Added SECURE_PROXY_SSL_HEADER to env/aws.

2012-08-24 14:18:49 -04:00
parent 8e9211d2dd
commit 268a87442e
1 changed files with 6 additions and 0 deletions
--- a/lms/envs/aws.py
+++ b/lms/envs/aws.py
@@ -23,6 +23,12 @@ DEFAULT_FILE_STORAGE = 'storages.backends.s3boto.S3BotoStorage'
 MITX_FEATURES['ENABLE_DISCUSSION'] = False
 MITX_FEATURES['ENABLE_DISCUSSION_SERVICE'] = True

+# IMPORTANT: With this enabled, the server must always be behind a proxy that 
+# strips the header HTTP_X_FORWARDED_PROTO from client requests. Otherwise,
+# a user can fool our server into thinking it was an https connection.
+# See https://docs.djangoproject.com/en/dev/ref/settings/#secure-proxy-ssl-header
+# for other warnings.
+SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')

 ########################### NON-SECURE ENV CONFIG ##############################
 # Things like server locations, ports, etc.