Juju 通过 SSL 部署了 apache+gunicorn+django 应用程序,openid 因无模式而失败

tag-icon tag-icon python apache2 proxy juju
Juju 通过 SSL 部署了 apache+gunicorn+django 应用程序,openid 因无模式而失败

博客文章

仅供参考,我写了一篇博客文章,解释了我为开始工作所做的一切: http://www.astokes.org/post/2013-07-14-juju-gunicorn-apache-django

我已经部署了这些服务,并且所有内容都可以通过 https 访问。但是,当我尝试通过 launchpad.net openid 2 进行身份验证时,发生了以下情况。

首先回调地址是http://10.xxx当应该https://10.xxx其次,应用程序失败,并出现OpenID 身份验证失败:无效的 openid.mode ''"当它最终返回 https 主机时。

zef-sample-apache2-0:~$ cat /etc/apache2/sites-enabled/10.0.3.206_https

# Managed by juju
<VirtualHost *:80>
    ServerName      10.0.3.206
    Redirect permanent / https://10.0.3.206/
</VirtualHost>

<VirtualHost *:443>
    ServerName      10.0.3.206
    ServerAdmin     [email protected]

    CustomLog       /var/log/cts-custom.log combined
    ErrorLog        /var/log/cts-error.log


    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/ssl-cert-cts.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-cts.key
    RequestHeader set X-FORWARDED-SSL "on"
    RequestHeader set X-FORWARDED_PROTO "https"

    ProxyRequests off
    ProxyPreserveHost on
    <Proxy *>
        Order Allow,Deny
        Allow from All
    </Proxy>

    ProxyPass / http://10.0.3.113:8080/
    ProxyPassReverse / http://10.0.3.113:8080/

    #RewriteEngine on

    #RewriteRule ^/(.*)$ http://10.0.3.113:8080/$1 [P,L]

#    Alias           /favicon.ico    /srv/seg-dashboard/segdash/static/favicon.ico
#    Alias           /robots.txt     /srv/seg-dashboard/segdash/static/robots.txt
#    Alias           /static/admin    /var/www/static/admin
#    Alias           /static/        /srv/seg-dashboard/segdash/static/
</VirtualHost>

我强制所有操作都通过 ssl 进行,因此此时我不确定这是否是我的 django 应用程序的问题,因为运行本地 https 服务器并通过 SSL 进行身份验证工作正常。

有任何想法吗?

这是我的 juju 状态输出

machines:
  0:
    agent-state: running
    dns-name: localhost
    instance-id: local
    instance-state: running
services:
  apache2:
    charm: cs:precise/apache2-11
    exposed: true
    relations:
      reverseproxy:
      - seg-dashboard
    units:
      apache2/0:
        agent-state: started
        machine: 0
        open-ports:
        - 80/tcp
        - 443/tcp
        public-address: 10.0.3.206
  gunicorn:
    charm: cs:precise/gunicorn-7
    relations:
      wsgi-file:
      - seg-dashboard
    subordinate: true
    subordinate-to:
    - seg-dashboard
  postgresql:
    charm: cs:precise/postgresql-30
    exposed: false
    relations:
      db:
      - seg-dashboard
      replication:
      - postgresql
    units:
      postgresql/0:
        agent-state: started
        machine: 0
        public-address: 10.0.3.37
  rabbitmq-server:
    charm: cs:precise/rabbitmq-server-12
    exposed: false
    relations:
      amqp:
      - seg-dashboard
      cluster:
      - rabbitmq-server
    units:
      rabbitmq-server/0:
        agent-state: started
        machine: 0
        public-address: 10.0.3.144
  seg-dashboard:
    charm: local:precise/seg-dashboard-1
    relations:
      amqp:
      - rabbitmq-server
      db:
      - postgresql
      website:
      - apache2
      wsgi:
      - gunicorn
    units:
      seg-dashboard/0:
        agent-state: started
        machine: 0
        public-address: 10.0.3.113
        subordinates:
          gunicorn/0:
            agent-state: started

以下是 Launchpad Openid 设置(django settings.py)的相关部分

SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')

ALLOWED_EXTERNAL_OPENID_REDIRECT_DOMAINS = ['lvh.me', 'localhost', 'canonical.com']

# Add support for django-openid-auth
AUTHENTICATION_BACKENDS = (
    'django_openid_auth.auth.OpenIDBackend',
    'django.contrib.auth.backends.ModelBackend',
)

OPENID_CREATE_USERS = True
OPENID_UPDATE_DETAILS_FROM_SREG = True
OPENID_SSO_SERVER_URL = 'https://login.launchpad.net/'
OPENID_USE_AS_ADMIN_LOGIN = True
OPENID_LAUNCHPAD_TEAMS_REQUIRED = [
    'canonical',
]
OPENID_LAUNCHPAD_STAFF_TEAMS = (
    'cool-guys',
)
OPENID_STRICT_USERNAMES = True
OPENID_USE_EMAIL_FOR_USERNAME = True

LOGIN_URL = '/openid/login/'
LOGIN_REDIRECT_URL = '/'

# Login is required for all these patterns
LOGIN_REQUIRED_URLS = (
    r'/(.*)$',
)
# We much except the openid URLs otherwise we go in loops.
LOGIN_REQUIRED_URLS_EXCEPTIONS = (
    r'/openid/(.*)$',
)

额外的:

我认为问题源于从 Apache(SSL) 到 gunicorn(nonSSL) 的切换,然后当它到达 launchpad.net 时,回调 URL 是 Apache 服务器 (nonSSL)。我尝试使用类似 django-sslify 的东西在应用程序端强制使用 SSL,但似乎 ProxyPreserveHost 并不关心/检查主机是来自 https 还是 http,只是默认为 http。

更多的:

以下是发送到 launchpad.net 的请求标头

User-Agent:Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0
Referer:https://10.0.3.218/openid/login/?next=/
Host:login.launchpad.net
DNT:1
Connection:keep-alive

表单数据如下:

openid_referer:"https://10.0.3.218/openid/login/?next=/"
openid.return_to:http://10.0.3.218/openid/complete/?next=%2F&janrain_nonce=2013-07-13T03%3A35%3A28ZSrfuV5
openid.realm:http://10.0.3.218/

这是利用 django-openid-auth 库,我目前正在深入研究代码,以了解为什么当 referer 显示 https 时消费者直接设置 return_to http?

答案1

我已更新帖子以显示 Apache vhost 和 django settings.py 文件中的正确配置。

你可能希望看到类似这样的标题

RequestHeader 设置 X-FORWARDED_PROTO "https"

并在 django 设置中进行如下设置

SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWADED_PROTO','https')

你可以在这里读更多关于它的内容:

https://docs.djangoproject.com/en/dev/ref/settings/#std:setting-SECURE_PROXY_SSL_HEADER

相关内容