Securing your django application with letsencrypt and django-sslify
Django does a good job of being secure by default, from the use of csrf tokens to the ORM that shields you from SQL injection, Django comes bundled with the most basic tools to keep your website data secure, however for most businesses this is not enough.You customers trust you to keep their data safe and your first line of defense is going to be ssl encryption.
Let’s Encrypt is a new Certificate Authority that is free, automated and open, It’s relatively easy to setup , completely free and backed by some big companies.This installation guide is geared towards users of linux boxes (especially debian) .
Installing Let’s Encrypt
The best way to get started with letsencrypt is to use the let’s encrypt client , right now you will need to just clone it from the official github repo.In the future it will most likely be available via your OS’es package manager. You will need to install git and bc before you clone the repo, to do this on debian enter the following the commands
$ sudo apt-get update $ sudo apt-get -y install git bc
Once you’ve installed git and bc you can go ahead get the letsencrypt repo
$ git clone https://github.com/letsencrypt/letsencrypt $ cd letsencrypt $ ./letsencrypt-auto --help
The client will download all the dependencies, once the setup is complete it’s time to generate the certificate.Note that let’s encrypt puts a limit on the number of certificates you can generate per domain , this thread has the latest rate limit figures.The client comes with a number of plugins to help you automate the process of generating and renewing the certificate
$ cd letsencrypt $ letsencrypt --apache
$ cd letsencrypt $ letsencrypt certonly --webroot -w /var/www/example -d example.com
After letsencrypt initializes you will prompted to enter some information. If you have not used the client on this server before you will be asked for an email address and to agree to the Let’s Encrypt Subscribe Agreement.Once you’ve provided all these details, you are provided with 4 certificate files and their location
- Cert.pem : Your domain’s certificate
- Chain.pem : The Let’s Encrypt chain certificate
- Fullchain.pem : cert.pem and chain.pem combined
- Priv.pem : Your certificate’s private key
You can then go ahead and configure your web server for ssl , I will not go into detail on configuring your web server for ssl but if you are using Nginx you can find a great tutorial here and here if you are using Apache
i that your website url is securely being redirected to https: its time to make sure that you whole Django application is served securely.The quickest way to install django-sslify is via pip
pip install django-sslify
You will then need to edit your settings.py file , add django-sslify to your middleware classes.Make sure it is the first middleware class listed, this will ensure that any request made over insecure http will be routed through secure https.
Your MIDDLEWARE_CLASSES should look something like this
MIDDLEWARE_CLASSES = ( 'sslify.middleware.SSLifyMiddleware', # ... )
For more advanced settings and configurations of django-sslify go here.
Your Django application is now configured to securely serve requests over https.