diff --git a/data/etc/apache2/sites-available/plinth-ssl.conf b/data/etc/apache2/sites-available/plinth-ssl.conf index 3638d7c5c..4b6f23ed1 100644 --- a/data/etc/apache2/sites-available/plinth-ssl.conf +++ b/data/etc/apache2/sites-available/plinth-ssl.conf @@ -5,7 +5,8 @@ SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key - ## Use HTTP Strict Transport Security to force client to use secure connections only + ## Use HTTP Strict Transport Security to force client to use secure + ## connections only Header always set Strict-Transport-Security "max-age=31536000" ## Shared options. @@ -28,7 +29,7 @@ ## Make sure to provide plinth with a default directory: /plinth ProxyPass http://localhost:8000/plinth - ProxyPassReverse http://localhost:8000/plinth + RequestHeader set X-Forwarded-Proto 'https' env=HTTPS Order Deny,Allow Deny from All diff --git a/data/etc/plinth/plinth.config b/data/etc/plinth/plinth.config index 4b7c88616..1ec6846a3 100644 --- a/data/etc/plinth/plinth.config +++ b/data/etc/plinth/plinth.config @@ -22,3 +22,18 @@ pidfile = %(pid_dir)s/plinth.pid [Network] host = 127.0.0.1 port = 8000 + +# Enable the following only if Plinth is behind a proxy server. The +# proxy server should properly clean and the following HTTP headers: +# X-Forwarded-Host +# X-Forwarded-Proto +# If you enable these unnecessarily, this will lead to serious security +# problems. For more information, see +# https://docs.djangoproject.com/en/1.7/ref/settings/ +# +# These are enabled by default in Plinth because the default +# configuration allows only connections from localhost +# +# Leave the values blank to disable +use_x_forwarded_host = True +secure_proxy_ssl_header = HTTP_X_FORWARDED_PROTO diff --git a/plinth.config b/plinth.config index 718dd9411..1e001a7c3 100644 --- a/plinth.config +++ b/plinth.config @@ -22,3 +22,18 @@ pidfile = %(pid_dir)s/plinth.pid [Network] host = 127.0.0.1 port = 8000 + +# Enable the following only if Plinth is behind a proxy server. The +# proxy server should properly clean and the following HTTP headers: +# X-Forwarded-Host +# X-Forwarded-Proto +# If you enable these unnecessarily, this will lead to serious security +# problems. For more information, see +# https://docs.djangoproject.com/en/1.7/ref/settings/ +# +# These are enabled by default in Plinth because the default +# configuration allows only connections from localhost +# +# Leave the values blank to disable +use_x_forwarded_host = True +secure_proxy_ssl_header = HTTP_X_FORWARDED_PROTO diff --git a/plinth/__main__.py b/plinth/__main__.py index f9854ce36..58b6a0fae 100644 --- a/plinth/__main__.py +++ b/plinth/__main__.py @@ -182,8 +182,13 @@ def configure_django(): 'plinth'] applications += module_loader.get_modules_to_load() sessions_directory = os.path.join(cfg.data_dir, 'sessions') + + secure_proxy_ssl_header = None + if cfg.secure_proxy_ssl_header: + secure_proxy_ssl_header = (cfg.secure_proxy_ssl_header, 'https') + django.conf.settings.configure( - ALLOWED_HOSTS=['127.0.0.1', 'localhost'], + ALLOWED_HOSTS=['*'], CACHES={'default': {'BACKEND': 'django.core.cache.backends.dummy.DummyCache'}}, DATABASES={'default': @@ -205,10 +210,12 @@ def configure_django(): 'plinth.modules.first_boot.middleware.FirstBootMiddleware', ), ROOT_URLCONF='plinth.urls', + SECURE_PROXY_SSL_HEADER=secure_proxy_ssl_header, SESSION_ENGINE='django.contrib.sessions.backends.file', SESSION_FILE_PATH=sessions_directory, STATIC_URL='/'.join([cfg.server_dir, 'static/']).replace('//', '/'), - TEMPLATE_CONTEXT_PROCESSORS=context_processors) + TEMPLATE_CONTEXT_PROCESSORS=context_processors, + USE_X_FORWARDED_HOST=bool(cfg.use_x_forwarded_host)) django.setup() LOGGER.info('Configured Django with applications - %s', applications) diff --git a/plinth/cfg.py b/plinth/cfg.py index 21476d68f..e951b942e 100644 --- a/plinth/cfg.py +++ b/plinth/cfg.py @@ -34,6 +34,8 @@ access_log_file = None pidfile = None host = None port = None +use_x_forwarded_host = False +secure_proxy_ssl_header = None debug = False no_daemon = False server_dir = '/' @@ -75,7 +77,9 @@ def read(): ('Path', 'access_log_file'), ('Path', 'pidfile'), ('Network', 'host'), - ('Network', 'port')} + ('Network', 'port'), + ('Network', 'secure_proxy_ssl_header'), + ('Network', 'use_x_forwarded_host')} for section, name in config_items: try: