Python Paste, mod_proxy, and SSL
We’ve been surprised a few times now to discover that Paste’s HTTP server doesn’t respect the X-Forwarded-For or X-Forwarded-SSL headers, generated by most reverse proxies and SSL appliances. Applications that use the “wsgi.url_scheme” environment key to generate redirect and link URLs (which should be all of them) mistakenly generate http: URLs instead of https: URLs, leading to broken links and redirects.
This is really easy to fix.
We’ve released a tiny egg called wsgissl, which includes WSGI middleware that looks for the X-Forwarded-SSL header and switches wsgi.url_scheme to “https”. Simple, effective, and highly reusable.
For Paste applications, adding the filter is easy and non-invasive:
Add a dependency on wsgissl to setup.py:
    install_requires=[
        # other dependencies,
        'wsgissl'
    ],
If you’re not using setuptools or distribute, install wsgissl by hand instead.
Add the filter to your paster configuration:
    [filter:ssl-detect]
    use: egg:wsgissl#ssl-detect
Add a filter-with config entry to your [app:…] stanza:
    [app:my-app]
    # ...
    filter-with: ssl-detect
For more information about filtering and composing filter chains in Paste, have a look at their documentation.
For freestanding WSGI applications, the filter wraps your app:
    import wsgissl as s

    my_app = MyWsgiApp()
    my_app = s.ForwardedSSLDetectingFilter(my_app)
Source code for this filter is available on GitHub.
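The following is an added example, not wsgissl's own code: a freestanding WSGI filter that does the same wsgi.url_scheme switch, but honours X-Forwarded-SSL only when the request arrives from a known proxy address, since any client that can reach the backend directly can send the header itself. The class name, the proxy networks, the header value "on" and the demo app are all assumptions made for illustration.

```python
import ipaddress

# Assumption: networks your reverse proxies / SSL appliances connect from.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.0/8"),
                   ipaddress.ip_network("10.0.0.0/8")]

class TrustedForwardedSSLFilter:
    """Set wsgi.url_scheme to https only on the word of a trusted proxy."""
    def __init__(self, app, trusted=TRUSTED_PROXIES):
        self.app = app
        self.trusted = list(trusted)

    def _from_trusted_proxy(self, environ):
        try:
            peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
        except ValueError:          # missing or malformed peer address
            return False
        return any(peer in net for net in self.trusted)

    def __call__(self, environ, start_response):
        forwarded = environ.get("HTTP_X_FORWARDED_SSL", "").strip().lower()
        if self._from_trusted_proxy(environ):
            if forwarded == "on":   # assumed header value
                environ["wsgi.url_scheme"] = "https"
        else:
            # Client-supplied copy: remove it so nothing downstream trusts it.
            environ.pop("HTTP_X_FORWARDED_SSL", None)
        return self.app(environ, start_response)

def redirect_app(environ, start_response):
    # Constructed demo app: builds a redirect URL from wsgi.url_scheme.
    location = "%s://%s/login" % (environ["wsgi.url_scheme"],
                                  environ["HTTP_HOST"])
    start_response("302 Found", [("Location", location)])
    return [b""]

def location_for(remote_addr, forwarded_ssl=None):
    # Constructed request environ, as the backend HTTP server would build it.
    environ = {"wsgi.url_scheme": "http", "HTTP_HOST": "example.com",
               "REMOTE_ADDR": remote_addr}
    if forwarded_ssl is not None:
        environ["HTTP_X_FORWARDED_SSL"] = forwarded_ssl
    captured = {}
    app = TrustedForwardedSSLFilter(redirect_app)
    app(environ, lambda status, headers: captured.update(headers))
    return captured["Location"]
```

The proxy should also strip or overwrite any X-Forwarded-SSL header it receives from clients before adding its own.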