Merge pull request #324 from hpi-sam/267-making-the-server-more-secure

267 make server more secure

.env.dev

@@ -15,5 +15,3 @@ CHANNEL_REDIS=True
 POSTGRES_DB=dps
 POSTGRES_USER=dps
 POSTGRES_PASSWORD=dps
-
-FRONTEND_URL=localhost

.env.prod

@@ -15,5 +15,3 @@ CHANNEL_REDIS=True
 POSTGRES_DB=dps
 POSTGRES_USER=dps
 POSTGRES_PASSWORD=ozuCk0rrF6nzkzcR1TQMR93m3iYUzMBG
-
-FRONTEND_URL=klinik-dps.de

.github/workflows/ci-tests.yml

@@ -88,7 +88,7 @@ jobs:
 
       - name: Run docker containers with deploy dev configuration
         run: |
-          docker-compose --env-file .env.dev up -d
+          docker-compose -f docker-compose.dev.yml up -d
 
       - name: Run integration tests
         run: |

.github/workflows/deploy.yml

@@ -48,9 +48,10 @@ jobs:
       - name: Prepare deployment files
         run: |
           mkdir deployment_files
-          cp docker-compose.yml deployment_files/
+          cp docker-compose.prod.yml deployment_files/docker-compose.yml
           cp ./.env.prod deployment_files/
           cp ./.env.dev deployment_files/
+          cp backend/dps_training_k/deployment/nginx/nginx_deploy_prod.conf deployment_files/nginx.conf
 
       - name: Archive deployment files
         uses: actions/upload-artifact@v2

README.md

@@ -24,7 +24,8 @@ Replace `<prod/dev>` with `prod` or `dev` in the following commands to use the r
    /docker-compose.yml, ./.env.<prod/dev>).
 2. Recommended: As the env files are probably stored in a public repository, it is strongly encouraged to change the SECRET_KEY and the 
    POSTGRES_PASSWORD variables in the used `.env.<prod/dev>` file.
-3. Log into the GitHub Packages registry with the following command. Ask a team member for valid credentials.
+3. Log into the GitHub Packages registry with the following command. Ask a team member for valid credentials. Note: passing secrets as 
+   command line arguments is insecure. consider using `--password-stdin` instead
 ```bash
 docker login ghcr.io -u <username> -p <token>
 ```
@@ -43,8 +44,8 @@ The application is now deployed and the website should be accessible on port 517
 the containers restarted accordingly.
 
 Keep in mind that the IP address of the server running the back- and frontend are hardcoded in the environment files. For 
-the backend a simple correction of the `FRONTEND_URL` variable within the `.env.<prod/dev>` file on the server is enough, but fot the frontend the 
-`SERVER_URL` variable (and `VITE_SERVER_URL` variable for building without docker) has to be adjusted in the associated env file and the image has 
+the backend a simple correction of the `CORS_ALLOWED_ORIGINS` variable within the `backend/dps_training_k/configuration/settings.py` file on the 
+server is enough, but for the frontend the `VITE_SERVER_URL` variable has to be adjusted in the associated env file and the image has 
 to be rebuilt and re-uploaded to the GitHub Packages registry.
 
 ## Changing the project configuration

backend/dps_training_k/.env.dev

@@ -13,5 +13,3 @@ CHANNEL_REDIS=True
 POSTGRES_DB=dps
 POSTGRES_USER=dps
 POSTGRES_PASSWORD=dps
-
-FRONTEND_URL=localhost

backend/dps_training_k/.env.prod

@@ -13,5 +13,3 @@ CHANNEL_REDIS=True
 POSTGRES_DB=dps
 POSTGRES_USER=dps
 POSTGRES_PASSWORD=ozuCk0rrF6nzkzcR1TQMR93m3iYUzMBG
-
-FRONTEND_URL=localhost

backend/dps_training_k/configuration/settings.py

@@ -32,7 +32,7 @@
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = env.bool("DEBUG")
 CORS_ORIGIN_ALLOW_ALL = DEBUG
-CORS_ALLOWED_ORIGINS = ["http://" + env.str("FRONTEND_URL") + ":5173"]
+CORS_ALLOWED_ORIGINS = ["https://klinik-dps.de", "https://www.klinik-dps.de", "http://localhost"]
 RUN_CONFIG = env.str("RUN_CONFIG", default="dev")
 
 CSRF_TRUSTED_ORIGINS = ["http://localhost:8000"]
@@ -50,7 +50,6 @@
     "django.contrib.contenttypes",
     "django.contrib.sessions",
     "django.contrib.messages",
-    "django.contrib.staticfiles",
     "corsheaders",
     "game.apps.GameConfig",
     "helpers.apps.GameConfig",
@@ -134,12 +133,6 @@
 
 USE_TZ = True
 
-
-# Static files (CSS, JavaScript, Images)
-# https://docs.djangoproject.com/en/5.0/howto/static-files/
-
-STATIC_URL = "static/"
-
 # Default primary key field type
 # https://docs.djangoproject.com/en/5.0/ref/settings/#default-auto-field
 
@@ -163,8 +156,6 @@
 
 AUTH_USER_MODEL = "game.User"
 
-STATIC_ROOT = os.path.join(BASE_DIR, "staticfiles")
-
 # Celery
 # ------------------------------------------------------------------------------
 # See: http://docs.celeryproject.org/en/latest/userguide/configuration.html

backend/dps_training_k/deployment/django/entrypoint

@@ -7,7 +7,6 @@ if [ "${RUN_MIGRATIONS:-0}" = "1" ]; then
 
     python manage.py makemigrations
     python manage.py migrate
-    python manage.py collectstatic --noinput
     python manage.py import_actions
     python manage.py import_patient_information
     python manage.py loaddata patient_states.json

backend/dps_training_k/deployment/nginx/Dockerfile

@@ -1,4 +1,3 @@
 FROM nginx:latest
 
-RUN rm /etc/nginx/conf.d/default.conf
-COPY nginx.conf /etc/nginx/conf.d
+RUN rm /etc/nginx/conf.d/default.conf

backend/dps_training_k/deployment/nginx/nginx.conf

@@ -1,27 +1,22 @@
-upstream configuration {
-    server django:8000;
-}
-
 server {
-
     listen 80;
 
-    location / {
-        proxy_pass http://configuration;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection "Upgrade";
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    location /api {
+        proxy_pass http://django:8000/api;
         proxy_set_header Host $host;
-        proxy_redirect off;
-    }
-
-
-    location /static/ {
-        alias /app/staticfiles/;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
     }
 
-    location /media/ {
-        alias /app/mediafiles/;
+    location /ws {
+        proxy_pass http://django:8000/ws;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "Upgrade";
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
     }
-
 }

backend/dps_training_k/deployment/nginx/nginx_deploy_dev.conf

@@ -0,0 +1,30 @@
+server {
+    listen 80;
+
+    location / {
+        proxy_pass http://frontend:5173;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    location /api {
+        proxy_pass http://django:8000/api;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    location /ws {
+        proxy_pass http://django:8000/ws;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "Upgrade";
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}

backend/dps_training_k/deployment/nginx/nginx_deploy_prod.conf

@@ -0,0 +1,39 @@
+server {
+    listen 80;
+    server_name klinik-dps.de www.klinik-dps.de;
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+server {
+    listen 443 ssl;
+    server_name klinik-dps.de www.klinik-dps.de;
+
+    ssl_certificate /etc/nginx/ssl/fullchain.pem;
+    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
+
+    location / {
+        proxy_pass http://frontend:5173;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+    location /api {
+        proxy_pass http://django:8000/api;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+    location /ws {
+        proxy_pass http://django:8000/ws;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "Upgrade";
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}

backend/dps_training_k/docker-compose.yml

@@ -42,8 +42,8 @@ services:
     volumes:
       - static_volume:/app/staticfiles
       - .:/app:z
-    expose:
-      - 8000
+    ports:
+      - 8000:8000
     command: uvicorn configuration.asgi:application --host 0.0.0.0 --reload
     stdin_open: true
     tty: true
@@ -82,8 +82,9 @@ services:
     container_name: K-dPS-nginx
     volumes:
       - static_volume:/app/staticfiles
+      - ./deployment/nginx/nginx.conf:/etc/nginx/conf.d/nginx.conf
     ports:
-      - "8000:80"
+      - "80:80"
     depends_on:
       - django
 

backend/dps_training_k/game/urls.py

@@ -2,6 +2,6 @@
 from django.urls import path
 
 urlpatterns = [
-    path("patient/access", PatientAccessView.as_view(), name="patient-access"),
-    path("trainer/login", TrainerLoginView.as_view(), name="trainer-login")
+    path("api/patient/access", PatientAccessView.as_view(), name="patient-access"),
+    path("api/trainer/login", TrainerLoginView.as_view(), name="trainer-login")
 ]

backend/dps_training_k/template/management/commands/import_patient_information.py

@@ -62,22 +62,25 @@ def import_patients(file_path):
 
             patient_information, _ = PatientInformation.objects.update_or_create(
                 code=row["Pat-Nr."].strip(),
-                personal_details=row["Personalien"].strip(),
-                blood_type=row["Blutgruppe"].strip(),
-                injury=row["Verletzungen"].strip(),
-                biometrics=biometrics,
-                triage=triage,
-                consecutive_unique_number=consecutiveUniqueNumber,
-                mobility=row["Mobilität"].strip(),
-                preexisting_illnesses=row["Vorerkrankungen"].strip(),
-                permanent_medication=row["Dauer-Medikation"].strip(),
-                current_case_history=row[
-                    "Aktuelle Anamnese / Rettungsdienst-Übergabe"
-                ].strip(),
-                pretreatment=row["Vorbehandlung"].strip(),
-                start_status=row["Start-Status"].strip(),
-                start_location=row["Start-Ort"].strip(),
-                op=row["OP / Interventions-Verlauf"].strip(),
+                defaults={
+                    "personal_details": row["Personalien"].strip(),
+                    "blood_type": row["Blutgruppe"].strip(),
+                    "injury": row["Verletzungen"].strip(),
+                    "biometrics": biometrics,
+                    "triage": triage,
+                    "consecutive_unique_number": consecutiveUniqueNumber,
+                    "mobility": row["Mobilität"].strip(),
+                    "preexisting_illnesses": row["Vorerkrankungen"].strip(),
+                    "permanent_medication": row["Dauer-Medikation"].strip(),
+                    "current_case_history": row[
+                        "Aktuelle Anamnese / Rettungsdienst-Übergabe"
+                    ].strip(),
+                    "pretreatment": row["Vorbehandlung"].strip(),
+                    "pretreatment_action_templates": {},
+                    "start_status": row["Start-Status"].strip(),
+                    "start_location": row["Start-Ort"].strip(),
+                    "op": row["OP / Interventions-Verlauf"].strip(),
+                }
             )
             pretreatments_list = [
                 pt.strip() for pt in patient_information.pretreatment.split(",")