From 2a1918b47ccb060c2ce0e1d11a0397c89d87bd2f Mon Sep 17 00:00:00 2001 From: AmirAli Angha Date: Wed, 8 Jul 2026 02:11:32 +0330 Subject: [PATCH] Prepare accounting backend for production behind nginx and CDN proxy. Add reverse-proxy settings, stricter CORS origin parsing, and production env defaults for acc.zoneco.org and the admin panel. --- .env.example | 8 +++++++- config/settings.py | 48 ++++++++++++++++++++++++++++++++++++++-------- docker-compose.yml | 4 ++-- 3 files changed, 49 insertions(+), 11 deletions(-) diff --git a/.env.example b/.env.example index 5be53fb..2dbaa61 100644 --- a/.env.example +++ b/.env.example @@ -9,8 +9,14 @@ ALLOWED_HOSTS=localhost,127.0.0.1,0.0.0.0,testserver # DATABASE_URL=postgresql://postgres:postgres@localhost:5432/funzone_accounting # CORS (the accounting frontend dev server runs on port 5176) +# Production: set CORS_ALLOW_ALL_ORIGINS=False and include https://admin.zoneco.org CORS_ALLOW_ALL_ORIGINS=True -CORS_ALLOWED_ORIGINS=http://localhost:5176,http://127.0.0.1:5176,http://localhost:3006,http://127.0.0.1:3006 +CORS_ALLOWED_ORIGINS=http://localhost:5176,http://127.0.0.1:5176,http://localhost:3006,http://127.0.0.1:3006,https://admin.zoneco.org + +# Production (behind nginx / CDN) +# ALLOWED_HOSTS=acc.zoneco.org,localhost,127.0.0.1,accounting-backend +# USE_X_FORWARDED_HOST=True +# SECURE_PROXY_SSL_HEADER=True # Docker: persist SQLite in a named volume # SQLITE_PATH=/data/db.sqlite3 diff --git a/config/settings.py b/config/settings.py index 0a550cd..2111097 100644 --- a/config/settings.py +++ b/config/settings.py @@ -18,10 +18,19 @@ SECRET_KEY = config('SECRET_KEY', default='your-super-secret-key-change-in-produ DEBUG = config('DEBUG', default=True, cast=bool) -ALLOWED_HOSTS = config( - 'ALLOWED_HOSTS', - default='localhost,127.0.0.1,0.0.0.0,testserver', -).split(',') +ALLOWED_HOSTS = [ + host.strip() + for host in config( + 'ALLOWED_HOSTS', + default='localhost,127.0.0.1,0.0.0.0,testserver', + ).split(',') + if host.strip() +] + +# Behind nginx / CDN reverse proxy +USE_X_FORWARDED_HOST = config('USE_X_FORWARDED_HOST', default=False, cast=bool) +if config('SECURE_PROXY_SSL_HEADER', default=False, cast=bool): + SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https') INSTALLED_APPS = [ 'django.contrib.auth', @@ -120,7 +129,30 @@ SIMPLE_JWT = { # CORS: allow the accounting frontend (and others) in development. CORS_ALLOW_ALL_ORIGINS = config('CORS_ALLOW_ALL_ORIGINS', default=True, cast=bool) CORS_ALLOW_CREDENTIALS = True -CORS_ALLOWED_ORIGINS = config( - 'CORS_ALLOWED_ORIGINS', - default='http://localhost:5176,http://127.0.0.1:5176', -).split(',') +CORS_ALLOWED_ORIGINS = [ + origin.strip() + for origin in config( + 'CORS_ALLOWED_ORIGINS', + default='http://localhost:5176,http://127.0.0.1:5176', + ).split(',') + if origin.strip() +] +CORS_ALLOW_HEADERS = [ + 'accept', + 'accept-encoding', + 'authorization', + 'content-type', + 'dnt', + 'origin', + 'user-agent', + 'x-csrftoken', + 'x-requested-with', +] +CORS_ALLOW_METHODS = [ + 'DELETE', + 'GET', + 'OPTIONS', + 'PATCH', + 'POST', + 'PUT', +] diff --git a/docker-compose.yml b/docker-compose.yml index 32eb950..3623bea 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -9,9 +9,9 @@ services: environment: SECRET_KEY: ${SECRET_KEY:-your-super-secret-key-change-in-production} DEBUG: ${DEBUG:-False} - ALLOWED_HOSTS: ${ALLOWED_HOSTS:-localhost,127.0.0.1,accounting-backend} + ALLOWED_HOSTS: ${ALLOWED_HOSTS:-localhost,127.0.0.1,accounting-backend,acc.zoneco.org} CORS_ALLOW_ALL_ORIGINS: ${CORS_ALLOW_ALL_ORIGINS:-True} - CORS_ALLOWED_ORIGINS: ${CORS_ALLOWED_ORIGINS:-http://localhost:3006,http://localhost:5176,http://127.0.0.1:3006,http://127.0.0.1:5176} + CORS_ALLOWED_ORIGINS: ${CORS_ALLOWED_ORIGINS:-http://localhost:3006,http://localhost:5176,http://127.0.0.1:3006,http://127.0.0.1:5176,https://admin.zoneco.org} SQLITE_PATH: /data/db.sqlite3 DATABASE_URL: ${DATABASE_URL:-} DB_HOST: accounting-db