SSL Security (HTTPS) in Django one-click-install configuration

Hello All, I am quite new to server administration, especially on Linux, but if I understand correctly the Droplet I created with DO’s Django one-click-install is set up so that only Nginx is exposed, and it both serves static files and works as a proxy for Gunicorn, which handles all Django pages.

According to Django Doc (, when Django is served behind a proxy, I need to set the SECURE_PROXY_SSL_HEADER (in my

Also, the Django docs have this BIG WARNING where they say I have to make sure that:

  • Your proxy strips the X-Forwarded-Proto header from all incoming requests. In other words, if end users include that header in their requests, the proxy will discard it.
  • Your proxy sets the X-Forwarded-Proto header and sends it to Django, but only for requests that originally come in via HTTPS.

How do I do that? And how do I do that “properly”, avoiding any security holes?

Following is my Nginx settings file (based on DO’s guides I found). I do not completely understand the “location” block toward the end… is it properly configured for secure HTTPS? (proxy_redirect is off, and proxy_pass is set to the non-secure address http://app_server, which I do not understand; does it have to do with Gunicorn?)

Thanks for any help you might provide :)

  upstream app_server {
    # address of the Gunicorn backend (omitted in the original post)
    server fail_timeout=0;
  }

  # redirect all requests to SSL
  server {
    # v.  requests-to-https-while-maintaining-sub-dom

    listen 80;
    listen [::]:80 ipv6only=on;

    return 301 https://$host$request_uri;
  }

  # SSL
  server {
    listen 443 default_server;
    listen [::]:443 default_server ipv6only=on;

    root /usr/share/nginx/html;
    index index.html index.htm;

    client_max_body_size 4G;

    keepalive_timeout 5;

    # Use HTTP Strict Transport Security (HSTS)
    #  v. Django Doc:
    #  v.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

    # Your Django project's media files - amend as required
    location /media  {
        alias /home/django/MyMemoProject/MyMemoProject/media;
    }

    # your Django project's static files - amend as required
    location /static {
        alias /home/django/MyMemoProject/static;
    }

    # everything else is proxied to Gunicorn over plain HTTP on the host
    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_pass http://app_server;
    }

    ssl on;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
  }

This question was answered by @cattiveria:

I just found someone who had the same problem a couple of years ago. If this ( is still valid, my solution would simply be to add this line to the “location” block of my config file:

proxy_set_header X-Forwarded-Proto $scheme;

Is this correct? Also, even if adding the line is enough, any further clarification/explanation is more than welcome, as I still do not understand how everything comes together, and leaving security holes is quite easy when one is ignorant ;)

Thanks again!

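To make the two bullet points from the Django docs, and the `proxy_set_header X-Forwarded-Proto $scheme;` line suggested in the answer, concrete, here is an added Python model. It is written for this page and is not code from the original post, from Django or from nginx. It re-implements the comparison that SECURE_PROXY_SSL_HEADER turns on (compare Django's HttpRequest.scheme) and runs two sample requests through two proxy models: one that passes the client's X-Forwarded-Proto through untouched, and one that overwrites it from the connection the proxy itself terminated, which is what the nginx directive does. The Request class, the two proxy functions and the sample requests are constructed for the demonstration; the comma-splitting of the header value mirrors what current Django releases do.

```python
"""Model of how Django decides request.is_secure() behind a reverse proxy.

Added illustration for this page, not Django's or nginx's own code. It
re-implements the comparison that SECURE_PROXY_SSL_HEADER enables (compare
Django's HttpRequest.scheme) and models two proxy behaviours: forwarding
the client's X-Forwarded-Proto untouched, versus overwriting it from the
transport the proxy itself terminated (the effect of nginx's
'proxy_set_header X-Forwarded-Proto $scheme;').
"""

from dataclasses import dataclass, field

# Same shape as the Django setting discussed in the question.
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")


@dataclass
class Request:
    """Constructed stand-in for a request as the proxy saw it."""

    transport: str  # "http" or "https" on the client-to-proxy hop
    headers: dict = field(default_factory=dict)  # headers sent by the client


def passthrough_proxy(req: Request) -> dict:
    """Unsafe: the client's headers reach the app untouched, so a client on
    plain HTTP can simply claim 'X-Forwarded-Proto: https'."""
    return dict(req.headers)


def overwriting_proxy(req: Request) -> dict:
    """Safe: drop whatever the client sent under that name and set the
    header from the scheme the proxy terminated, like nginx's
    'proxy_set_header X-Forwarded-Proto $scheme;'."""
    forwarded = {k: v for k, v in req.headers.items() if k.lower() != "x-forwarded-proto"}
    forwarded["X-Forwarded-Proto"] = req.transport
    return forwarded


def wsgi_meta(headers: dict) -> dict:
    """Header names become WSGI META keys: X-Forwarded-Proto -> HTTP_X_FORWARDED_PROTO."""
    return {"HTTP_" + name.upper().replace("-", "_"): value for name, value in headers.items()}


def django_scheme(meta: dict, setting=SECURE_PROXY_SSL_HEADER) -> str:
    """Model of Django's HttpRequest.scheme with SECURE_PROXY_SSL_HEADER set.

    The request counts as https only if the configured header is present and
    its (first, if comma-separated) value equals the configured value
    exactly; a case difference such as 'HTTPS' does not match.
    """
    header, secure_value = setting
    value = meta.get(header)
    if value is None:
        # No proxy header at all: Django falls back to the scheme of its own
        # connection, which in this model is the plain HTTP hop to Gunicorn.
        return "http"
    first, *_ = value.split(",", 1)
    return "https" if first.strip() == secure_value else "http"


def is_secure(req: Request, proxy) -> bool:
    """Run a request through the given proxy model and apply Django's check."""
    return django_scheme(wsgi_meta(proxy(req))) == "https"


# Constructed sample requests.
HONEST_HTTPS = Request("https", {"Host": "example.com"})
SPOOFED_HTTP = Request("http", {"Host": "example.com", "X-Forwarded-Proto": "https"})


def compare() -> dict:
    """is_secure() for each sample request under each proxy model."""
    return {
        "passthrough": {
            "honest_https": is_secure(HONEST_HTTPS, passthrough_proxy),  # False
            "spoofed_http": is_secure(SPOOFED_HTTP, passthrough_proxy),  # True
        },
        "overwriting": {
            "honest_https": is_secure(HONEST_HTTPS, overwriting_proxy),  # True
            "spoofed_http": is_secure(SPOOFED_HTTP, overwriting_proxy),  # False
        },
    }


if __name__ == "__main__":
    for proxy_name, results in compare().items():
        print(proxy_name, results)
```

With the passthrough proxy an honest HTTPS request is treated as plain http (no header ever arrives, which is the situation in the posted config, where nothing sets X-Forwarded-Proto), while a plain-HTTP request that forges the header is treated as secure. With the overwriting proxy the result follows the real transport in both cases. In the posted config the port-80 server only issues a 301, so a plain-HTTP request never reaches Gunicorn; the point of the nginx directive is that the trust decision is made by the proxy from what it terminated, never from a header the client chose to send.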