Graphite

Some requests are going to http even though the main site is https.

Asked by Cody Stevens

I have a graphite installation that keeps redirecting certain requests back to http. Specifically when I log out or in it takes me to an http:// page that displays nothing but Index of /. Putting an 's' in the URL and hitting enter takes me to the correct page and I can see that I am logged in or out depending on what my last action was. Is there a simple setting I am missing somewhere to specify that all traffic should be https?

Thanks in advance
Cody

Question information

Language:
English Edit question
Status:
Solved
For:
Graphite Edit question
Assignee:
No assignee Edit question
Last query:
Last reply:
Revision history for this message
chrismd (chrismd) said : 		#1

Hm... I'm not sure why this would happen, it might be a bug (ie. hardcoded http://... urls). Can you give a specific example?

Revision history for this message
Cody Stevens (cody-stevens) said : 		#2

Ok.. Unfortunately, this is not accessible outside our network but I'll try to give you the general layout of what is happening:

The following URL works fine via https:

https://graphite-hc.rightnowtech.lan/account/login/

The login appears to work just fine except after authenticating I am taken to :

http://graphite-hc.rightnowtech.lan/

Note that https has been replaced with http

This page doesn't show any of the graphite console instead it says only:

Index of /

Now if I change the URL to be

https://graphite-hc.rightnowtech.lan/

The graphite console appears and shows me as logged in. So clearly the login is working but I am at some point being pointed to an http address instead of https:

Also the same thing happens if I click the logout button from a session where I am logged in. ( I am again taken to the http://graphite-hc.rightnowtech.lan/ which only shows the "Index of /" message )

Let me know if there is something more specific I can tell you.

Thanks for looking into this.

Cody

Revision history for this message
Cody Stevens (cody-stevens) said : 		#3

I also found that this occurs when clicking the "Update Profile" button on

https://graphite-hc.rightnowtech.lan/account/edit/

Revision history for this message
chrismd (chrismd) said : 		#4

So given those examples this really sounds like the HttpResponseRedirect(nextPage) return values in the graphite/account/views.py functions are causing it... which would imply Django thinks these are http for some reason. Hm...

Revision history for this message
Launchpad Janitor (janitor) said : 		#5

This question was expired because it remained in the 'Open' state without activity for the last 15 days.

Revision history for this message
chrismd (chrismd) said : 		#6

Sorry for letting this expire, I've converted it to a bug so I remember to followup.

Revision history for this message
Cody Stevens (cody-stevens) said : 		#7

Putting graphite behind a load balancer that is sending all requests through SSL has fixed this issue. I'm thinking it is related to django looking at the request itself to see if the request is secure. I was contemplating trying to use some middleware as outlined here: http://djangosnippets.org/snippets/240/

Since our problem has been solved by the load balancer I am assuming that every request now has the "secure" attribute that django is looking for.

Revision history for this message
Jeff Blaine (jblaine-kickflop) said : 		#8

This is addressed here:

https://github.com/rdegges/django-sslify

And somewhat here:

http://stackoverflow.com/questions/8436666/how-to-make-python-on-heroku-https-only

This "Answered" question is being marked as "Solved"