Turning off https

Time: 2016-10-15 16:12:22

Tags: django nginx django-csrf

I am using Django 1.7.1, and I made one change outside my django web application: after my django webapp moved inside the company firewall, I turned off https inside nginx.

I made no other changes to the webapp, i.e. none in any django code: I am testing access to the webapp over the company vpn.

When I go to http://mywebapp.mycompany.com, the home page, which is a form, loads fine. Now, when I click submit, I see "CSRF verification failed", and it references https://mywebapp.mycompany.com! Details below. I even get the error in incognito mode, to rule out any stale cache issues.

I would like to know where the error comes from, and my feeling is that it is not inside my webapp but in some vpn configuration / browser cache / other cache.
I have checked the possible causes of CSRF failure given in the django message, and I am not doing any of those "bad" things.

Any ideas on how to resolve this? I wonder whether this is a VPN configuration issue, an nginx configuration issue or a django "best practice" issue.

Forbidden (403)
CSRF verification failed. Request aborted.
Help
Reason given for failure:
    Referer checking failed - http://mywebapp.mycompany.com/ does not match https://mywebapp.mycompany.com/.

In general, this can occur when there is a genuine Cross Site Request Forgery, or when Django's CSRF mechanism has not been used correctly. For POST forms, you need to ensure:
Your browser is accepting cookies.
The view function uses RequestContext for the template, instead of Context.
In the template, there is a {% csrf_token %} template tag inside each POST form that targets an internal URL.
If you are not using CsrfViewMiddleware, then you must use csrf_protect on any views that use the csrf_token template tag, as well as those that accept the POST data.
You're seeing the help section of this page because you have DEBUG = True in your Django settings file. Change that to False, and only the initial error message will be displayed.
You can customize this page using the CSRF_FAILURE_VIEW setting.

I am not doing any of these. My form uses:

<form role="form" action="{% url "sequence_input" %}" data-persist="garlic" data-destroy="false" method="post" enctype="multipart/form-data">{% csrf_token %}

The view that renders the form uses RequestContext (via render):

return render(request, 'sequence_input_form.html', {'form': form})

I have the following context processors:

TEMPLATE_CONTEXT_PROCESSORS = (
    "django.core.context_processors.static",
    "django.contrib.auth.context_processors.auth",
    "django.core.context_processors.debug",
    "django.core.context_processors.i18n",
    "django.core.context_processors.media",
    "django.core.context_processors.tz",
    "django.contrib.messages.context_processors.messages",
    "django.core.context_processors.request",
)

My Nginx conf, showing the commented-out lines:

server {
    listen 80;
    listen [::]:80 ipv6only=on;
    #listen 443 default ssl;
    charset     utf-8;

    # Make site accessible from http://localhost/
    server_name [my server ip];
    #if ($ssl_protocol = "") {
    #   rewrite     ^(.*)   https://$server_name$1 permanent;
    #}
    #if ( $scheme = "http" ) {
    #return 301 https://$server_name$request_uri;
    #}
    #ssl_certificate /home/mywebapp/mywebapp/mywebapp_cert.crt;
    #ssl_certificate_key /home/mywebapp/mywebapp/mywebapp_key.key;
    #ssl_certificate_key /home/mywebapp/mywebapp/harijay/mywebapp_webhop_org.key;

    location / {

        uwsgi_pass  django;
        include     /home/mywebapp/mywebapp/uwsgi_params;
        uwsgi_read_timeout 60000;

        root /home/mywebapp/mywebapp;
        #index pam_lister/templates/sequence_input_form.html;

        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        #try_files $uri $uri/ =404;
        # Uncomment to enable naxsi on this location
        # include /etc/nginx/naxsi.rules
    }

    location /static {
        autoindex on;
        alias /home/mywebapp/mywebapp/static/;
    }
}
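The "Referer checking failed - http://... does not match https://..." message quoted in the question is produced by the referer check in Django 1.7's CsrfViewMiddleware. Two details of that check are worth knowing when reading the error: it only runs for POST requests that Django believes arrived over HTTPS (request.is_secure(), which honours the SECURE_PROXY_SSL_HEADER setting when one is configured), and it then requires the browser's Referer to share scheme, host and port with "https://" + request.get_host() + "/". So an http Referer can only trip this check if the application still thinks the request is secure. The following stand-alone Python script is an added example, not part of the question and not Django's own code; it is a simplified reimplementation of that logic (the hostname and the X-Forwarded-Proto header values are constructed for illustration) that runs several WSGI environments through the check so you can see which combinations produce the quoted message.

```python
from urllib.parse import urlparse

# Reason strings worded as Django 1.7's CsrfViewMiddleware words them.
REASON_NO_REFERER = "Referer checking failed - no Referer."
REASON_BAD_REFERER = "Referer checking failed - %s does not match %s."


def same_origin(url1, url2):
    """True when scheme, host and port of the two URLs all match
    (simplified: explicit ports are compared literally, no scheme defaults)."""
    p1, p2 = urlparse(url1), urlparse(url2)
    return (p1.scheme, p1.hostname, p1.port) == (p2.scheme, p2.hostname, p2.port)


def is_secure(meta, secure_proxy_ssl_header=None):
    """Same rule as request.is_secure(): a configured, trusted proxy header
    (the SECURE_PROXY_SSL_HEADER pair) wins; otherwise use the scheme the
    WSGI server reported in wsgi.url_scheme."""
    if secure_proxy_ssl_header is not None:
        header, value = secure_proxy_ssl_header
        if meta.get(header) == value:
            return True
    return meta.get("wsgi.url_scheme") == "https"


def check_referer(meta, secure_proxy_ssl_header=None):
    """Return None when a POST passes the referer check, else the rejection
    reason. Django 1.7 only performs this check for requests it considers
    HTTPS; plain HTTP POSTs rely on the cookie/token comparison alone."""
    if not is_secure(meta, secure_proxy_ssl_header):
        return None
    referer = meta.get("HTTP_REFERER")
    if referer is None:
        return REASON_NO_REFERER
    # request.get_host() includes the port, if any; HTTP_HOST stands in here.
    good_referer = "https://%s/" % meta["HTTP_HOST"]
    if not same_origin(referer, good_referer):
        return REASON_BAD_REFERER % (referer, good_referer)
    return None


# Constructed WSGI environments (not captured from the asker's server).
HOST = "mywebapp.mycompany.com"
HTTP_REFERER = "http://%s/" % HOST
HTTPS_REFERER = "https://%s/" % HOST

PLAIN_HTTP = {"wsgi.url_scheme": "http", "HTTP_HOST": HOST,
              "HTTP_REFERER": HTTP_REFERER}
TLS_CONSISTENT = {"wsgi.url_scheme": "https", "HTTP_HOST": HOST,
                  "HTTP_REFERER": HTTPS_REFERER}
# The symptom in the question: the app still believes the request is HTTPS
# while the browser, now on plain http, sends an http Referer.
STALE_SCHEME = {"wsgi.url_scheme": "https", "HTTP_HOST": HOST,
                "HTTP_REFERER": HTTP_REFERER}
# Same symptom reached through a proxy header that still claims https.
STALE_PROXY_HEADER = {"wsgi.url_scheme": "http", "HTTP_HOST": HOST,
                      "HTTP_REFERER": HTTP_REFERER,
                      "HTTP_X_FORWARDED_PROTO": "https"}
PROXY_HEADER_SETTING = ("HTTP_X_FORWARDED_PROTO", "https")


def diagnose():
    """Run each constructed request through the check; returns the reason
    (or None for a pass) keyed by scenario name."""
    return {
        "plain_http": check_referer(PLAIN_HTTP),
        "tls_consistent": check_referer(TLS_CONSISTENT),
        "stale_scheme": check_referer(STALE_SCHEME),
        "stale_proxy_header": check_referer(STALE_PROXY_HEADER,
                                            PROXY_HEADER_SETTING),
        # Without the setting, the proxy header is ignored and no check runs.
        "proxy_header_unconfigured": check_referer(STALE_PROXY_HEADER),
    }


if __name__ == "__main__":
    for name, reason in diagnose().items():
        print("%-26s %s" % (name, reason or "OK"))
```

Reading the output: only the two "stale" scenarios reproduce the quoted message, and both have the same shape as the question's setup, a server that still reports the request as secure (through the WSGI scheme passed by the app server, or through a proxy header that Django is configured to trust) after nginx stopped terminating TLS. The check itself is behaving as designed; what the message points at is wherever the "https" belief is still being fed to the application.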

0 answers:

No answers