Skip to Main Content
×
Freshbooks
Official App
Free – Google Play
Get it
FreshBooks is Loved by American Small Business Owners
FreshBooks is Loved by Canadian Small Business Owners
FreshBooks is Loved by Small Business Owners in the UK
Dev Blog

Python Paste, mod_proxy, and SSL

by Owen on July 28/2010

We’ve been surprised a few times now to discover that Paste‘s HTTP server doesn’t respect the X-Forwarded-For or X-Forwarded-SSL headers, generated by most reverse proxies and SSL appliances. Applications that use the “wsgi.url_scheme” environment key to generate redirect and link URLs (which should be all of them) mistakenly generate http: URLs instead of https: URLs, leading to broken links and redirects.

This is really easy to fix.

We’ve released a tiny egg called wsgissl, which includes WSGI middleware that looks for the X-Forwarded-SSL header and switches wsgi.url_scheme to “https”. Simple, effective, and highly reusable.

For Paste applications, adding the filter is easy and non-invasive:

  1. Add a dependency on wsgissl to setup.py:

    install_requires=[
    # other dependencies,
    'wsgissl'
    ],
    

If you’re not using setuptools or distribute, install wsgissl by hand instead.

  1. Add the filter to your paster configuration:

    [filter:ssl-detect]
    use: egg:wsgissl#ssl-detect
    
  2. Add a filter-with config entry to your [app:…] stanza:

    [app:my-app]
    # ...
    filter-with: ssl-detect
    

For more information about filtering and composing filter chains in Paste, have a look at their documentation.

For freestanding WSGI applications, the filter wraps your app:

import wsgissl as s
my_app = MyWsgiApp()
my_app = s.ForwardedSSLDetectingFilter(my_app)

Source code for this filter is available on Github.

Enjoy!