Django is redirecting from HTTPS to HTTP

Question

I have a Django ecommerce site running, and have purchases and installed an SSL cert for it.

I have added a VirtualHost entry:

<VirtualHost *:443>
        #Basic setup
        ServerAdmin [email protected]

        ServerName test.com
        ServerAlias www.test.com

        Alias /media/admin/ /home/test/public_html/test/release/env/lib/python2.6/dist-packages/django/contrib/admin/media/
        Alias /static/ /home/test/public_html/test/release/static/
        Alias /media/ /home/test/public_html/test/release/media/

        <Directory /home/test/public_html/test/release/>
            Order deny,allow
            Allow from all
        </Directory>
        RewriteEngine On

        LogLevel warn
        ErrorLog  /home/test/public_html/test/logs/error.log
        CustomLog /home/test/public_html/test/logs/access.log combined

        WSGIDaemonProcess test user=www-data group=www-data threads=20 processes=2
        WSGIProcessGroup test_ssl

        WSGIScriptAlias / /home/test/public_html/test/release/apache/test.wsgi

        SSLEngine On
        SSLCertificateFile /etc/apache2/ssl/test.com.crt
        SSLCertificateChainFile /etc/apache2/ssl/gs_root.pem
        SSLCertificateKeyFile /etc/apache2/ssl/www.test.com.key
</VirtualHost>

Here is the urls.py file:

from django.conf.urls.defaults import patterns, include, url
from django.contrib import admin
from django.conf import settings

from gallery.models import LOCATIONS, Photo

admin.autodiscover()

from satchmo_store.urls import urlpatterns as satchmo_urls

from satchmo_store.shop.views.sitemaps import sitemaps
from cms.sitemaps import CMSSitemap
sitemaps['pages'] = CMSSitemap

urlpatterns = patterns('',
    url(r'^admin/', include(admin.site.urls)),
    url(r'^search/', include('haystack.urls')),

    # Include satchmo urls. Unfortunately, this also includes it's own
    # /admin/ and everything else.
    url(r'^shop/', include(satchmo_urls)), 
    url(r'^sitemap\.xml/?$', 'django.contrib.sitemaps.views.sitemap', {'sitemaps': sitemaps}),

    url(r'events/gallery/(.*)/(.*)/$', 'gallery.views.events_image'),
    url(r'locations/view-all/(.*)/$', 'gallery.views.locations_image'),
    url(r'locations/view-all/$', 'gallery.views.locations_view_all',{
            'queryset':Photo.objects.filter(gallery__category=LOCATIONS).distinct()}),
    url(r'^contact-us/', include('contact_form.urls')),
    url(r'^', include('cms.urls')),
)

if settings.DEBUG:
    urlpatterns = patterns('',
        (r'^media/(?P<path>.*)$', 'django.views.static.serve', {'document_root': settings.MEDIA_ROOT}),
        (r'^static/(?P<path>.*)$', 'django.views.static.serve', {'document_root': settings.STATIC_ROOT}),
        (r'^404/$', 'django.views.defaults.page_not_found'),
        (r'^500/$', 'django.views.defaults.server_error'),
    ) + urlpatterns

There is also a conf for non ssl which is working fine.

Whenever I request the HTTPS version of the site, I get a 302 header response which redirects to the HTTP version.

There are no redirects in the apache conf that explicitly state go to port 80.

Ive been banging my head against this for a while, any help would be great!

Thanks

Answer 1

You probably already fixed it and it could be an entirely different problem, but I just came across something that sounds somewhat similar and as I did not find an answer that addressed your issue, I thought it might be worth to post a reply (despite I was having a 301 and you a 302).

I am running a Django site (Django 1.6.1) with gunicorn behind nginx. So nginx does the SSL. The environment variable HTTPS is set to on.

When I set up a test server without an http-to-https redirect, I noticed that some requests end up being redirected to an http address - similar to what you describe, but in my case it was just for one particular link. After looking into the request and response headers, I found out: The initial request https://example.org/test got redirected by Django/gunicorn with 301 MOVED PERMANENTLY to http://exmaple.org/test/. nginx then responded with 400 Bad Request - The plain HTTP request was sent to HTTPS port.

Quickly I came across a setting I had not paid much attention to before: APPEND_SLASH (https://docs.djangoproject.com/en/1.6/ref/settings/#std:setting-APPEND_SLASH) with the default value True.

After adding APPEND_SLASH = False to my settings.py file, a request to https://example.org/test resulted in a 404 NOT FOUND response, without a redirect to http. So it seems that APPEND_SLASH does not respect the HTTP environment variable setting - I guess configuring SECURE_PROXY_SSL_HEADER (https://docs.djangoproject.com/en/1.6/ref/settings/#std:setting-SECURE_PROXY_SSL_HEADER) would solve this, I have not tested it yet.

By the way, the reason for that "faulty" link in my case was a hard-coded link in a template. The easy way to avoid links like that is using the built-in {% url ... %} template tag (https://docs.djangoproject.com/en/1.6/ref/templates/builtins/#url [sorry, I could not make this link clickable because I don't have "at least 10 reputation"...]).

Perhaps this helps you or anyone else who wonders why Django sometimes redirects from https to http.

Answer 2

I know this is an old question but I have just spent hours searching for a solution to an identical problem so I thought I would post what I eventually worked out here. I was using Satchmo as the original poster was, It has a middleware class satchmo_store.shop.SSLMiddleware.SSLRedirect which by default sends a redirect exactly as described in the original question from https to http with a 302 header response. Commenting the line in MIDDLEWARE_CLASSES fixes the problem and may be OK if anyone wants to run completely over https but the documentation http://satchmo.readthedocs.org/en/latest/configuration.html#ssl explains how to use it properly which is what I am going to try to do.