CSL-109: revert HTTPS-only settings for now.

At the moment we have no easy way to redirect http to https on the live site. See kubernetes/ingress-gce#1075 Until this is fixed, moved HTTPS-only settings to separate settings_https file.
cast-org · May 20, 2020 · a29f49b · a29f49b
1 parent 97de74d
commit a29f49b
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 7 deletions.
diff --git a/src/clusive_project/settings_https.py b/src/clusive_project/settings_https.py
@@ -0,0 +1,48 @@
+"""
+Django settings that require HTTPS only.
+"""
+import os
+
+# SECURITY WARNING: keep the secret key used in production secret!
+# Key not set here; must be set from environment variable.
+SECRET_KEY = os.environ.get('DJANGO_SECRET_KEY')
+
+# SECURITY WARNING: don't run with debug turned on in production!
+DEBUG = False
+
+# Require HTTPS and secure cookies
+SECURE_SSL_REDIRECT = True
+CSRF_COOKIE_SECURE = True
+SESSION_COOKIE_SECURE = True
+
+#######################
+# SECURITY MIDDLEWARE #
+#######################
+SECURE_BROWSER_XSS_FILTER = True
+SECURE_CONTENT_TYPE_NOSNIFF = True
+
+
+
+ALLOWED_HOSTS = ['clusive.cast.org',
+                 'clusive.qa.cast.org',
+                 'cisl-demo.qa.cast.org',
+                 'localhost',
+                 '127.0.0.1',
+                 '10.*',
+                 '[::1]']
+
+
+# Database
+# https://docs.djangoproject.com/en/2.2/ref/settings/#databases
+
+DATABASES = {
+    'default': {
+        'ENGINE': 'django.db.backends.postgresql',
+        'NAME': os.environ.get('DJANGO_DB_NAME', 'clusive'),
+        'USER': os.environ.get('DJANGO_DB_USER', 'user'),
+        'PASSWORD': os.environ.get('DJANGO_DB_PASSWORD', 'password'),
+        'HOST': os.environ.get('DJANGO_DB_HOST', '127.0.0.1'),
+        'PORT': os.environ.get('DJANGO_DB_PORT', '5432'),
+        'CONN_MAX_AGE': 60,
+    }
+}
diff --git a/src/clusive_project/settings_prod.py b/src/clusive_project/settings_prod.py
@@ -1,7 +1,6 @@
 """
 Django settings for Clusive PRODUCTION and QA servers.
 This file is read when the DJANGO_CONFIG environment variable is set to "prod".
-HTTPS is REQUIRED with these settings.
 """
 import os
 
@@ -12,19 +11,13 @@
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = False
 
-# Secure cookies mean that HTTPS is REQUIRED for this profile.
-# This avoids the possibility of a session getting hijacked by someone seeing the cookies.
-CSRF_COOKIE_SECURE = True
-SESSION_COOKIE_SECURE = True
-
 #######################
 # SECURITY MIDDLEWARE #
 #######################
 SECURE_BROWSER_XSS_FILTER = True
 SECURE_CONTENT_TYPE_NOSNIFF = True
 
 
-
 ALLOWED_HOSTS = ['clusive.cast.org',
                  'clusive.qa.cast.org',
                  'cisl-demo.qa.cast.org',