Whiskers behind SSL

January 15, 2013 (Last modified on August 20, 2021)

#devops #django #https #plone #tls #tools

Since April 2012 we are using Whiskers to store information about our Plone and Django buildouts. But when I moved the setup behind SSL, the browser started to complain about unsafe content.

While I could access Whiskers via https://whiskers.example.com, references in the HTML to the favicon and the CSS were to http://whiskers.example.com/static/… And that either generates a warning about unsafe content or the browser might decide to not load the assets at all. And especially the missing CSS was severely impacting the usability.

First I tried to solve this in Whiskers itself. But I soon discovered that the master.pt template in Whiskers contains several calls to static_url, for instance:

<link rel="stylesheet" href="${request.static_url('whiskers:static/css/bootstrap.css')}" ... />
<link rel="stylesheet" href="${request.static_url('whiskers:static/whiskers.css')}" ... />

And those resolved to http://whiskers.example.com/static/… so I had to convince Whiskers (or actually Pyramid) that we were using SSL. As a result my next attempts involved changing the Apache configuration. But after trying several options I could not get it working (possibly also due to an older version of Apache).

So I left the configuration unchanged:

<VirtualHost <ip>:443>
    ... basic stuff about the server name, logs and SSL certificates ...

    RewriteEngine on
    ProxyPreserveHost on

    # We use a custom CSS file.
    Alias /static/whiskers.css /var/www/whiskers/static/whiskers.css
    RewriteRule ^/static/whiskers.css - [L]

    RewriteRule ^(.*) http://127.0.0.1:6543$1 [P]

    <Location />
            AuthName "Whiskers"
            AuthType Basic
            AuthUserFile /path/to/htpasswd
            require user spam eggs ham
    </Location>
    <Location /buildouts/add>
            Satisfy Any
    </Location>
</VirtualHost>

Waitress

After stumbling on a link to the reverse proxy section of the Waitress documentation I decided to try a different approach. My production.ini was basically a copy from the example on GitHub and it contained this section:

[server:main]
use = egg:Paste#http
host = 0.0.0.0
port = 6543

I installed Waitress in my virtualenv and replaced the above section with this:

[server:main]
use = egg:waitress#main
host = 0.0.0.0
port = 6543
url_scheme = https

And now the CSS is properly loaded!

I don’t know if there are easier/better ways to solve this, but this works fine for us.