1、django.middleware.common.CommonMiddleware
功能:通用中间件,会处理一些URL,比如baidu.com会自动的处理成www.baidu.com。比如/blog/111会处理成/blog/111/自动加上反斜杠,还有能对User-Agent进行限制:限制settings.DISALLOWED_USER_AGENTS中指定的请求头来访问本网站。DISALLOWED_USER_AGENTS是一个正则表达式列表。
实例代码:
import re
DISALLOWED_USER_AGENTS = [
re.compile(r'^\s$|^$') 空白字符或空字符
re.compile(r'.*PhantomJS.*') 包含PhantomJS
]
但是,如果请求中不带User-Agent字段,就不能进行检验,因此要自定义中间件。
def process_request(self, request):
"""
Check for denied User-Agents and rewrite the URL based on
settings.APPEND_SLASH and settings.PREPEND_WWW
"""
#检查User-Agents
# Check for denied User-Agents
if 'HTTP_USER_AGENT' in request.META:
for user_agent_regex in settings.DISALLOWED_USER_AGENTS:
if user_agent_regex.search(request.META['HTTP_USER_AGENT']):
raise PermissionDenied('Forbidden user agent')
#检查WWW,没有就给你添加
# Check for a redirect based on settings.PREPEND_WWW
host = request.get_host()
must_prepend = settings.PREPEND_WWW and host and not host.startswith('www.')
redirect_url = ('%s://www.%s' % (request.scheme, host)) if must_prepend else ''
#检查是否应附加斜线
# Check if a slash should be appended
if self.should_redirect_with_slash(request):
path = self.get_full_path_with_slash(request)
else:
path = request.get_full_path()
#必要时返回重定向
# Return a redirect if necessary
if redirect_url or path != request.get_full_path():
redirect_url += path
return self.response_redirect_class(redirect_url)
2、django.middleware.gzip.GZipMiddleware
功能:将响应数据进行压缩,如果内容长度少于200字符,那么就不会压缩。
class GZipMiddleware(MiddlewareMixin):
"""
Compress content if the browser allows gzip compression.
Set the Vary header accordingly, so that caches will base their storage
on the Accept-Encoding header.
"""
def process_response(self, request, response):
# It's not worth attempting to compress really short responses.
if not response.streaming and len(response.content) < 200:
return response
# Avoid gzipping if we've already got a content-encoding.
if response.has_header('Content-Encoding'):
return response
patch_vary_headers(response, ('Accept-Encoding',))
ae = request.META.get('HTTP_ACCEPT_ENCODING', '')
if not re_accepts_gzip.search(ae):
return response
if response.streaming:
# Delete the `Content-Length` header for streaming content, because
# we won't know the compressed size until we stream it.
response.streaming_content = compress_sequence(response.streaming_content)
del response['Content-Length']
else:
# Return the compressed content only if it's actually shorter.
compressed_content = compress_string(response.content)
if len(compressed_content) >= len(response.content):
return response
response.content = compressed_content
response['Content-Length'] = str(len(response.content))
# If there is a strong ETag, make it weak to fulfill the requirements
# of RFC 7232 section-2.1 while also allowing conditional request
# matches on ETags.
etag = response.get('ETag')
if etag and etag.startswith('"'):
response['ETag'] = 'W/' + etag
response['Content-Encoding'] = 'gzip'
return response
3、django.contrib.messages.middleware.MessageMiddleware
功能:消息中间件。展示一些后台信息给前端页面。如果需要用到消息,还需要在INSTALLED_APPS中添加django.contrib.message才能有效。如果不需要,可以把这两个都删除。
4、django.middleware.security.SecurityMiddleware
功能:做了一些安全处理的中间件。比如xss防御的请求头,比如做了http协议转https协议的工作等。
SECURE_SSL_REDIRECT = True # 所有的HTTP将重定向到HTTPS
5、django.contrib.sessions.middleware.SessionMiddleware
功能:session支持中间件,加入这个中间件,会给request对象添加一个处理好的session对象。
class SessionMiddleware(MiddlewareMixin):
def __init__(self, get_response=None):
self.get_response = get_response
engine = import_module(settings.SESSION_ENGINE)
self.SessionStore = engine.SessionStore
#从session中拿到数据赋值给request.session
def process_request(self, request):
session_key = request.COOKIES.get(settings.SESSION_COOKIE_NAME)
request.session = self.SessionStore(session_key)
... ...
6、django.contrib.auth.middleware.AuthenticationMiddleware
功能:会给request添加一个user对象的中间件。
class AuthenticationMiddleware(MiddlewareMixin):
def process_request(self, request):
assert hasattr(request, 'session'), (
"The Django authentication middleware requires session middleware "
"to be installed. Edit your MIDDLEWARE%s setting to insert "
"'django.contrib.sessions.middleware.SessionMiddleware' before "
"'django.contrib.auth.middleware.AuthenticationMiddleware'."
) % ("_CLASSES" if settings.MIDDLEWARE is None else "")
#赋值给request的user属性
request.user = SimpleLazyObject(lambda: get_user(request))
7、django.middleware.csrf.CsrfViewMiddleware
功能:进行csrf校验
#返回一个tokon值
def get_token(request):
"""
Return the CSRF token required for a POST form. The token is an
alphanumeric value. A new token is created if one is not already set.
A side effect of calling this function is to make the csrf_protect
decorator and the CsrfViewMiddleware add a CSRF cookie and a 'Vary: Cookie'
header to the outgoing response. For this reason, you may need to use this
function lazily, as is done by the csrf context processor.
"""
if "CSRF_COOKIE" not in request.META:
csrf_secret = _get_new_csrf_string()
request.META["CSRF_COOKIE"] = _salt_cipher_secret(csrf_secret)
else:
csrf_secret = _unsalt_cipher_token(request.META["CSRF_COOKIE"])
request.META["CSRF_COOKIE_USED"] = True
return _salt_cipher_secret(csrf_secret)
8、django.middleware.clickjacking.XFrameOptionsMiddleware
功能:防止通过浏览器页面跨Frame出现clickjacking(欺骗点击)攻击出现。
9、缓存中间件django.middleware.cache.UpdateCacheMiddleware, django.middleware.cache.FetchFromCacheMiddleware
功能:用来缓存一些页面
中间件放置顺序:因为有些中间件是需要前面的中间件中的一些变量的,所以必须要按一定的顺序才能够运行。
内置中间件放置顺序:
1、SecurityMiddleware : 应该放到最前面。首先这个中间件执行不依赖任何其他的中间件,其次如果你的网站支持http和https两种协议,可以处理http请求转化为https请求,就没必要处理完其他中间件后再重定向到https协议,那样可能会浪费,执行效率更快。
2、UpdateCacheMiddleware :应该在SessionMiddleware,GZipMiddleware,LocaleMiddleware之前
3、GZipMiddleware
4、ConditionalGetMiddleware
5、SessionMiddleware
6、LocaleMiddleware
7、CommonMiddleware
8、CsrfViewMiddleware
9、AuthenticationMiddleware
10、MessageMiddleware
11、FetchFromCacheMiddleware
12、FlatpageFallbackMiddleware
13、RedirectFallbackMiddleware