Smart card authentication on the Django development server
I would like to use smart card based authentication on the Django development server, as it is the universally accepted means of authentication where I live.
With Apache I can enable it by creating a .htaccess file in the directory that requires authentication:
SSLVerifyClient require
SSLVerifyDepth 2
And in the virtual host:
<Directory /var/www/www/secure>
Options Indexes FollowSymLinks MultiViews
AllowOverride AuthConfig Options
Order allow,deny
allow from all
</Directory>
And by referring to the certificates and revocation lists like this:
SSLCACertificateFile /etc/apache2/certificate.crt
SSLCARevocationPath /etc/apache2/crl
It's quite annoying not having this functionality for testing and development purposes in Django. Any ideas on how to set it up?
Edit: thanks for your answer, Martin, but it has not really gotten me where I want yet. Anyway, I have now opened a bounty for someone to answer the question by providing a small piece of example code or more clarification on what to read or where to start.
Comments (4)
This answer kind of piggybacks on Martin's answer. You could use something like Fabric http://docs.fabfile.org/0.9.4/ to automate setting up the dev environment apache+wsgi.
Obviously this has some up-front time/cost to it, but after it is done you'll be able to set up as many environments as you want quickly and easily.
You could couple that with watcher http://www.splitbrain.org/blog/2011-01/07-watcher_a_recursive_incron_alternative to automatically touch your wsgi file and reload your environment every time you make a change.
SSL capabilities of the development server (or Python in general) are AFAIK quite mediocre. Maybe this has changed recently with newer Python and Django versions, but I doubt it.
You don't actually need the SSL authentication capabilities in the development server. The simplest would be mimicking Apache if you'll be deploying to Apache, with a custom WSGI middleware that would set the same variables (don't rely on mod_ssl certificate parsing, the easiest is to export the authenticated certificate to the environment and use that, for further OCSP or CRL checks for example) and would make your application behave just as if you were authenticated with a client certificate. This approach also allows running some tricky tests, like what happens if the user has characters like ÕÄÖÜŽŠ etc. in the name, by using mock certificates.
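A sketch of the middleware approach described in the answer above, as an added example that is not part of the original thread or of any project mentioned in it. The environment keys are ones mod_ssl exports; the MOCK_CLIENT_CERT switch, the helper names, the sample DN and the PEP 3333 assumption that UTF-8 DN bytes reach the application as latin-1 decoded strings are assumptions made for the example.

```python
import os

def wsgi_native(text):
    """PEP 3333 environ strings carry raw bytes as latin-1 code points."""
    return text.encode("utf-8").decode("latin-1")

def from_wsgi_native(value):
    """Application-side inverse: recover the real Unicode text."""
    return value.encode("latin-1").decode("utf-8")

class MockClientCertMiddleware:
    """Development-only: fakes the environ keys mod_ssl sets after SSLVerifyClient."""

    def __init__(self, app, common_name, pem="", verify="SUCCESS", enabled=None):
        # Hypothetical opt-in switch: the mock replaces real certificate
        # verification, so it stays off unless explicitly enabled.
        if enabled is None:
            enabled = os.environ.get("MOCK_CLIENT_CERT") == "1"
        self.app = app
        self.enabled = enabled
        self.mock = {
            "HTTPS": "on",
            "SSL_CLIENT_VERIFY": verify,  # mod_ssl: NONE, SUCCESS, GENEROUS, FAILED:reason
            "SSL_CLIENT_S_DN_CN": wsgi_native(common_name),
            "SSL_CLIENT_S_DN": wsgi_native("CN=" + common_name),  # constructed DN
            "SSL_CLIENT_CERT": pem,  # PEM text for the app's own CRL/OCSP checks
        }

    def __call__(self, environ, start_response):
        if self.enabled:
            environ.update(self.mock)
        return self.app(environ, start_response)

def demo_app(environ, start_response):
    """Constructed sample app: accepts only a verified client certificate."""
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"client certificate required"]
    name = from_wsgi_native(environ["SSL_CLIENT_S_DN_CN"])
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8")])
    return [("hello " + name).encode("utf-8")]

def call(app):
    """Drive a WSGI app once with a minimal constructed environ."""
    seen = {}
    body = b"".join(app({"REQUEST_METHOD": "GET"}, lambda s, h: seen.update(status=s)))
    return seen["status"], body
```

Passing `verify="FAILED:..."` or leaving the switch off exercises the application's rejection path, which is worth testing as carefully as the success path.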
Why don't you run your development environment with Apache? There is nothing Apache cannot do for you that the Django dev server can. You can actually set up automatic pickup of code changes, as it is very convenient for development purposes; you can read more about this here if you use wsgi: http://code.google.com/p/modwsgi/wiki/ReloadingSourceCode
Running SSL with nginx+green unicorn+django in your development environment is really easy.
Basically you just need to:
pip install gunicorn
runserver
do run_gunicorn
apt-get install nginx
(or port install nginx +ssl or whatever, depending on the OS you are running on.)
...and if you want to use SSL client authentication, see my project, django_ssl_auth on github.