Commit cf60b177 authored by Zenon Mousmoulas

Merge pull request #8 from REANNZ/fix-secure

Two minor security fixes: construct secure URLs (for uwsgi, with examples) and
mark cookies as secure
parents 5aa551de 6d829672
......@@ -20,6 +20,11 @@ ALLOWED_HOSTS = []
# Make this unique, and don't share it with anybody.
SECRET_KEY = '<put something really random here, eg. %$#%@#$^2312351345#$%3452345@#$%@#$234#@$hhzdavfsdcFDGVFSDGhn>'
# Check for headers indicating the request was received on a secure SSL connection
# Uncomment this if you are running DjNRO behind an HTTP proxy that sets this
# header for SSL connections (and protects it for non-SSL connections).
# SECURE_PROXY_SSL_HEADER = ('X-Forwarded-Protocol', 'https')
DATABASES = {
'default': {
'ENGINE': 'django.db.backends.', # Add 'postgresql_psycopg2', 'mysql', 'sqlite3' or 'oracle'.
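Review bot: The header name in the commented `SECURE_PROXY_SSL_HEADER` line will never match: Django looks the first tuple element up in `request.META`, where the WSGI layer exposes incoming headers upper-cased, with dashes replaced by underscores and an `HTTP_` prefix, so `'X-Forwarded-Protocol'` silently does nothing once uncommented. It should read `# SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOCOL', 'https')` to match the `X-Forwarded-Protocol` header the Apache example sets. The comment's "protects it for non-SSL connections" should also spell out what that means: the proxy must strip or overwrite any client-supplied `X-Forwarded-Protocol` on plain-HTTP requests, otherwise a client can claim HTTPS and defeat the secure-cookie handling this setting exists to support.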
......@@ -210,7 +210,8 @@ KML_FILE = os.path.join(PROJECT_DIR, 'all.kml')
EDUROAM_KML_URL = 'http://monitor.eduroam.org/kml/all.kml'
# Request session cookies to be marked as secure
SESSION_COOKIE_SECURE = True
TINYMCE_JS_URL = '/static/js/tinymce/tiny_mce.js'
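Review bot: `SESSION_COOKIE_SECURE = True` is set unconditionally in the settings template, so a deployment that serves DjNRO over plain HTTP (or over a proxy without `SECURE_PROXY_SSL_HEADER` configured) will have its session cookie never returned by the browser and logins will fail silently; the comment should say that HTTPS is now a requirement rather than just "request session cookies to be marked as secure". While marking cookies secure, `CSRF_COOKIE_SECURE = True` belongs beside it, otherwise the CSRF cookie still travels over cleartext and the fix is only half done.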
......@@ -225,6 +225,17 @@ We suggest using Apache and mod_wsgi. Below is an example configuration::
</Location>
</VirtualHost>
Alternatively, it is possible to use Apache with mod_proxy_http to pass the requests to uwsgi. In that case, the ````WSGIScriptAlias```` directive would be replaced with the following:
ProxyRequests off
ProxyPreserveHost on
ProxyPass / http://localhost:3031/
ProxyPassReverse / http://localhost:3031/
# tell DjNRO we have forwarded over SSL
RequestHeader set X-Forwarded-Protocol https
*Info*: It is strongly recommended to allow access to `/(admin|overview|alt-login)` *ONLY* from trusted subnets.
Once you are done, restart apache.
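Review bot: `RequestHeader set X-Forwarded-Protocol https` must only appear in the SSL `<VirtualHost>`; if the same ProxyPass block is reused in a plain-HTTP vhost, every cleartext request is reported to Django as secure and the cookie fix is undone. The text should say this explicitly, and should note that `RequestHeader set` replaces any client-supplied value of that header (rather than appending to it), which is exactly what makes the header trustworthy on the SSL vhost. Two documentation nits: ````WSGIScriptAlias```` uses four backticks where reStructuredText inline literals use two, and the sentence ending in "the following:" should end with `::` so the Apache directives render as a literal block like the example above. Finally, mod_proxy_http speaks HTTP, so uwsgi has to be started with an HTTP listener on port 3031 (its `--http` option) rather than a uwsgi-protocol socket; one sentence saying so, or pointing at mod_proxy_uwsgi instead, would save readers a confusing 502.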