I am trying to setup CORS + HTTPS with mod_wsgi and Django but I can not get it to work.
CORS works properly without HTTPS/mod_wsgi but stops working when I try to add HTTPS/mod_wsgi.
For CORS, I use the Django CORS middleware (https://github.com/zestedesavoir/django-cors-middleware)
My Django middleware_classes is the following: (see CorsMiddleware and CorsPostCsrfMiddleware)
MIDDLEWARE_CLASSES = [
'django.middleware.security.SecurityMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'corsheaders.middleware.CorsMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
'corsheaders.middleware.CorsPostCsrfMiddleware',
]
I also add the following configuration:
CORS_ALLOW_CREDENTIALS = True
CORS_ORIGIN_ALLOW_ALL = True
I run the Django/wsgi server as follow:
python manage.py runmodwsgi --host 0.0.0.0 --port 8001 --https-port 8000 --ssl-certificate-file ../utils/ssl_cert/local.crt --ssl-certificate-key-file ../utils/ssl_cert/local.key --processes 8 --server-name localhost --https-only --reload-on-changes
Successfully ran command.
Server URL : http://localhost:8001/
Server URL (HTTPS) : https://localhost:8000/
Server Root : /tmp/mod_wsgi-0.0.0.0:8001:1000
Server Conf : /tmp/mod_wsgi-0.0.0.0:8001:1000/httpd.conf
Error Log File : /tmp/mod_wsgi-0.0.0.0:8001:1000/error_log (warn)
Request Capacity : 40 (8 processes * 5 threads)
Request Timeout : 60 (seconds)
Startup Timeout : 15 (seconds)
Queue Backlog : 100 (connections)
Queue Timeout : 45 (seconds)
Server Capacity : 85 (event/worker), 70 (prefork)
Server Backlog : 500 (connections)
Locale Setting : en_US.UTF-8
If I query the HTTPS server with httpie from command line, it works as expected (no CORS issues of course).
If I query the HTTPS server from my web app, I get CORS issue:
OPTIONS https://127.0.0.1:8001/api/v1/auth-token/
XMLHttpRequest cannot load https://127.0.0.1:8001/api/v1/auth-token/. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8080' is therefore not allowed access. The response had HTTP status code 403.
In addition, the configuration generated for mod_wsgi server doesn't seem to set the headers to allow CORS
Server Conf : /tmp/mod_wsgi-0.0.0.0:8001:1000/httpd.conf
I am new to Django and I am not sure at which level should the CORS for HTTPS be configured.
I tried to configure it in /etc/apache2/sites-enabled/000-default.conf unsuccessfully
<VirtualHost *>
Header set Access-Control-Allow-Origin "*"
</VirtualHost>
Best, Nicolas
Setting /etc/apache2/sites-enabled/000-default.conf does nothing for mod_wsgi-express. They are completely separate, with mod_wsgi-express ignoring any system Apache installation configuration files.
If you need to add that extra Apache httpd configuration directive when using mod_wsgi-express, add it to a file called extra.conf as just:
Header set Access-Control-Allow-Origin "*"
and then run mod_wsgi-express as:
python manage.py runmodwsgi --host 0.0.0.0 --port 8001 --https-port 8000 --ssl-certificate-file ../utils/ssl_cert/local.crt --ssl-certificate-key-file ../utils/ssl_cert/local.key --processes 8 --server-name localhost --https-only --reload-on-changes --include-file extra.conf