Django behind an F5 LTM with SSL Offload

This is a short post that describes the changes necessary to make Django work behind an F5 LTM device that has been configured with SSL offload (or SSL client profiles as F5 call them).

I’ll cover a bit of F5-specific configuration, but the principles can be used for most SSL offload devices. This example uses an F5 LTM running 11.3.0 and Django 1.4.5.

First, this assumes that you have your Django site working, that you have added it as a node to an F5 LTM and created a pool and a virtual server using port 80, and that you can access the site through the load balancer.

Next you need to enable SSL on your virtual server and tell Django that it is behind an SSL offload device. You do this by inserting a header into the connection and telling Django to look for this header. The name of the header is not important, so long as it's configured the same on the load balancer as it is within Django. To do this you need to create an F5 HTTP Profile.


On the F5, go to Local Traffic > Profiles > Create… and set the parent profile to “http”.

Tick the box next to “Request Header Insert” and set the following:

X-Forwarded-Proto:https


Save the profile, and apply it to your virtual server. Make sure you have an SSL Client profile configured and assigned to your virtual server, and that your virtual server is listening on port 443.

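Now add the following line to your Django application’s settings.py file. Django looks the header up by its request.META name: the header name in upper case, with hyphens replaced by underscores and prefixed with HTTP_.

SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')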

To find out a bit more about this setting see: https://docs.djangoproject.com/en/1.4/ref/settings/.

Restart Apache or the Django runserver and point a browser at your site using HTTPS.
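To check that the two sides agree before restarting, the following added example (not code from the original post or from Django) models how the header inserted by the F5 becomes a request.META key and is compared with SECURE_PROXY_SSL_HEADER. The function names are hypothetical, the logic is a simplified model of Django's check, and the header strings are constructed samples.

```python
# Simplified model of the SSL-offload check; not Django's source code.
# All function names here are hypothetical.

SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")


def meta_key(header_name):
    """WSGI/CGI naming: upper-case, '-' becomes '_', prefixed with 'HTTP_'."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def parse_header_insert(text):
    """Split a 'Request Header Insert' value of the form 'Name:value'."""
    name, _, value = text.partition(":")
    return name.strip(), value.strip()


def build_meta(headers, wsgi_scheme="http"):
    """Build a request.META-like dict from the headers the backend receives.

    Behind SSL offload the backend connection is plain HTTP, so the
    scheme seen by the WSGI server defaults to 'http'.
    """
    meta = {"wsgi.url_scheme": wsgi_scheme}
    for name, value in headers.items():
        meta[meta_key(name)] = value
    return meta


def is_secure(meta, setting=SECURE_PROXY_SSL_HEADER):
    """Trust the configured proxy header first, then the real scheme."""
    if setting:
        key, secure_value = setting
        if meta.get(key) == secure_value:
            return True
    return meta["wsgi.url_scheme"] == "https"


def offload_detected(header_insert, setting=SECURE_PROXY_SSL_HEADER):
    """Would a request carrying the inserted header be treated as HTTPS?"""
    name, value = parse_header_insert(header_insert)
    return is_secure(build_meta({name: value}), setting)


if __name__ == "__main__":
    # Constructed sample values for the F5 header-insert field.
    for sample in ("X-Forwarded-Proto:https", "X-Forwarded-Protocol:https"):
        print(sample, "->", offload_detected(sample))
```

Because the check trusts whatever value arrives in that header, the port 80 virtual server should not pass a client-supplied copy of it through to Django.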
