Усилен security baseline и вычищены мёртвые настройки

Author: Toksi86

deploy/nginx/host/dev/dev.procollab.ru

@@ -1,6 +1,7 @@
 server {
     listen 80;
     server_name dev.procollab.ru;
+    server_tokens off;
 
     location ^~ /.well-known/acme-challenge/ {
         root /var/www/certbot;
@@ -16,6 +17,7 @@ server {
 server {
     listen 443 ssl;
     server_name dev.procollab.ru;
+    server_tokens off;
 
     ssl_certificate     /etc/letsencrypt/live/dev.procollab.ru-0001/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/dev.procollab.ru-0001/privkey.pem;

nginx/nginx.conf

@@ -4,6 +4,7 @@ server {
 
     server_name api.procollab.ru;
     client_max_body_size 100M;
+    server_tokens off;
 
     location / {
         proxy_pass http://web:8000;

poetry.lock

@@ -4,9 +4,7 @@
 from datetime import timedelta
 from pathlib import Path
 
-import sentry_sdk
 from decouple import config
-from sentry_sdk.integrations.django import DjangoIntegration
 
 mimetypes.add_type("application/javascript", ".js", True)
 mimetypes.add_type("text/css", ".css", True)
@@ -18,8 +16,6 @@
 
 DEBUG = config("DEBUG", default=False, cast=bool)
 
-SENTRY_DSN = config("SENTRY_DSN", default="", cast=str)
-
 AUTOPOSTING_ON = config("AUTOPOSTING_ON", default=False, cast=bool)
 
 TELEGRAM_BOT_TOKEN = config("TELEGRAM_BOT_TOKEN", default="", cast=str)
@@ -36,7 +32,6 @@
     "https://www.procollab.ru",
     "https://app.procollab.ru",
     "https://dev.procollab.ru",
-    "https://www.procollab.ru",
 ]
 
 ALLOWED_HOSTS = [
@@ -48,7 +43,6 @@
     "app.procollab.ru",
     "dev.procollab.ru",
     "procollab.ru",
-    "dev.procollab.ru",
     "web",  # From Docker
 ]
 
@@ -61,16 +55,6 @@
     "django.contrib.auth.hashers.ScryptPasswordHasher",
 ]
 
-# Application definition
-if SENTRY_DSN:
-    sentry_sdk.init(
-        dsn=SENTRY_DSN,
-        integrations=[DjangoIntegration()],
-        release="dev" if DEBUG else "prod",
-        traces_sample_rate=1.0,
-        send_default_pii=True,
-    )
-
 INSTALLED_APPS = [
     # daphne is required for channels, should be installed before django.contrib.static
     "daphne",
@@ -81,7 +65,6 @@
     "django.contrib.sessions",
     "django.contrib.messages",
     "django.contrib.staticfiles",
-    "debug_toolbar",
     # My apps
     "core.apps.CoreConfig",
     "industries.apps.IndustriesConfig",
@@ -125,7 +108,6 @@
     "django.contrib.auth.middleware.AuthenticationMiddleware",
     "django.contrib.messages.middleware.MessageMiddleware",
     "django.middleware.clickjacking.XFrameOptionsMiddleware",
-    "debug_toolbar.middleware.DebugToolbarMiddleware",
     "core.log.middleware.CustomLoguruMiddleware",
 ]
 
@@ -145,6 +127,9 @@
 
 ROOT_URLCONF = "procollab.urls"
 
+SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
+SECURE_SSL_REDIRECT = not DEBUG
+
 TEMPLATES = [
     {
         "BACKEND": "django.template.backends.django.DjangoTemplates",
@@ -184,24 +169,15 @@
 RUNNING_TESTS = "test" in sys.argv
 
 if DEBUG:
+    INSTALLED_APPS.append("debug_toolbar")
+    MIDDLEWARE.insert(-1, "debug_toolbar.middleware.DebugToolbarMiddleware")
     DATABASES = {
         "default": {
             "ENGINE": "django.db.backends.sqlite3",
             "NAME": "db.sqlite3",
         }
     }
 
-    # DATABASES = {
-    #     "default": {
-    #         "ENGINE": "django.db.backends.postgresql",
-    #         "NAME": config("DATABASE_NAME", default="postgres", cast=str),
-    #         "USER": config("DATABASE_USER", default="postgres", cast=str),
-    #         "PASSWORD": config("DATABASE_PASSWORD", default="postgres", cast=str),
-    #         "HOST": config("DATABASE_HOST", default="db", cast=str),
-    #         "PORT": config("DATABASE_PORT", default="5432", cast=str),
-    #     }
-    # }
-
     if RUNNING_TESTS:
         CACHES = {
             "default": {
@@ -244,8 +220,6 @@
         "rest_framework.renderers.JSONRenderer",
     ]
 
-    DB_SERVICE = config("DB_SERVICE", default="postgres", cast=str)
-
     DATABASES = {
         "default": {
             "ENGINE": "django.db.backends.postgresql",
@@ -333,7 +307,8 @@
 if DEBUG:
     SIMPLE_JWT["ACCESS_TOKEN_LIFETIME"] = timedelta(weeks=2)
 
-SESSION_COOKIE_SECURE = False
+SESSION_COOKIE_SECURE = not DEBUG
+CSRF_COOKIE_SECURE = not DEBUG
 
 EMAIL_BACKEND = "anymail.backends.unisender_go.EmailBackend"
 
@@ -348,19 +323,8 @@
     },
 }
 
-EMAIL_USE_TLS = True
-
-EMAIL_PORT = config("EMAIL_PORT", default=587, cast=int)
 EMAIL_USER = config("EMAIL_USER", cast=str, default="example@mail.ru")
 
-# EMAIL_BACKEND = "django.core.mail.backends.smtp.EmailBackend"
-# EMAIL_USE_TLS = True
-# EMAIL_HOST = config("EMAIL_HOST", default="smtp.gmail.com", cast=str)
-# EMAIL_PORT = config("EMAIL_PORT", default=587, cast=int)
-# EMAIL_HOST_USER = config("EMAIL_USER", cast=str, default="example@mail.ru")
-# EMAIL_USER = EMAIL_HOST_USER
-# EMAIL_HOST_PASSWORD = config("EMAIL_PASSWORD", cast=str, default="password")
-
 SELECTEL_ACCOUNT_ID = config("SELECTEL_ACCOUNT_ID", cast=str, default="123456")
 SELECTEL_CONTAINER_NAME = config(
     "SELECTEL_CONTAINER_NAME", cast=str, default="procollab_media"
@@ -387,26 +351,6 @@
 if DEBUG:
     SELECTEL_SWIFT_URL += "debug/"
 
-PROMETHEUS_LATENCY_BUCKETS = (
-    0.01,
-    0.025,
-    0.05,
-    0.075,
-    0.1,
-    0.25,
-    0.5,
-    0.75,
-    1.0,
-    2.5,
-    5.0,
-    7.5,
-    10.0,
-    25.0,
-    50.0,
-    75.0,
-    float("inf"),
-)
-
 DATA_UPLOAD_MAX_NUMBER_FIELDS = None  # for mailing
 
 

procollab/settings.py

@@ -4,21 +4,27 @@
 from django.urls import include, path, re_path
 from drf_yasg import openapi
 from drf_yasg.views import get_schema_view
+from rest_framework import authentication, permissions
 from rest_framework_simplejwt.views import (
     TokenObtainPairView,
     TokenRefreshView,
     TokenVerifyView,
 )
-from core.permissions import IsStaffOrReadOnly
+from users.authentication import ActivityTrackingJWTAuthentication
 
 schema_view = get_schema_view(
     openapi.Info(
         title="ProCollab API",
         default_version="v1",
         description="API for ProCollab",
     ),
-    public=True,
-    permission_classes=[IsStaffOrReadOnly],
+    public=False,
+    authentication_classes=[
+        authentication.SessionAuthentication,
+        authentication.BasicAuthentication,
+        ActivityTrackingJWTAuthentication,
+    ],
+    permission_classes=[permissions.IsAdminUser],
 )
 
 urlpatterns = [

procollab/urls.py

@@ -46,7 +46,6 @@ django-rest-passwordreset = "^1.3.0"
 django-filter = "^22.1"
 setuptools = "^65.5.0"
 drf-yasg = "^1.21.4"
-sentry-sdk = "^1.10.1"
 whitenoise = "^6.2.0"
 six = "^1.16.0"
 aiohttp = "^3.8.3"