Enable redirection of HTTP requests to HTTPS #253
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Using Django's `SECURE_SSL_REDIRECT`: https://docs.djangoproject.com/en/5.1/ref/settings/#std-setting-SECURE_SSL_REDIRECT Also configures gunicorn's `forwarded_allow_ips` setting to `"*"` so that gunicorn trusts the `X-Forwarded-Proto` header set by the Heroku Router during TLS termination, to ensure that HTTPS requests are correctly marked as secure in the WSGI metadata passed to the WSGI app (in this case, Django). See: https://docs.gunicorn.org/en/stable/settings.html#forwarded-allow-ips https://devcenter.heroku.com/articles/http-routing#heroku-headers (Whilst the classic Python buildpack already configures this by setting the env var `FORWARDED_ALLOW_IPS`, the Python CNB doesn't yet do so, and it's clearer to have the config explicitly set in the app source.) GUS-W-17482732.
edmorley
added a commit
to heroku/cnb-builder-images
that referenced
this pull request
Mar 21, 2025
Since this env var was added in #385 primarily for the Python Getting Started Guide, but that guide: - No longer requires that the env var be set in order to run in production mode, as of: heroku/python-getting-started#251 - Now redirects to HTTPS if `DYNO` is set (which is not what we want for these tests, since there is no TLS cert configured), as of: heroku/python-getting-started#253 Also, we're about to add Direwolf tests for CNBs/Fir, which will test the guides in a true Heroku-like setting, so it makes more sense for these smoke tests to more accurately test the local `pack build` workflow instead - rather than a hybrid of both. Lastly, I've added `-L` to the curl usages (which makes it follow redirects), so that any issues with redirects are caught in CI. (Such as the Python Getting Started Guide HTTP 301 redirecting to an HTTPS URL with no cert, when the `DYNO` env var was set.) GUS-W-18093965.
edmorley
added a commit
to heroku/cnb-builder-images
that referenced
this pull request
Mar 21, 2025
Since this env var was added in #385 primarily for the Python Getting Started Guide, but that guide: - No longer requires that the env var be set in order to run in production mode, as of: heroku/python-getting-started#251 - Now redirects to HTTPS if `DYNO` is set (which is not what we want for these tests, since there is no TLS cert configured), as of: heroku/python-getting-started#253 Also, we're about to add Direwolf tests for CNBs/Fir, which will test the guides in a true Heroku-like setting, so it makes more sense for these smoke tests to more accurately test the local `pack build` workflow instead - rather than a hybrid of both. Lastly, I've added `-L` to the curl usages (which makes it follow redirects), so that any issues with redirects are caught in CI. (Such as the Python Getting Started Guide HTTP 301 redirecting to an HTTPS URL with no cert, when the `DYNO` env var was set.) GUS-W-18093965.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Using Django's
SECURE_SSL_REDIRECT:https://docs.djangoproject.com/en/5.1/ref/settings/#std-setting-SECURE_SSL_REDIRECT
Also configures gunicorn's
forwarded_allow_ipssetting to"*"so that gunicorn trusts theX-Forwarded-Protoheader set by the Heroku Router during TLS termination, to ensure that HTTPS requests are correctly marked as secure in the WSGI metadata passed to the WSGI app (in this case, Django). See:https://docs.gunicorn.org/en/stable/settings.html#forwarded-allow-ips
https://devcenter.heroku.com/articles/http-routing#heroku-headers
(Whilst the classic Python buildpack already configures this by setting the env var
FORWARDED_ALLOW_IPS, the Python CNB doesn't yet do so, and it's clearer to have the config explicitly set in the app source.)GUS-W-17482732.