Changed app for proxy and https++
@@ -15,9 +15,8 @@ COPY reset_password.py .
|
|||||||
COPY templates/ templates/
|
COPY templates/ templates/
|
||||||
COPY static/ static/
|
COPY static/ static/
|
||||||
|
|
||||||
# Create data and session directories
|
# Create data directory
|
||||||
RUN mkdir -p /app/data /app/data/flask_sessions && \
|
RUN mkdir -p /app/data
|
||||||
chmod 777 /app/data/flask_sessions
|
|
||||||
|
|
||||||
# Copy entrypoint script and make scripts executable
|
# Copy entrypoint script and make scripts executable
|
||||||
COPY docker-entrypoint.sh .
|
COPY docker-entrypoint.sh .
|
||||||
|
|||||||
45
app.py
45
app.py
@@ -1,5 +1,4 @@
|
|||||||
from flask import Flask, render_template, request, jsonify, redirect, url_for, session
|
from flask import Flask, render_template, request, jsonify, redirect, url_for, session, make_response
|
||||||
from flask_session import Session
|
|
||||||
from functools import wraps
|
from functools import wraps
|
||||||
from werkzeug.middleware.proxy_fix import ProxyFix
|
from werkzeug.middleware.proxy_fix import ProxyFix
|
||||||
from datetime import timedelta
|
from datetime import timedelta
|
||||||
@@ -7,9 +6,10 @@ import malias_wrapper as malias_w
|
|||||||
import os
|
import os
|
||||||
import argparse
|
import argparse
|
||||||
import sys
|
import sys
|
||||||
|
import secrets
|
||||||
|
|
||||||
app = Flask(__name__)
|
app = Flask(__name__)
|
||||||
app.secret_key = os.getenv('SECRET_KEY', os.urandom(24).hex()) # Secret key for session management
|
app.secret_key = os.getenv('SECRET_KEY', 'malias-default-secret-key-please-change') # Consistent secret key
|
||||||
|
|
||||||
# Configure for reverse proxy (Authelia, Zoraxy, Nginx, etc.)
|
# Configure for reverse proxy (Authelia, Zoraxy, Nginx, etc.)
|
||||||
# This fixes HTTPS detection and redirects when behind a proxy
|
# This fixes HTTPS detection and redirects when behind a proxy
|
||||||
@@ -24,31 +24,20 @@ app.wsgi_app = ProxyFix(
|
|||||||
# Initialize database on startup
|
# Initialize database on startup
|
||||||
malias_w.init_database()
|
malias_w.init_database()
|
||||||
|
|
||||||
# Session configuration for reverse proxy
|
# Session configuration optimized for reverse proxy with Gunicorn
|
||||||
# Use server-side sessions stored in filesystem (works with multiple Gunicorn workers)
|
|
||||||
app.config.update(
|
app.config.update(
|
||||||
# Server-side session storage
|
PERMANENT_SESSION_LIFETIME=timedelta(hours=24),
|
||||||
SESSION_TYPE='filesystem', # Store sessions on disk (shared across workers)
|
SESSION_COOKIE_NAME='session', # Use standard name
|
||||||
SESSION_FILE_DIR='/app/data/flask_sessions', # Session storage directory
|
SESSION_COOKIE_SECURE=False, # Backend is HTTP
|
||||||
SESSION_PERMANENT=True, # Sessions persist
|
SESSION_COOKIE_HTTPONLY=True,
|
||||||
PERMANENT_SESSION_LIFETIME=timedelta(hours=24), # 24 hour sessions
|
SESSION_COOKIE_SAMESITE='Lax', # Lax works better than None for HTTP backend
|
||||||
|
SESSION_COOKIE_PATH='/',
|
||||||
# Session cookie settings
|
SESSION_COOKIE_DOMAIN=None, # Let browser auto-set domain
|
||||||
SESSION_COOKIE_NAME='malias_session', # Custom name to avoid conflicts
|
SESSION_REFRESH_EACH_REQUEST=False, # Don't modify session unnecessarily
|
||||||
SESSION_COOKIE_SECURE=False, # Must be False - backend connection is HTTP
|
PREFERRED_URL_SCHEME='https',
|
||||||
SESSION_COOKIE_HTTPONLY=True, # Security: prevent JavaScript access
|
APPLICATION_ROOT='/',
|
||||||
SESSION_COOKIE_SAMESITE='Lax', # Allow same-site requests (needed for redirects)
|
|
||||||
SESSION_COOKIE_PATH='/', # Available for entire application
|
|
||||||
SESSION_COOKIE_DOMAIN=None, # Let browser decide
|
|
||||||
|
|
||||||
# URL generation
|
|
||||||
PREFERRED_URL_SCHEME='https', # Generate HTTPS URLs when behind proxy
|
|
||||||
APPLICATION_ROOT='/', # Application root path
|
|
||||||
)
|
)
|
||||||
|
|
||||||
# Initialize Flask-Session
|
|
||||||
Session(app)
|
|
||||||
|
|
||||||
def login_required(f):
|
def login_required(f):
|
||||||
"""Decorator to require login for routes"""
|
"""Decorator to require login for routes"""
|
||||||
@wraps(f)
|
@wraps(f)
|
||||||
@@ -64,13 +53,15 @@ def login():
|
|||||||
if request.method == 'POST':
|
if request.method == 'POST':
|
||||||
password = request.json.get('password', '')
|
password = request.json.get('password', '')
|
||||||
if malias_w.verify_password(password):
|
if malias_w.verify_password(password):
|
||||||
session.permanent = True # Make session persistent
|
session.clear()
|
||||||
|
session.permanent = True
|
||||||
session['logged_in'] = True
|
session['logged_in'] = True
|
||||||
|
session['user_token'] = secrets.token_urlsafe(32)
|
||||||
|
session.modified = True
|
||||||
return jsonify({'status': 'success', 'message': 'Login successful'})
|
return jsonify({'status': 'success', 'message': 'Login successful'})
|
||||||
else:
|
else:
|
||||||
return jsonify({'status': 'error', 'message': 'Invalid password'})
|
return jsonify({'status': 'error', 'message': 'Invalid password'})
|
||||||
|
|
||||||
# Check if already logged in
|
|
||||||
if session.get('logged_in'):
|
if session.get('logged_in'):
|
||||||
return redirect(url_for('index'))
|
return redirect(url_for('index'))
|
||||||
|
|
||||||
|
|||||||
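Review bot: The new fallback in `app.secret_key = os.getenv('SECRET_KEY', 'malias-default-secret-key-please-change')` is a constant that anyone can read from the repository. With Flask-Session removed in this same commit, the session appears to fall back to Flask's client-side signed cookie, so the integrity of `session['logged_in']` rests on that key alone. A deployment that leaves SECRET_KEY unset, or keeps the placeholder `SECRET_KEY=malias-production-secret-key-change-me` added to the compose file in this commit, would be trusting cookies signed with a publicly known value. I would fail at startup instead of falling back, with `app.secret_key = os.environ['SECRET_KEY']` here and `- SECRET_KEY=${SECRET_KEY:?SECRET_KEY must be set}` in the compose file. Separately, `SESSION_COOKIE_SECURE=False  # Backend is HTTP` looks like a misreading: the Secure attribute governs the browser-to-proxy leg, which is presumably HTTPS given `PREFERRED_URL_SCHEME='https'`, so it can likely be `True`.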
@@ -38,4 +38,8 @@ services:
|
|||||||
- FLASK_PORT=5172
|
- FLASK_PORT=5172
|
||||||
|
|
||||||
# Host binding (default: 0.0.0.0 for Docker)
|
# Host binding (default: 0.0.0.0 for Docker)
|
||||||
- FLASK_HOST=0.0.0.0
|
- FLASK_HOST=0.0.0.0
|
||||||
|
|
||||||
|
# Secret key for sessions (generate unique key for production)
|
||||||
|
# Change this to a random string for better security
|
||||||
|
- SECRET_KEY=malias-production-secret-key-change-me
|
||||||
@@ -4,5 +4,3 @@ httpx==0.27.0
|
|||||||
rich==13.7.0
|
rich==13.7.0
|
||||||
bcrypt==4.1.2
|
bcrypt==4.1.2
|
||||||
gunicorn==21.2.0
|
gunicorn==21.2.0
|
||||||
Flask-Session==0.6.0
|
|
||||||
cachelib==0.10.2
|
|
||||||
|
|||||||