Commit 389697e2816efcb2d862d22394d1c30a25c297ab

Authored by Andrew Buss
1 parent 067b98230b
Exists in master

Embiggened security settings. Pay attention to X-Forwarded-Proto

Showing 2 changed files with 3 additions and 0 deletions Inline Diff

flashy/settings.py View file @ 389697e
# Build paths inside the project like this: os.path.join(BASE_DIR, ...) 1 1 # Build paths inside the project like this: os.path.join(BASE_DIR, ...)
import os 2 2 import os
3 3
BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__))) 4 4 BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
5 5
IN_PRODUCTION = 'FLASHY_PRODUCTION' in os.environ 6 6 IN_PRODUCTION = 'FLASHY_PRODUCTION' in os.environ
7 7
DEBUG = not IN_PRODUCTION 8 8 DEBUG = not IN_PRODUCTION
9 9
ALLOWED_HOSTS = [] 10 10 ALLOWED_HOSTS = []
11 11
AUTH_USER_MODEL = 'flashcards.User' 12 12 AUTH_USER_MODEL = 'flashcards.User'
13 13
INSTALLED_APPS = ( 14 14 INSTALLED_APPS = (
'simple_email_confirmation', 15 15 'simple_email_confirmation',
'flashcards', 16 16 'flashcards',
'django.contrib.admin', 17 17 'django.contrib.admin',
'django.contrib.admindocs', 18 18 'django.contrib.admindocs',
'django.contrib.auth', 19 19 'django.contrib.auth',
'django.contrib.contenttypes', 20 20 'django.contrib.contenttypes',
'django.contrib.sessions', 21 21 'django.contrib.sessions',
'django.contrib.messages', 22 22 'django.contrib.messages',
'django.contrib.staticfiles', 23 23 'django.contrib.staticfiles',
'django_ses', 24 24 'django_ses',
'rest_framework_swagger', 25 25 'rest_framework_swagger',
'rest_framework', 26 26 'rest_framework',
) 27 27 )
28 28
REST_FRAMEWORK = { 29 29 REST_FRAMEWORK = {
'DEFAULT_PAGINATION_CLASS': 'rest_framework.pagination.CursorPagination', 30 30 'DEFAULT_PAGINATION_CLASS': 'rest_framework.pagination.CursorPagination',
'PAGE_SIZE': 20 31 31 'PAGE_SIZE': 20
} 32 32 }
33 33
MIDDLEWARE_CLASSES = ( 34 34 MIDDLEWARE_CLASSES = (
'django.contrib.sessions.middleware.SessionMiddleware', 35 35 'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.common.CommonMiddleware', 36 36 'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware', 37 37 'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware', 38 38 'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.auth.middleware.SessionAuthenticationMiddleware', 39 39 'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware', 40 40 'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware', 41 41 'django.middleware.clickjacking.XFrameOptionsMiddleware',
'django.middleware.security.SecurityMiddleware', 42 42 'django.middleware.security.SecurityMiddleware',
) 43 43 )
44 44
ROOT_URLCONF = 'flashy.urls' 45 45 ROOT_URLCONF = 'flashy.urls'
46 46
AUTHENTICATION_BACKENDS = ( 47 47 AUTHENTICATION_BACKENDS = (
'django.contrib.auth.backends.ModelBackend', 48 48 'django.contrib.auth.backends.ModelBackend',
) 49 49 )
50 50
TEMPLATES = [ 51 51 TEMPLATES = [
{ 52 52 {
'BACKEND': 'django.template.backends.django.DjangoTemplates', 53 53 'BACKEND': 'django.template.backends.django.DjangoTemplates',
'DIRS': ['templates/'], 54 54 'DIRS': ['templates/'],
'APP_DIRS': True, 55 55 'APP_DIRS': True,
'OPTIONS': { 56 56 'OPTIONS': {
'context_processors': [ 57 57 'context_processors': [
'django.template.context_processors.debug', 58 58 'django.template.context_processors.debug',
'django.template.context_processors.request', 59 59 'django.template.context_processors.request',
'django.contrib.auth.context_processors.auth', 60 60 'django.contrib.auth.context_processors.auth',
'django.contrib.messages.context_processors.messages', 61 61 'django.contrib.messages.context_processors.messages',
], 62 62 ],
}, 63 63 },
}, 64 64 },
] 65 65 ]
66 66
WSGI_APPLICATION = 'flashy.wsgi.application' 67 67 WSGI_APPLICATION = 'flashy.wsgi.application'
68 68
DATABASES = { 69 69 DATABASES = {
'default': { 70 70 'default': {
'ENGINE': 'django.db.backends.sqlite3', 71 71 'ENGINE': 'django.db.backends.sqlite3',
'NAME': os.path.join(BASE_DIR, 'db.sqlite3'), 72 72 'NAME': os.path.join(BASE_DIR, 'db.sqlite3'),
} 73 73 }
} 74 74 }
75 75
LANGUAGE_CODE = 'en-us' 76 76 LANGUAGE_CODE = 'en-us'
TIME_ZONE = 'America/Los_Angeles' 77 77 TIME_ZONE = 'America/Los_Angeles'
USE_I18N = True 78 78 USE_I18N = True
USE_L10N = True 79 79 USE_L10N = True
USE_TZ = True 80 80 USE_TZ = True
81 81
STATIC_URL = '/static/' 82 82 STATIC_URL = '/static/'
STATIC_ROOT = 'static' 83 83 STATIC_ROOT = 'static'
84 84
# Four settings just to be sure 85 85 # Four settings just to be sure
EMAIL_FROM = 'noreply@flashy.cards' 86 86 EMAIL_FROM = 'noreply@flashy.cards'
EMAIL_HOST_USER = 'noreply@flashy.cards' 87 87 EMAIL_HOST_USER = 'noreply@flashy.cards'
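--- a/nginxconf/flashy.cards
+++ b/nginxconf/flashy.cards
@@ -1,48 +1,50 @@
 upstream backend_production {
 # server unix:/tmp/flashy.sock;
 server localhost:7001;
 }
 
 server {
 server_name flashy.cards;
 listen 443 ssl;
 location / {
 root /srv/flashy.cards/;
 }
 
 location ^~ /static {
 root /srv/;
 access_log off;
 expires 30d;
 }
 
 location ^~ /app {
 alias /srv/flashy-frontend;
 }
 
 location ~ /(api|admin|api-auth)/ {
 proxy_pass http://backend_production;
 proxy_redirect http://backend_production $scheme://flashy.cards;
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
 }
 
 location ^~ /jenkins {
 proxy_pass http://localhost:8080;
 proxy_redirect http://localhost:8080 $scheme://flashy.cards;
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
 proxy_read_timeout 90;
 }
 ssl_certificate /etc/nginx/ssl/bundle.crt;
 ssl_certificate_key /etc/nginx/ssl/nginx.key;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
 ssl_prefer_server_ciphers on;
 keepalive_timeout 70;
 ssl_session_cache shared:SSL:10m;
 ssl_session_timeout 10m;
 add_header Strict-Transport-Security "max-age=259200";
 }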
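Review bot: The added `proxy_set_header X-Forwarded-Proto $scheme;` lines (new lines 29 and 38) only take effect if Django is configured to trust that header through SECURE_PROXY_SSL_HEADER, and the flashy/settings.py section rendered on this page contains no such line, so that half of the change is either missing or cut off from this view. Setting the header unconditionally from `$scheme` is the right shape, because it replaces any client-supplied value rather than passing it through to the backend. That trust is sound only while the backend at localhost:7001 (line 3) is reachable exclusively through this proxy, which the nginx config cannot enforce by itself. I would record the assumption next to the upstream block: `# upstream must be reachable only via this proxy; X-Forwarded-Proto is trusted downstream`.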