Switched both static and api servers over to SSL connection-only. Added self-signed certificate for testing.

2018-12-22 12:48:15 -06:00 · 2018-12-22 12:48:15 -06:00 · 2bdd44e1f6
commit 2bdd44e1f6
parent eee1bfb680
6 changed files with 117 additions and 4 deletions
--- a/app/reimbursinator/settings.py
+++ b/app/reimbursinator/settings.py
@ -118,3 +118,9 @@ USE_TZ = True
 # https://docs.djangoproject.com/en/2.1/howto/static-files/

 STATIC_URL = '/static/'
+
+# SSL Configuration
+SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+SECURE_SSL_REDIRECT = True
+SESSION_COOKIE_SECURE = True
+CSRF_COOKIE_SECURE = True
--- a/config/default.conf
+++ b/config/default.conf
@ -0,0 +1,22 @@
+server {
+    server_name localhost;
+    
+    listen 443;
+    
+    ssl on;
+    ssl_certificate /etc/ssl/selfsigned.crt;
+    ssl_certificate_key /etc/ssl/selfsigned.key;
+
+    client_max_body_size 4G;
+
+    error_page   500 502 503 504  /50x.html;
+    
+    location = /50x.html {
+        root   /usr/share/nginx/html;
+    }
+
+    location / {
+        root   /usr/share/nginx/html;
+        index  index.html index.htm;
+    }
+}
--- a/config/nginx.conf
+++ b/config/nginx.conf
@ -0,0 +1,32 @@
+
+user  nginx;
+worker_processes  1;
+
+error_log  /var/log/nginx/error.log warn;
+pid        /var/run/nginx.pid;
+
+
+events {
+    worker_connections  1024;
+}
+
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile        on;
+    #tcp_nopush     on;
+
+    keepalive_timeout  65;
+
+    #gzip  on;
+
+    include /etc/nginx/conf.d/*.conf;
+}
--- a/config/selfsigned.crt
+++ b/config/selfsigned.crt
@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDVDCCAjygAwIBAgIJANSXcVJxmIYNMA0GCSqGSIb3DQEBCwUAMD8xCzAJBgNV
+BAYTAlVTMQ8wDQYDVQQIDAZPcmVnb24xETAPBgNVBAcMCFBvcnRsYW5kMQwwCgYD
+VQQKDANQU1UwHhcNMTgxMjIyMTczMjMwWhcNMTkxMjIyMTczMjMwWjA/MQswCQYD
+VQQGEwJVUzEPMA0GA1UECAwGT3JlZ29uMREwDwYDVQQHDAhQb3J0bGFuZDEMMAoG
+A1UECgwDUFNVMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzBLLMprD
+v1BVODoKHrt+QAd1vDuw0UCR61ytWNQSjMWG+rl4MD+gHq/BK4r2RiuC4E+mLe0O
+pEYdyVC2K5BBs5jS8XD+DML66rSNxMaSvBgRtmlWqBEbI14h2uReQmr0v/lKJlqS
+i5UemkdfNZkMy3xPmnRPvbwu4raPbUpTlrKs/lpc6sNKxNWudbsfIocGFbOHTlGE
+y9ii1L2z6Bsfla5yvVujttFw/QsZyImdThDruphI54jS40JG/BDxjwDB8MOAAmrB
+KlvG+GlcdiTBRg0XSeVBp3kBg/O+ImZV4TOlEcdX4g0NzAMIQ3hokhr82H4JXE33
+zcAHb0mVSXCkowIDAQABo1MwUTAdBgNVHQ4EFgQUX3KwNO6WuuYrUgaBvctCMolv
+VH4wHwYDVR0jBBgwFoAUX3KwNO6WuuYrUgaBvctCMolvVH4wDwYDVR0TAQH/BAUw
+AwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAP20CbT+Nd+Z5VxW3jzjDRz6eKIQ6cwU0
+9juOh2aTKe3dm3b2Y5Ddg8T6cDIaOjWIt0UeoxdueCC8nmGskrWU9aYHNrxgKff/
+qrWv9hNseslkNyX52J0VhI7bFXs/UWro0ZXcpGhgZy51oFErGvLdpLp02pvaqP6B
+SQOkHLiVGS50l9/GAyHcxFSQ4MCdqyhx3q9QiyFCvmpfCBoBVFjOBS9Ac2XBLoo8
+7p8JplZ5NSazw4if1+ilz/sAzpUyYAgISUuzzFlAPI6tHgN1t6NrbWflKAsV75qc
+/zYm9q2XIGQmr4QN0v8lU/AYavD3HgQ4Jgbxt3MTZRxpVFggKDqnJw==
+-----END CERTIFICATE-----
--- a/config/selfsigned.key
+++ b/config/selfsigned.key
@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDMEssymsO/UFU4
+Ogoeu35AB3W8O7DRQJHrXK1Y1BKMxYb6uXgwP6Aer8ErivZGK4LgT6Yt7Q6kRh3J
+ULYrkEGzmNLxcP4MwvrqtI3ExpK8GBG2aVaoERsjXiHa5F5CavS/+UomWpKLlR6a
+R181mQzLfE+adE+9vC7ito9tSlOWsqz+Wlzqw0rE1a51ux8ihwYVs4dOUYTL2KLU
+vbPoGx+VrnK9W6O20XD9CxnIiZ1OEOu6mEjniNLjQkb8EPGPAMHww4ACasEqW8b4
+aVx2JMFGDRdJ5UGneQGD874iZlXhM6URx1fiDQ3MAwhDeGiSGvzYfglcTffNwAdv
+SZVJcKSjAgMBAAECggEBAI4NKvp/tnBOh/OKmw7Hbls9lhu/5RXTf3841MV3Ya4x
+tQKD5gCX2Wpi5vDbWxB/Kyve5Yskb0O0NvmyQAxU7xcH8xXzlDPn6WdE5UYq/2sE
+yheSfaqhtaVJ2gEXY/GRp+qVqaLG+ylEVLgJpGGXtstSLcsS2Yr2GiDf+TiXO1Yy
+rW/jvxLn4svKhdnHdTyYjGvhLzVSkEOv7TJQy0o51l7ORZJI61oxLRMU4Y8qsoeq
+zHv9ij0zgvetBwd2L6SmDYltnDkt8hvIOR0xYM/rkGSV4iaZnERiG+8EyBSIws4V
+T56Nl87fbbmro1HozMStQz4+CqMqnPOU7ZD1v4xYZaECgYEA6Cga2NoqBPSQp8O+
+eWaQGdxFU+rabmw2TmPO52HTLiaxxpKtJmLrPFYd2uF4blosFdOzXXLZaedTtjxl
+mffBPMMfnGYes7Ovj8c/MIs+/7UDQSmXfHy8ButPESX8sCn3bQJ+6GUt25oMxk7H
+UDuJNHS9pszM1yKpJd1aaYswQFMCgYEA4QhR+/MQiL7+uv3lBDZj+YnamfTPNc8T
+Yj0rqmTilj7XNOuwAyqD/93zHhiq32Y1OlXtV3RQ8/wbG2wWZVoD1rr5vpGjt4cO
+mEcWPSCBAIA61tjuEa1Gf1LKW5NIt0rfaha3nja5bQ5CH0oP1WNQPoTGVYX/LUhG
+ED5AOS7CwHECgYBcsX6erOTwG5ISWfaYVFoe6TMJIZFbW3uHaxR2kDmYiLyck33t
+ALv52EyNU08ZiIlnoaJRIoUqYsGq1oyeoCyYjTP251NE3u6vEpfpUv+xa13ES83/
+V3JftN5Z83fkAq2W6dMwCQ35S5XkLBoqr8rFlgMPMWBsWZt90dbCo199nwKBgBNI
+kz3z5kbRlyKO/0ENKCQKHCF1SQxjYlXYyBUh8AjP+cEfMUYULpuOeXbqxjm+mHEX
+S+9imE1QHUKMUJ7+x7Vu8FfUQyNG/4ktDkrOrj9Mvb4LeNsq7g+bGJwgUuriD6MX
+r0RvjBQ8VI452oF+sTGqTxSlFujaeKaLrxU3XJkBAoGBANrzsUqEOQoIv9/KW/ls
+BjXxGyKqrsnIjB7x0GCmncQoeqB3ADPisyxf45Oiz39W/4s3mz9KKpy5EvJAynsZ
+oiWhErOhJoGER/DnziBE4TPUPjibUf7tahIqNOIxd+FJzK4mbOwMmhbpxIfNkdDv
+xyLJt4Bq0TJk5knLD+w9Q0+2
+-----END PRIVATE KEY-----
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -3,20 +3,25 @@ version: '3.6'
 services:
  api:
    build: ./app
-    command: gunicorn reimbursinator.wsgi:application --bind 0.0.0.0:81
+    command: gunicorn reimbursinator.wsgi:application --bind 0.0.0.0:444 --keyfile /etc/ssl/selfsigned.key --certfile /etc/ssl/selfsigned.crt
    volumes:
      - ./app/:/usr/src/app/
+      - ./config/selfsigned.key:/etc/ssl/selfsigned.key
+      - ./config/selfsigned.crt:/etc/ssl/selfsigned.crt
    ports:
-      - 8001:81
+      - "8444:444"
    environment:
      - SECRET_KEY=please_change
  web:
    image: nginx:1.10.3
    volumes:
      - ./static:/usr/share/nginx/html
+      - ./config/default.conf:/etc/nginx/conf.d/default.conf
+      - ./config/selfsigned.key:/etc/ssl/selfsigned.key
+      - ./config/selfsigned.crt:/etc/ssl/selfsigned.crt
    ports:
-      - "8000:80"
+      - "8443:443"
    environment:
      - NGINX_HOST=reimbursinator.com
-      - NGINX_PORT=80
+      - NGINX_PORT=443
    command: /bin/bash -c "exec nginx -g 'daemon off;'"