diff --git a/app/reimbursinator/settings.py b/app/reimbursinator/settings.py
index fb4838a..7f5c37c 100644
--- a/app/reimbursinator/settings.py
+++ b/app/reimbursinator/settings.py
@@ -118,3 +118,9 @@ USE_TZ = True
 # https://docs.djangoproject.com/en/2.1/howto/static-files/
 STATIC_URL = '/static/'
+
+# SSL Configuration
+SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+SECURE_SSL_REDIRECT = True
+SESSION_COOKIE_SECURE = True
+CSRF_COOKIE_SECURE = True
diff --git a/config/default.conf b/config/default.conf
new file mode 100644
index 0000000..afe9949
--- /dev/null
+++ b/config/default.conf
@@ -0,0 +1,22 @@
+server {
+ server_name localhost;
+
+ listen 443;
+
+ ssl on;
+ ssl_certificate /etc/ssl/selfsigned.crt;
+ ssl_certificate_key /etc/ssl/selfsigned.key;
+
+ client_max_body_size 4G;
+
+ error_page 500 502 503 504 /50x.html;
+
+ location = /50x.html {
+ root /usr/share/nginx/html;
+ }
+
+ location / {
+ root /usr/share/nginx/html;
+ index index.html index.htm;
+ }
+}
diff --git a/config/nginx.conf b/config/nginx.conf
new file mode 100644
index 0000000..e4bad8d
--- /dev/null
+++ b/config/nginx.conf
@@ -0,0 +1,32 @@
+
+user nginx;
+worker_processes 1;
+
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+
+
+events {
+ worker_connections 1024;
+}
+
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ keepalive_timeout 65;
+
+ #gzip on;
+
+ include /etc/nginx/conf.d/*.conf;
+}
diff --git a/config/selfsigned.crt b/config/selfsigned.crt
new file mode 100644
index 0000000..6ec4a31
--- /dev/null
+++ b/config/selfsigned.crt
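Review bot: `SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')` tells Django to treat any request carrying a client-supplied `X-Forwarded-Proto: https` header as secure, and nothing in this commit puts a proxy in front of gunicorn to strip that header — docker-compose publishes gunicorn straight to host port 8444 and default.conf has no proxy_pass to it. Since gunicorn terminates TLS itself via --certfile/--keyfile it should already report an https url_scheme, so the setting adds nothing here and would let a plain-HTTP client skip `SECURE_SSL_REDIRECT` the moment an http listener is reintroduced. Drop it until a reverse proxy actually sets the header, or gate it on an environment flag, e.g. `SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https') if os.environ.get('TRUST_PROXY_SSL_HEADER') else None` (settings.py normally already imports os — confirm). Once clients trust the certificate, `SECURE_HSTS_SECONDS` belongs next to the redirect, and the `# SSL Configuration` comment should say which deployment shape these flags assume.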
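Review bot: The server block turns on TLS with `ssl on;` under `listen 443;` but sets no `ssl_protocols` or cipher policy, so this nginx uses its built-in defaults, which on the 1.10.x line still admit TLSv1 and TLSv1.1. Use the non-deprecated listen form and pin the protocol set: `listen 443 ssl;`, `ssl_protocols TLSv1.2;`, `ssl_prefer_server_ciphers on;`, and add a Strict-Transport-Security header once the certificate is one clients actually trust. `client_max_body_size 4G;` is very large for a server that only serves files out of /usr/share/nginx/html — there is no proxy_pass or upload location in this file — and mainly invites slow, resource-consuming request bodies; drop it or scope it to the location that needs it. `server_name localhost;` is hard-coded while docker-compose sets NGINX_HOST=reimbursinator.com; as far as I can tell the stock nginx:1.10.3 image does no environment templating, so that variable never reaches this file.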
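Review bot: The `http` block is the stock upstream nginx.conf and leaves `server_tokens` at its default (on), so every response header and error page advertises the exact nginx version — 1.10.3 according to docker-compose — to anyone probing the host. Add `server_tokens off;` next to `sendfile on;`; it costs nothing and removes a free fingerprint for version-specific exploits. `worker_processes 1;` is also hard-coded where `worker_processes auto;` is the usual choice, but that is tuning rather than security.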
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDVDCCAjygAwIBAgIJANSXcVJxmIYNMA0GCSqGSIb3DQEBCwUAMD8xCzAJBgNV +BAYTAlVTMQ8wDQYDVQQIDAZPcmVnb24xETAPBgNVBAcMCFBvcnRsYW5kMQwwCgYD +VQQKDANQU1UwHhcNMTgxMjIyMTczMjMwWhcNMTkxMjIyMTczMjMwWjA/MQswCQYD +VQQGEwJVUzEPMA0GA1UECAwGT3JlZ29uMREwDwYDVQQHDAhQb3J0bGFuZDEMMAoG +A1UECgwDUFNVMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzBLLMprD +v1BVODoKHrt+QAd1vDuw0UCR61ytWNQSjMWG+rl4MD+gHq/BK4r2RiuC4E+mLe0O +pEYdyVC2K5BBs5jS8XD+DML66rSNxMaSvBgRtmlWqBEbI14h2uReQmr0v/lKJlqS +i5UemkdfNZkMy3xPmnRPvbwu4raPbUpTlrKs/lpc6sNKxNWudbsfIocGFbOHTlGE +y9ii1L2z6Bsfla5yvVujttFw/QsZyImdThDruphI54jS40JG/BDxjwDB8MOAAmrB +KlvG+GlcdiTBRg0XSeVBp3kBg/O+ImZV4TOlEcdX4g0NzAMIQ3hokhr82H4JXE33 +zcAHb0mVSXCkowIDAQABo1MwUTAdBgNVHQ4EFgQUX3KwNO6WuuYrUgaBvctCMolv +VH4wHwYDVR0jBBgwFoAUX3KwNO6WuuYrUgaBvctCMolvVH4wDwYDVR0TAQH/BAUw +AwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAP20CbT+Nd+Z5VxW3jzjDRz6eKIQ6cwU0 +9juOh2aTKe3dm3b2Y5Ddg8T6cDIaOjWIt0UeoxdueCC8nmGskrWU9aYHNrxgKff/ +qrWv9hNseslkNyX52J0VhI7bFXs/UWro0ZXcpGhgZy51oFErGvLdpLp02pvaqP6B +SQOkHLiVGS50l9/GAyHcxFSQ4MCdqyhx3q9QiyFCvmpfCBoBVFjOBS9Ac2XBLoo8 +7p8JplZ5NSazw4if1+ilz/sAzpUyYAgISUuzzFlAPI6tHgN1t6NrbWflKAsV75qc +/zYm9q2XIGQmr4QN0v8lU/AYavD3HgQ4Jgbxt3MTZRxpVFggKDqnJw== +-----END CERTIFICATE----- diff --git a/config/selfsigned.key b/config/selfsigned.key new file mode 100644 index 0000000..93d74a0 --- /dev/null +++ b/config/selfsigned.key 
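Review bot: Decoding the DER, this certificate appears to be a `req -x509`-style self-signed certificate with basicConstraints CA:TRUE, a subject containing only C/ST/L/O (no CN and no subjectAltName), and a one-year validity starting 2018-12-22 — please confirm with `openssl x509 -in config/selfsigned.crt -noout -text`. With no name in it no TLS client can match the hostname, so anyone talking to these containers ends up disabling certificate verification, and after the year is up the whole `SECURE_SSL_REDIRECT` setup simply stops working. Because the matching private key is committed in the same commit, this certificate must never be imported into a trust store: a CA:TRUE certificate whose key is public lets anyone mint trusted certificates for any site on that machine. Generate per-environment certificates at build or first-start time (e.g. in the Dockerfile or an entrypoint, with a subjectAltName for localhost) instead of checking in a fixed one.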
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDMEssymsO/UFU4 +Ogoeu35AB3W8O7DRQJHrXK1Y1BKMxYb6uXgwP6Aer8ErivZGK4LgT6Yt7Q6kRh3J +ULYrkEGzmNLxcP4MwvrqtI3ExpK8GBG2aVaoERsjXiHa5F5CavS/+UomWpKLlR6a +R181mQzLfE+adE+9vC7ito9tSlOWsqz+Wlzqw0rE1a51ux8ihwYVs4dOUYTL2KLU +vbPoGx+VrnK9W6O20XD9CxnIiZ1OEOu6mEjniNLjQkb8EPGPAMHww4ACasEqW8b4 +aVx2JMFGDRdJ5UGneQGD874iZlXhM6URx1fiDQ3MAwhDeGiSGvzYfglcTffNwAdv +SZVJcKSjAgMBAAECggEBAI4NKvp/tnBOh/OKmw7Hbls9lhu/5RXTf3841MV3Ya4x +tQKD5gCX2Wpi5vDbWxB/Kyve5Yskb0O0NvmyQAxU7xcH8xXzlDPn6WdE5UYq/2sE +yheSfaqhtaVJ2gEXY/GRp+qVqaLG+ylEVLgJpGGXtstSLcsS2Yr2GiDf+TiXO1Yy +rW/jvxLn4svKhdnHdTyYjGvhLzVSkEOv7TJQy0o51l7ORZJI61oxLRMU4Y8qsoeq +zHv9ij0zgvetBwd2L6SmDYltnDkt8hvIOR0xYM/rkGSV4iaZnERiG+8EyBSIws4V +T56Nl87fbbmro1HozMStQz4+CqMqnPOU7ZD1v4xYZaECgYEA6Cga2NoqBPSQp8O+ +eWaQGdxFU+rabmw2TmPO52HTLiaxxpKtJmLrPFYd2uF4blosFdOzXXLZaedTtjxl +mffBPMMfnGYes7Ovj8c/MIs+/7UDQSmXfHy8ButPESX8sCn3bQJ+6GUt25oMxk7H +UDuJNHS9pszM1yKpJd1aaYswQFMCgYEA4QhR+/MQiL7+uv3lBDZj+YnamfTPNc8T +Yj0rqmTilj7XNOuwAyqD/93zHhiq32Y1OlXtV3RQ8/wbG2wWZVoD1rr5vpGjt4cO +mEcWPSCBAIA61tjuEa1Gf1LKW5NIt0rfaha3nja5bQ5CH0oP1WNQPoTGVYX/LUhG +ED5AOS7CwHECgYBcsX6erOTwG5ISWfaYVFoe6TMJIZFbW3uHaxR2kDmYiLyck33t +ALv52EyNU08ZiIlnoaJRIoUqYsGq1oyeoCyYjTP251NE3u6vEpfpUv+xa13ES83/ +V3JftN5Z83fkAq2W6dMwCQ35S5XkLBoqr8rFlgMPMWBsWZt90dbCo199nwKBgBNI +kz3z5kbRlyKO/0ENKCQKHCF1SQxjYlXYyBUh8AjP+cEfMUYULpuOeXbqxjm+mHEX +S+9imE1QHUKMUJ7+x7Vu8FfUQyNG/4ktDkrOrj9Mvb4LeNsq7g+bGJwgUuriD6MX +r0RvjBQ8VI452oF+sTGqTxSlFujaeKaLrxU3XJkBAoGBANrzsUqEOQoIv9/KW/ls +BjXxGyKqrsnIjB7x0GCmncQoeqB3ADPisyxf45Oiz39W/4s3mz9KKpy5EvJAynsZ +oiWhErOhJoGER/DnziBE4TPUPjibUf7tahIqNOIxd+FJzK4mbOwMmhbpxIfNkdDv +xyLJt4Bq0TJk5knLD+w9Q0+2 +-----END PRIVATE KEY----- diff --git a/docker-compose.yml b/docker-compose.yml index f9c5ffc..9b8a9e2 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
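Review bot: `config/selfsigned.key` is an unencrypted RSA private key committed to the repository, and this commit also bind-mounts it into both containers, so anyone with read access to the repo — or its history, indefinitely — can impersonate the service and decrypt any session negotiated without forward secrecy; being self-signed does not make the key safe to publish. Treat it as compromised: remove it from git, add `config/*.key` (and the .crt) to .gitignore, and generate the pair at build or first-start time, or deliver it via Docker secrets or a host directory outside version control. If this key was ever used anywhere other than a throwaway local container, rotate it. A short README or Makefile target such as `openssl req -x509 -newkey rsa:2048 -nodes -keyout config/selfsigned.key -out config/selfsigned.crt -days 365 -subj /CN=localhost` lets developers reproduce it without sharing one.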
@@ -3,20 +3,25 @@ version: '3.6'
 services:
 api:
 build: ./app
- command: gunicorn reimbursinator.wsgi:application --bind 0.0.0.0:81
+ command: gunicorn reimbursinator.wsgi:application --bind 0.0.0.0:444 --keyfile /etc/ssl/selfsigned.key --certfile /etc/ssl/selfsigned.crt
 volumes:
 - ./app/:/usr/src/app/
+ - ./config/selfsigned.key:/etc/ssl/selfsigned.key
+ - ./config/selfsigned.crt:/etc/ssl/selfsigned.crt
 ports:
- - 8001:81
+ - "8444:444"
 environment:
 - SECRET_KEY=please_change
 web:
 image: nginx:1.10.3
 volumes:
 - ./static:/usr/share/nginx/html
+ - ./config/default.conf:/etc/nginx/conf.d/default.conf
+ - ./config/selfsigned.key:/etc/ssl/selfsigned.key
+ - ./config/selfsigned.crt:/etc/ssl/selfsigned.crt
 ports:
- - "8000:80"
+ - "8443:443"
 environment:
 - NGINX_HOST=reimbursinator.com
- - NGINX_PORT=80
+ - NGINX_PORT=443
 command: /bin/bash -c "exec nginx -g 'daemon off;'"
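Review bot: The api service is now published on the host as `"8444:444"` with its own TLS listener, so gunicorn is reachable without passing through nginx at all — default.conf has no `proxy_pass` — which defeats the point of the reverse proxy and exposes a second TLS endpoint, with gunicorn's own TLS defaults, to the network. Either stop publishing it and let nginx proxy to it (`expose: ["444"]` in place of `ports:`), or at minimum bind the mapping to loopback, `- "127.0.0.1:8444:444"`. Mounting the same `selfsigned.key` into both containers also doubles where the key lives; if nginx terminates TLS, gunicorn can stay plain HTTP on the internal compose network. `SECRET_KEY=please_change` is unchanged context but worth fixing in the same pass: kept in the compose file, every checkout shares the Django signing key and it shows up in `docker inspect` and the process environment.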