From a deployment perspective, it is better to have "one" front-end
server that has the site certificate.
That server would then redirect the traffic to the internal
server, either in SSL (other encryption keys) or in plain HTTP. That
SSL server needs to be pretty powerful as it is the one dealing with
all the encrypting (twice if you want to have internal traffic also
encrypted).

From a developer perspective now:
It would have been nice to have a tag in the urls.py that shows which
URLs are encrypted and which are not :)
This question is in fact a security & deployment issue ... and should
(ideally) have ZERO impact on the way the code is being developed.

Based on the recommendation in the docs, I wrote my login form using
as much as possible the available functionalities:

Here is a snippet from my current code top-level "urls.py":

<snip>
(r'^login-window/$', 'django.contrib.auth.views.login',
{'template_name': 'prompt_login.html'}),
</snip>

The prompt_login page contains mainly this
<snip>
            <form method="post" action="{% url django.contrib.auth.views.login %}">{% csrf_token %}
            <table>
            <tr>
              <td>{{ form.username.label_tag }}</td>
              <td>{{ form.username }}</td>
            </tr>
            <tr>
              <td>{{ form.password.label_tag }}</td>
              <td>{{ form.password }}</td>
            </tr>
            </table>

            <input type="hidden" name="next" value="/users/{{ constants.default_profile_key }}" />
            <input type="submit" value="login" />
          </form>
</snip>


The question for this code is where would it be sensible to put the
enforcement of https / ssl connection?

Are there people from the dev team who have (strong) opinions on this?
Are there people dealing with medical records or highly private data
(portfolio?) ... who have wise ideas to share?

\T,

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-us...@googlegroups.com.
To unsubscribe from this group, send email to 
django-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en.
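
One place the enforcement asked about above can live without touching views or urls.py, shown as an added example that is not part of the original post: a framework-independent WSGI wrapper placed in front of the application, which trusts the forwarded scheme only when the request comes from the SSL front end. The path list, proxy address, canonical host and the `demo_app`/`call` helpers are assumptions made for illustration.

```python
import re

# Assumed policy: which URL paths must be HTTPS, and who may vouch for the scheme.
SECURE_PATHS = (r"^/login-window/$", r"^/users/")
TRUSTED_PROXIES = {"10.0.0.5"}        # constructed address of the SSL front end
CANONICAL_HOST = "www.example.com"    # never build redirects from the Host header

class RequireHTTPS:
    """WSGI wrapper: secure paths are only served when the client used HTTPS."""
    def __init__(self, app):
        self.app = app
        self.patterns = [re.compile(p) for p in SECURE_PATHS]

    def is_secure(self, environ):
        if environ.get("wsgi.url_scheme") == "https":
            return True
        # Plain HTTP hop: believe X-Forwarded-Proto only from the front end.
        if environ.get("REMOTE_ADDR") in TRUSTED_PROXIES:
            return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"
        return False

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "/")
        if not any(p.search(path) for p in self.patterns) or self.is_secure(environ):
            return self.app(environ, start_response)
        if environ.get("REQUEST_METHOD") not in ("GET", "HEAD"):
            # A POST body (e.g. the password) cannot be safely redirected.
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"HTTPS required\n"]
        query = environ.get("QUERY_STRING")
        location = "https://" + CANONICAL_HOST + path + ("?" + query if query else "")
        start_response("301 Moved Permanently", [("Location", location)])
        return [b""]

def demo_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]

def call(mw, path, method="GET", **extra):
    """Drive the wrapper with a constructed environ; return (status, headers)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": "",
               "wsgi.url_scheme": "http", "REMOTE_ADDR": "203.0.113.9"}
    environ.update(extra)
    seen = {}
    def start_response(status, headers):
        seen.update(status=status, headers=dict(headers))
    mw(environ, start_response)
    return seen["status"], seen["headers"]
```

The front end must overwrite any client-supplied `X-Forwarded-Proto` header, and the session cookie still needs its secure flag so it is never sent over the plain-HTTP pages.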
