-
-
Notifications
You must be signed in to change notification settings - Fork 2.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Docs: Adds details to on how to set up a secure development environment #3111
Open
Afrowave
wants to merge
6
commits into
cookiecutter:master
Choose a base branch
from
Afrowave:local-https-docs
base: master
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
Show all changes
6 commits
Select commit
Hold shift + click to select a range
ceb7cb5
Add option to serve media files locally using nginx
arrys e9d181a
Fix nginx media location and storage issue
arrys e6d26b1
Add trailing slash in nginx configuration to avoid path traversal exp…
arrys f9c7d5e
Remove autoindexing from nginx configuration so nginx uses its defaul…
arrys b730782
FEATURE: Add Ngnix as a Media Storage for Production
Afrowave e5919f7
DOCS: Clarified and tested out the `HTTPS for local dev` section.
Afrowave File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -31,6 +31,7 @@ | |
"cloud_provider": [ | ||
"AWS", | ||
"GCP", | ||
"nginx", | ||
"None" | ||
], | ||
"mail_service": [ | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -97,8 +97,8 @@ The most important thing for us here now is ``env_file`` section enlisting ``./. | |
|
||
.envs | ||
├── .local | ||
│ ├── .django | ||
│ └── .postgres | ||
├── .django | ||
└── .postgres | ||
└── .production | ||
├── .django | ||
└── .postgres | ||
|
@@ -200,12 +200,14 @@ By default, it's enabled both in local and production environments (``local.yml` | |
|
||
.. _`Flower`: https://github.com/mher/flower | ||
|
||
Developing locally with HTTPS | ||
----------------------------- | ||
**Developing locally with HTTPS** | ||
--------------------------------- | ||
|
||
Increasingly it is becoming necessary to develop software in a secure environment in order that there are very few changes when deploying to production. Recently Facebook changed their policies for apps/sites that use Facebook login which requires the use of an HTTPS URL for the OAuth redirect URL. So if you want to use the ``users`` application with a OAuth provider such as Facebook, securing your communication to the local development environment will be necessary. | ||
It is becoming increasingly necessary to develop software in a secure environment so that there are very few changes when deploying to production. Many social media sites changed their policies for apps/sites that use their OAuth login features. They are now required the use of an HTTPS URL for the redirect URL even for ``localhost`` devloping and testing purposes. | ||
|
||
On order to create a secure environment, we need to have a trusted SSL certficate installed in our Docker application. | ||
So if you want to use the ``users`` application with a OAuth provider such as Facebook, securing your communication to the local development environment will be necessary. | ||
|
||
On order to create a secure environment, we need to have a trusted SSL certficate installed in our development environment. | ||
|
||
#. **Let's Encrypt** | ||
|
||
|
@@ -219,20 +221,61 @@ On order to create a secure environment, we need to have a trusted SSL certficat | |
|
||
#. **mkcert: Valid Https Certificates For Localhost** | ||
|
||
`mkcert`_ is a simple by design tool that hides all the arcane knowledge required to generate valid TLS certificates. It works for any hostname or IP, including localhost. It supports macOS, Linux, and Windows, and Firefox, Chrome and Java. It even works on mobile devices with a couple manual steps. | ||
`mkcert`_ is a simple by design tool that hides all the arcane knowledge required to generate valid TLS certificates. It works for any hostname or IP, including ``localhost``. It supports macOS, Linux, and Windows, and Firefox, Chrome and Java. It even works on mobile devices with a couple manual steps. | ||
|
||
See https://blog.filippo.io/mkcert-valid-https-certificates-for-localhost/ | ||
|
||
.. _`mkcert`: https://github.com/FiloSottile/mkcert/blob/master/README.md#supported-root-stores | ||
|
||
After installing a trusted TLS certificate, configure your docker installation. We are going to configure an ``nginx`` reverse-proxy server. This makes sure that it does not interfere with our ``traefik`` configuration that is reserved for production environements. | ||
|
||
These are the places that you should configure to secure your local environment. | ||
|
||
certs | ||
~~~~~ | ||
|
||
Take the certificates that you generated and place them in a folder called ``certs`` on the projects root folder. Assuming that you registered your local hostname as ``my-dev-env.local``, the certificates you will put in the folder should have the names ``my-dev-env.local.crt`` and ``my-dev-env.local.key``. | ||
#. Generate TLS certificates with ``mkcert`` and place the certificates them in a folder in the django project root. We will call our folder ``certs``. | ||
|
||
Assuming that you registered your local hostname as ``my-dev-env``, the certificates you will put in the folder should have the names ``my-dev-env.pem`` and ``my-dev-env-key.pem`` for the certificate and key respectively. | ||
|
||
2. **NOTE:** Modify your ``/etc/hosts`` file to have ``my-dev-env`` as the domain you are serving traffic over HTTPS for. The entry should look something like this: :: | ||
|
||
... | ||
# Local HTTPS domain testing | ||
127.0.0.1 my-dev-env | ||
... | ||
|
||
HTTPS on the local Python install | ||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
||
**Django SSL Server** | ||
|
||
`django-sslserver`_ is a small library which adds the ability to run a secure debug server with the certificates we just created with ``mkcert``. | ||
|
||
``pip install django-sslserver`` | ||
|
||
Update your ``config/settings/local.py``. :: | ||
|
||
INSTALLED_APPS = ( | ||
... | ||
'sslserver', | ||
... | ||
) | ||
... | ||
ALLOWED_HOSTS = ["localhost", "0.0.0.0", "127.0.0.1", "my-dev-env"] | ||
|
||
For a particular port choice (ours is ``:8800``), in your terminal, run:: | ||
|
||
python manage.py runsslserver 0.0.0.0:8800 --certificate certs/my-dev-env.pem --key certs/my-dev-env-key.pem | ||
|
||
You should see the secure connection *padlock* on the url ``https://my-dev-env:8800``. | ||
|
||
For more information on this, visit `https://github.com/teddziuba/django-sslserver <https://github.com/teddziuba/django-sslserver>`_. | ||
|
||
.. _`django-sslserver`: https://github.com/teddziuba/django-sslserver | ||
|
||
HTTPS on the local Docker installation | ||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
||
Start by placing the ``certs`` folder in the project root. We will then configure an ``nginx`` container so as not to interfere with our ``traefik`` configuration that is reserved for the production environment. The plan is to copy the certificates into the ``nginx`` container that will then be the *reverse-proxy* to our django application. | ||
|
||
These are the places that you should configure to secure your local environment. | ||
|
||
local.yml | ||
~~~~~~~~~ | ||
|
@@ -255,32 +298,39 @@ local.yml | |
- django | ||
|
||
... | ||
#. On the django service, confirm that you are connected to the ``envs`` files and remove/comment out the ``ports``. :: | ||
|
||
... | ||
env_file: | ||
- ./.envs/.local/.django | ||
... | ||
# ports: | ||
# - 8000:8000 | ||
... | ||
|
||
#. Link the ``nginx-proxy`` to ``django`` through environmental variables. | ||
|
||
``django`` already has an ``.env`` file connected to it. Add the following variables. You should do this especially if you are working with a team and you want to keep your local environment details to yourself. | ||
|
||
:: | ||
``django`` already has an ``.envs/.local`` file connected to it. Add the following variables. You should do this especially if you are working with a team and you want to keep your local environment details to yourself. :: | ||
|
||
# HTTPS | ||
# ------------------------------------------------------------------------------ | ||
VIRTUAL_HOST=my-dev-env.local | ||
# ---------------------- | ||
VIRTUAL_HOST=my-dev-env | ||
VIRTUAL_PORT=8000 | ||
|
||
The services run behind the reverse proxy. | ||
The django application and other services will now run behind the reverse proxy. | ||
|
||
config/settings/local.py | ||
~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
||
You should allow the new hostname. :: | ||
You should *allow* the new hostname . :: | ||
|
||
ALLOWED_HOSTS = ["localhost", "0.0.0.0", "127.0.0.1", "my-dev-env.local"] | ||
ALLOWED_HOSTS = ["localhost", "0.0.0.0", "127.0.0.1", "my-dev-env"] | ||
|
||
Rebuild your ``docker`` application. :: | ||
|
||
$ docker-compose -f local.yml up -d --build | ||
|
||
Go to your browser and type in your URL bar ``https://my-dev-env.local`` | ||
Go to your browser and type in your URL bar ``https://my-dev-env:8800``. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. How does the 8800 port apply to the Docker container approach? I think this is a typo and meant for the Django SSL Server approach. |
||
|
||
See `https with nginx`_ for more information on this configuration. | ||
|
||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
2 changes: 2 additions & 0 deletions
2
{{cookiecutter.project_slug}}/compose/production/nginx/Dockerfile
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
FROM nginx:1.17.8-alpine | ||
COPY ./compose/production/nginx/default.conf /etc/nginx/conf.d/default.conf |
7 changes: 7 additions & 0 deletions
7
{{cookiecutter.project_slug}}/compose/production/nginx/default.conf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
server { | ||
listen 80; | ||
server_name localhost; | ||
location /media/ { | ||
alias /usr/share/nginx/media/; | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
2 changes: 1 addition & 1 deletion
2
{{cookiecutter.project_slug}}/{{cookiecutter.project_slug}}/contrib/__init__.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,5 +1,5 @@ | ||
""" | ||
To understand why this file is here, please read: | ||
|
||
http://cookiecutter-django.readthedocs.io/en/latest/faq.html#why-is-there-a-django-contrib-sites-directory-in-cookiecutter-django | ||
https://cookiecutter-django.readthedocs.io/en/latest/faq.html#why-is-there-a-django-contrib-sites-directory-in-cookiecutter-django | ||
""" |
2 changes: 1 addition & 1 deletion
2
{{cookiecutter.project_slug}}/{{cookiecutter.project_slug}}/contrib/sites/__init__.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,5 +1,5 @@ | ||
""" | ||
To understand why this file is here, please read: | ||
|
||
http://cookiecutter-django.readthedocs.io/en/latest/faq.html#why-is-there-a-django-contrib-sites-directory-in-cookiecutter-django | ||
https://cookiecutter-django.readthedocs.io/en/latest/faq.html#why-is-there-a-django-contrib-sites-directory-in-cookiecutter-django | ||
""" |
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I followed these instructions and needed to keep this configuration in order to get local SSL to work.