Make Rophako support SSL

8 years ago · b58563b0d1
7 changed files with 73 additions and 8 deletions
--- a/config-sample.py
+++ b/config-sample.py
@ -22,6 +22,10 @@ SITE_ROOT = os.path.join(_basedir, "site", "www")
 # E-mail addresses for site notifications (i.e. new comments).
 NOTIFY_ADDRESS = ["root@localhost"]

+# Set this to true if you want your app to force use of SSL. This will also turn
+# on Flask's secure-only session cookies.
+FORCE_SSL = False
+
 # Secret key used for session cookie signing. Make this long and hard to guess.
 #
 # Tips for creating a strong secret key:
@ -111,4 +115,4 @@ COMMENT_TIME_FORMAT = "%A, %B %d %Y @ %I:%M %p"

 # We use Gravatar for comments if the user provides an e-mail address. Specify
 # the URL to a fallback image to use in case they don't have a gravatar.
-COMMENT_DEFAULT_AVATAR = ""
+COMMENT_DEFAULT_AVATAR = ""
--- a/requirements.txt
+++ b/requirements.txt
@ -1,4 +1,5 @@
 flask
+flask-sslify
 redis
 bcrypt
 pillow
--- a/rophako/init.py
+++ b/rophako/init.py
@ -1,6 +1,7 @@
 __version__ = '0.01'

 from flask import Flask, g, request, session, render_template, send_file, abort
+from flask_sslify import SSLify
 import jinja2
 import os.path
 import time
@ -14,6 +15,11 @@ app = Flask(__name__,
 app.DEBUG      = config.DEBUG
 app.secret_key = config.SECRET_KEY

+# Security?
+if config.FORCE_SSL:
+    app.SESSION_COOKIE_SECURE = True
+    sslify = SSLify(app)
+
 # Load all the blueprints!
 from rophako.modules.admin import mod as AdminModule
 from rophako.modules.account import mod as AccountModule
@ -134,4 +140,4 @@ def not_found(error):

 # Domain specific endpoints.
 if config.SITE_NAME == "kirsle.net":
-    import rophako.modules.kirsle_legacy
+    import rophako.modules.kirsle_legacy
--- a/rophako/model/comment.py
+++ b/rophako/model/comment.py
@ -226,7 +226,7 @@ def gravatar(email):
        }
        if default:
            params["d"] = default
-        url = "http://www.gravatar.com/avatar/" + hashlib.md5(email.lower()).hexdigest() + "?"
+        url = "//www.gravatar.com/avatar/" + hashlib.md5(email.lower()).hexdigest() + "?"
        url += urllib.urlencode(params)
        return url
-    return ""
+    return ""
--- a/rophako/modules/kirsle_legacy.py
+++ b/rophako/modules/kirsle_legacy.py
@ -7,7 +7,7 @@ import re
 import os

 from rophako import app
-from rophako.utils import template
+from rophako.utils import template, login_required
 import rophako.model.blog as Blog
 import rophako.jsondb as JsonDB

@ -95,3 +95,14 @@ def legacy_download():
@app.route("/<page>.html")
 def legacy_url(page):
    return redirect("/{}".format(page), code=301)
+
+@app.route("/ssl_test")
+@login_required
+def ssl_test():
+    criteria = [
+        request.is_secure,
+        app.debug,
+        request.headers.get("X-Forwarded-Proto", "http") == "https"
+    ]
+
+    return str(criteria)
--- a/rophako/www/comment/index.inc.html
+++ b/rophako/www/comment/index.inc.html
@ -9,7 +9,7 @@ There {% if comments|length == 1 %}is{% else %}are{% endif %}
 {% for comment in comments %}
    <div class="comment">
        <div class="comment-author">
-            {% if comment["image"] and (comment["image"].startswith('http:') or comment["image"].startswith('https:')) %}
+            {% if comment["image"] and (comment["image"].startswith('http:') or comment["image"].startswith('https:') or comment["image"].startswith('//')) %}
                <img src="{{ comment['image'] }}" alt="Avatar" width="96" height="96">
            {% elif comment["image"] %}
                <img src="{{ photo_url }}/{{ comment['image'] }}" alt="Avatar" width="96" height="96">
@ -87,4 +87,4 @@ There {% if comments|length == 1 %}is{% else %}are{% endif %}
 </div>

 <button type="submit">Leave Comment</button>
-</form>
+</form>
--- a/runserver.py
+++ b/runserver.py
@ -1,4 +1,47 @@
 #!/usr/bin/env python
+# -*- coding: utf-8 -*-
+from __future__ import unicode_literals
+
+import sys
+import argparse

 from rophako import app
-app.run(host='0.0.0.0', debug=True, port=2006)
+
+parser = argparse.ArgumentParser(description="Rophako")
+parser.add_argument(
+    "--port", "-p",
+    type=int,
+    help="Port to listen on",
+    default=2006,
+)
+parser.add_argument(
+    "--key", "-k",
+    type=str,
+    help="SSL private key file. Providing this option will turn on SSL mode " \
+        + "(and will require pyOpenSSL to be installed).",
+)
+parser.add_argument(
+    "--cert", "-c",
+    type=str,
+    help="SSL certificate file.",
+)
+args = parser.parse_args()
+
+if __name__ == '__main__':
+    flask_options = dict(
+        host='0.0.0.0',
+        debug=True,
+        port=args.port,
+        threaded=True,
+    )
+
+    if args.key and args.cert:
+        from OpenSSL import SSL
+        context = SSL.Context(SSL.SSLv23_METHOD)
+        context.use_privatekey_file(args.key)
+        context.use_certificate_file(args.cert)
+        app.config['SESSION_COOKIE_SECURE'] = True
+        flask_options["ssl_context"] = context
+
+    app.run(**flask_options)
+