I am creating a Django application which will need SSL on all user-facing pages. On other projects where SSL was needed I have encountered complications when serving media files from a different virtual host on a single server. For example, the page is https://www.mysite.com but it references http://media.mysite.com/css/screen.css, and the browser subsequently shows security alerts to the user.
My understanding is that it's Django best practice to keep static files at least on their own virtual host, which -- as far as I understand -- requires a subdomain like media.blahblah.com.
Clearly there are lots of Django applications on SSL, so I must be missing something. Any suggestions about how this is handled?
The general answer is that you need to change the URL you use to reference your static files to one that uses HTTPS. Using a relative path (/static/css/screen.css) rather than a full URL (http://...) makes your media automatically switch from HTTP to HTTPS according to the referring page, but it does tie your hands when trying to serve based on the guidelines mentioned below.
If you are using Django 1.3 with contrib.staticfiles, it appears that you'd simply need to change the STATIC_URL setting. Otherwise, you will need to update the paths by hand (or however you are specifying your static assets).
Since you have to serve secure static files, you have a handful of options:
- Get another (or a wildcard) SSL certificate for the static files webserver.
  - Disadvantage: the expense of the certificate.
  - Disadvantage: you will need to specify another domain (rather than the relative paths mentioned in the first paragraph) to serve your static files from.
- Set up SSL on a reverse proxy that handles all the requests for the site. You are still serving your static files and Django pages from separate webservers, but the proxy knows which one to connect to based on the URL or path (e.g. proxy "/static" to the static webserver, everything else to the Django webserver).
  - Pro: it lets you use relative paths for your media.
  - Disadvantage: extra systems configuration.
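
Whichever option is used, it helps to check rendered pages for leftover `http://` asset references before users see the browser warning. The following is an added example, not code from the original answer: a standard-library scanner that lists the subresources an HTTPS page would load over plain HTTP. The sample page and the `/account/` URL are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose attribute triggers a subresource fetch. <a href> is navigation, so it is ignored.
FETCH_ATTR = {"script": "src", "img": "src", "iframe": "src", "audio": "src",
              "video": "src", "source": "src", "embed": "src", "link": "href"}
# <link> only fetches for these rel values (rel="canonical" does not).
FETCHING_RELS = {"stylesheet", "icon", "preload", "prefetch", "modulepreload"}

class _RefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTR.get(tag)
        if attr is None:
            return
        a = dict(attrs)
        if tag == "link" and not FETCHING_RELS & set((a.get("rel") or "").lower().split()):
            return
        if a.get(attr):
            self.refs.append((tag, a[attr].strip()))

def find_mixed_content(page_url, html):
    """Return (tag, resolved_url) for each subresource an HTTPS page loads over HTTP."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only applies to pages served over HTTPS
    collector = _RefCollector()
    collector.feed(html)
    findings = []
    for tag, ref in collector.refs:
        resolved = urljoin(page_url, ref)  # relative and //host references inherit https
        if urlsplit(resolved).scheme == "http":
            findings.append((tag, resolved))
    return findings

# Constructed sample: one hard-coded http:// stylesheet and image, plus safe references.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://media.mysite.com/css/screen.css">
<link rel="stylesheet" href="/static/css/print.css">
<link rel="canonical" href="http://www.mysite.com/">
<script src="//media.mysite.com/js/app.js"></script>
</head><body><img src="http://media.mysite.com/img/logo.png">
<a href="http://example.com/">external link</a></body></html>"""

if __name__ == "__main__":
    for tag, url in find_mixed_content("https://www.mysite.com/account/", SAMPLE_PAGE):
        print(f"mixed content: <{tag}> loads {url}")
```

The relative path and the protocol-relative `//media.mysite.com/...` reference are not reported, because both resolve to HTTPS on an HTTPS page.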