diff --git a/opentech/settings/base.py b/opentech/settings/base.py
index a4263ea3152afeef632d93dc7fd199545c0adc7f..fe9ac09d111841c91408a2e6d9314b0a31286658 100644
--- a/opentech/settings/base.py
+++ b/opentech/settings/base.py
@@ -18,6 +18,45 @@ BASE_DIR = os.path.dirname(PROJECT_DIR)
 
 APP_NAME = env.get('APP_NAME', 'opentech')
 
+DEBUG = False
+
+
+if 'SECRET_KEY' in env:
+    SECRET_KEY = env['SECRET_KEY']
+
+if 'ALLOWED_HOSTS' in env:
+    ALLOWED_HOSTS = env['ALLOWED_HOSTS'].split(',')
+
+
+# Email settings
+if 'EMAIL_HOST' in env:
+    EMAIL_HOST = env['EMAIL_HOST']
+
+if 'EMAIL_PORT' in env:
+    try:
+        EMAIL_PORT = int(env['EMAIL_PORT'])
+    except ValueError:
+        pass
+
+if 'EMAIL_HOST_USER' in env:
+    EMAIL_HOST_USER = env['EMAIL_HOST_USER']
+
+if 'EMAIL_HOST_PASSWORD' in env:
+    EMAIL_HOST_PASSWORD = env['EMAIL_HOST_PASSWORD']
+
+if env.get('EMAIL_USE_TLS', 'false').lower().strip() == 'true':
+    EMAIL_USE_TLS = True
+
+if env.get('EMAIL_USE_SSL', 'false').lower().strip() == 'true':
+    EMAIL_USE_SSL = True
+
+if 'EMAIL_SUBJECT_PREFIX' in env:
+    EMAIL_SUBJECT_PREFIX = env['EMAIL_SUBJECT_PREFIX']
+
+if 'SERVER_EMAIL' in env:
+    SERVER_EMAIL = DEFAULT_FROM_EMAIL = env['SERVER_EMAIL']
+
+
 # Application definition
 
 INSTALLED_APPS = [
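Review bot: A malformed `EMAIL_PORT` is silently discarded by the `except ValueError: pass` at the top of the email block, so the process starts with Django's default port and mail failures surface only later; for deployment config it is better to fail at import, `EMAIL_PORT = int(env['EMAIL_PORT'])` with no try/except, or at least log the rejected value. `ALLOWED_HOSTS` is split on `,` without stripping, so a value like `a.example, b.example` yields `' b.example'`, which never matches a Host header; `ALLOWED_HOSTS = [h.strip() for h in env['ALLOWED_HOSTS'].split(',')]` avoids that. `DEBUG = False` is also set here while production.py still sets it again, which is harmless but redundant.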
@@ -148,14 +187,28 @@ DATABASES = {
 
 
 # Cache
-# Use database cache as the cache backend
-
-CACHES = {
-    'default': {
-        'BACKEND': 'django.core.cache.backends.db.DatabaseCache',
-        'LOCATION': 'database_cache',
+if 'REDIS_URL' in env:
+    CACHES = {
+        "default": {
+            "BACKEND": "django_redis.cache.RedisCache",
+            "LOCATION": env['REDIS_URL'],
+        }
     }
-}
+else:
+    CACHES = {
+        'default': {
+            'BACKEND': 'django.core.cache.backends.db.DatabaseCache',
+            'LOCATION': 'database_cache',
+        }
+    }
+
+
+# Set s-max-age header that is used by reverse proxy/front end cache. See
+# urls.py
+try:
+    CACHE_CONTROL_S_MAXAGE = int(env.get('CACHE_CONTROL_S_MAXAGE', 600))
+except ValueError:
+    pass
 
 
 # Search
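Review bot: The new setting is named `CACHE_CONTROL_S_MAXAGE` while the value removed from production.py in this commit was `CACHE_CONTROL_MAX_AGE`; the comment says urls.py reads it, so if urls.py still references the old name it will now raise AttributeError at request time — worth confirming the rename was applied there too. The `except ValueError: pass` around it means a typo in the env var leaves the name entirely undefined rather than falling back to 600; either let the ValueError propagate or write `CACHE_CONTROL_S_MAXAGE = 600` in the except branch so the setting always exists. The cache block itself also mixes `"..."` and `'...'` quoting between the two branches; pick one.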
@@ -326,8 +379,8 @@ SOCIAL_AUTH_URL_NAMESPACE = 'social'
 # Make sure the Google+ API is enabled for your API project
 STAFF_EMAIL_DOMAINS = ['opentech.fund']
 SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_DOMAINS = STAFF_EMAIL_DOMAINS
-SOCIAL_AUTH_GOOGLE_OAUTH2_KEY = ''
-SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET = ''
+SOCIAL_AUTH_GOOGLE_OAUTH2_KEY = env.get('SOCIAL_AUTH_GOOGLE_OAUTH2_KEY', '')
+SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET = env.get('SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET', '')
 
 SOCIAL_AUTH_LOGIN_ERROR_URL = 'users_public:login'
 SOCIAL_AUTH_NEW_ASSOCIATION_REDIRECT_URL = 'users:account'
@@ -450,3 +503,60 @@ if 'SENTRY_DSN' in env:
             RAVEN_CONFIG['release'] = env['GIT_REV']
         except KeyError:
             pass
+
+
+# Basic auth settings
+if env.get('BASIC_AUTH_ENABLED', 'false').lower().strip() == 'true':
+    MIDDLEWARE.insert(0, 'baipw.middleware.BasicAuthIPWhitelistMiddleware')
+    BASIC_AUTH_LOGIN = env['BASIC_AUTH_LOGIN']
+    BASIC_AUTH_PASSWORD = env['BASIC_AUTH_PASSWORD']
+    if 'BASIC_AUTH_WHITELISTED_HTTP_HOSTS' in env:
+        BASIC_AUTH_WHITELISTED_HTTP_HOSTS = (
+            env['BASIC_AUTH_WHITELISTED_HTTP_HOSTS'].split(',')
+        )
+
+
+# Cloudflare cache
+if 'CLOUDFLARE_API_TOKEN' in env:
+    INSTALLED_APPS += ('wagtail.contrib.frontend_cache', )  # noqa
+    WAGTAILFRONTENDCACHE = {
+        'cloudflare': {
+            'BACKEND': 'wagtail.contrib.frontend_cache.backends.CloudflareBackend',
+            'EMAIL': env['CLOUDFLARE_API_EMAIL'],
+            'TOKEN': env['CLOUDFLARE_API_TOKEN'],
+            'ZONEID': env['CLOUDFLARE_API_ZONEID'],
+        },
+    }
+
+
+if 'PRIMARY_HOST' in env:
+    # This is used by Wagtail's email notifications for constructing absolute
+    # URLs.
+    BASE_URL = 'https://{}'.format(env['PRIMARY_HOST'])
+
+
+# Security configuration
+# https://docs.djangoproject.com/en/stable/ref/middleware/#module-django.middleware.security
+
+if env.get('SECURE_SSL_REDIRECT', 'true').strip().lower() == 'true':
+    SECURE_SSL_REDIRECT = True
+
+SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+
+if 'SECURE_HSTS_SECONDS' in env:
+    try:
+        SECURE_HSTS_SECONDS = int(env['SECURE_HSTS_SECONDS'])
+        pass
+
+if env.get('SECURE_BROWSER_XSS_FILTER', 'true').lower().strip() == 'true':
+    SECURE_BROWSER_XSS_FILTER = True
+
+if env.get('SECURE_CONTENT_TYPE_NOSNIFF', 'true').lower().strip() == 'true':
+    SECURE_CONTENT_TYPE_NOSNIFF = True
+
+
+# Referrer-policy header settings
+# https://django-referrer-policy.readthedocs.io/en/1.0/
+
+REFERRER_POLICY = env.get('SECURE_REFERRER_POLICY',
+                          'no-referrer-when-downgrade').strip()
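Review bot: The `try:` under `if 'SECURE_HSTS_SECONDS' in env:` has no `except` or `finally` clause — the `pass` on the next line is inside the try body — so base.py fails to import with a SyntaxError; replace that stray `pass` with `except ValueError:` followed by `pass` (or drop the try entirely so a bad HSTS value fails loudly). `SECURE_PROXY_SSL_HEADER` is now set unconditionally in base.py, so every settings variant including dev trusts `X-Forwarded-Proto`; Django documents this as safe only behind a proxy that overwrites the header on every request, so gating it on an env flag like the surrounding settings would be safer. The basic-auth middleware is now installed only when `BASIC_AUTH_ENABLED=true`, whereas production.py previously added it unconditionally, so existing deployments need that variable set or the protection disappears silently — a comment stating this would help. `BASIC_AUTH_WHITELISTED_HTTP_HOSTS` is split on `,` without `strip()`, the same issue as `ALLOWED_HOSTS` earlier in the file.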
diff --git a/opentech/settings/dev.py b/opentech/settings/dev.py
index 200b3d77d3e34e27ebd475e9052c256b490be5b0..b6277f0661144779c4d316f69c257a2e8844d341 100644
--- a/opentech/settings/dev.py
+++ b/opentech/settings/dev.py
@@ -20,6 +20,8 @@ INSTALLED_APPS = INSTALLED_APPS + [
     'wagtail.contrib.styleguide',
 ]
 
+SECURE_SSL_REDIRECT = False
+
 try:
     from .local import *  # noqa
 except ImportError:
diff --git a/opentech/settings/production.py b/opentech/settings/production.py
index 837650ecb04bd5f13f2c377bd122c5ec52255059..0ecfc47c70ee824a187c76a54da64c150750719a 100644
--- a/opentech/settings/production.py
+++ b/opentech/settings/production.py
@@ -1,54 +1,19 @@
 import os
 
-import dj_database_url
 # import raven
 import django_heroku
 
 from .base import *  # noqa
 
-# Do not set SECRET_KEY, Postgres or LDAP password or any other sensitive data here.
-# Instead, use environment variables or create a local.py file on the server.
-
 # Disable debug mode
 DEBUG = False
 
-# Cache everything for 10 minutes
-# This only applies to pages that do not have a more specific cache-control
-# setting. See urls.py
-CACHE_CONTROL_MAX_AGE = 600
-
-
 # Configuration from environment variables
 # Alternatively, you can set these in a local.py file on the server
 
 env = os.environ.copy()
 # Basic configuration
 
-if env.get('SECURE_SSL_REDIRECT', 'true') == 'true':
-    SECURE_SSL_REDIRECT = True
-SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
-# enable HSTS only once the site is working properly on https with the actual live domain name
-# SECURE_HSTS_SECONDS = 31536000  # 1 year
-
-if 'SECRET_KEY' in env:
-    SECRET_KEY = env['SECRET_KEY']
-
-if 'ALLOWED_HOSTS' in env:
-    ALLOWED_HOSTS = env['ALLOWED_HOSTS'].split(',')
-
-if 'PRIMARY_HOST' in env:
-    BASE_URL = 'https://%s/' % env['PRIMARY_HOST']
-
-
-# Email config
-
-if 'SERVER_EMAIL' in env:
-    SERVER_EMAIL = env['SERVER_EMAIL']
-    DEFAULT_FROM_EMAIL = env['SERVER_EMAIL']
-
-if 'EMAIL_HOST' in env:
-    EMAIL_HOST = env['EMAIL_HOST']
-
 if 'MAILGUN_API_KEY' in env:
     EMAIL_BACKEND = 'anymail.backends.mailgun.EmailBackend'
     ANYMAIL = {
@@ -57,41 +22,6 @@ if 'MAILGUN_API_KEY' in env:
         "WEBHOOK_SECRET": env.get('ANYMAIL_WEBHOOK_SECRET', None)
     }
 
-# Social Auth
-
-if 'SOCIAL_AUTH_GOOGLE_OAUTH2_KEY' in env:
-    SOCIAL_AUTH_GOOGLE_OAUTH2_KEY = env['SOCIAL_AUTH_GOOGLE_OAUTH2_KEY']
-
-if 'SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET' in env:
-    SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET = env['SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET']
-
-# Basic auth to stop access to other than primary hosts.
-
-MIDDLEWARE += [
-    'baipw.middleware.BasicAuthIPWhitelistMiddleware'
-]
-
-if 'BASIC_AUTH_LOGIN' in env:
-    BASIC_AUTH_LOGIN = env['BASIC_AUTH_LOGIN']
-
-if 'BASIC_AUTH_PASSWORD' in env:
-    BASIC_AUTH_PASSWORD = env['BASIC_AUTH_PASSWORD']
-
-if 'BASIC_AUTH_WHITELISTED_HTTP_HOSTS' in env:
-    BASIC_AUTH_WHITELISTED_HTTP_HOSTS = env['BASIC_AUTH_WHITELISTED_HTTP_HOSTS'].split(',')
-
-# Cloudflare cache
-
-if 'CLOUDFLARE_API_TOKEN' in env:
-    INSTALLED_APPS += ('wagtail.contrib.frontend_cache', )  # noqa
-    WAGTAILFRONTENDCACHE = {
-        'cloudflare': {
-            'BACKEND': 'wagtail.contrib.frontend_cache.backends.CloudflareBackend',
-            'EMAIL': env['CLOUDFLARE_API_EMAIL'],
-            'TOKEN': env['CLOUDFLARE_API_TOKEN'],
-            'ZONEID': env['CLOUDFLARE_API_ZONEID'],
-        },
-    }
 
 django_heroku.settings(locals())