Merge pull request #5123 from IONISx/tusbar/enable-https-studio

Use HTTP_X_FORWARDED_PROTO header in studio
2015-02-02 13:09:29 -05:00
parent 74ecb84fc5 4789c5c9d0
commit 3570e474e0
1 changed files with 8 additions and 0 deletions
--- a/cms/envs/aws.py
+++ b/cms/envs/aws.py
@@ -45,6 +45,14 @@ EMAIL_BACKEND = 'django_ses.SESBackend'
 SESSION_ENGINE = 'django.contrib.sessions.backends.cache'
 DEFAULT_FILE_STORAGE = 'storages.backends.s3boto.S3BotoStorage'

+# IMPORTANT: With this enabled, the server must always be behind a proxy that
+# strips the header HTTP_X_FORWARDED_PROTO from client requests. Otherwise,
+# a user can fool our server into thinking it was an https connection.
+# See
+# https://docs.djangoproject.com/en/dev/ref/settings/#secure-proxy-ssl-header
+# for other warnings.
+SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+
 ###################################### CELERY  ################################

 # Don't use a connection pool, since connections are dropped by ELB.