-Security "max-age=172800; includeSubdomains;";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header Cache-Control "no-cache, no-store";
    add_header Pragma no-cache;
    expires 0s;

    location / {
        proxy_pass              http://localhost:8000;
        proxy_pass_header       Server;
        proxy_set_header        X-Real-IP  $remote_addr;
        add_header              X-Frame-Options sameorigin;
        add_header              X-Content-Type-Options nosniff;
        add_header              Cache-Control "no-cache, no-store";
        add_header              Pragma no-cache;
        add_header              Strict-Transport-Security "max-age=172800; includeSubdomains;";
        expires                 0s;
        proxy_read_timeout      1800;
        proxy_connect_timeout   1800;
        client_max_body_size    200M;
    }
}

As to redirecting from HTTP to HTTPS, we use this...

server {
    listen         80;
    return 301 https://$host$request_uri;
    server_tokens off;
}

Upvotes: 2

Related Questions