feat: add optional letsencrypt tls

This commit is contained in:
bisco
2026-06-24 11:06:33 +02:00
parent 1e3685bab8
commit 719cdce9c1
19 changed files with 561 additions and 62 deletions
+12 -7
View File
@@ -11,21 +11,26 @@
the application images run as non-root users.
- `.env` is ignored. `.env.example` contains replaceable development placeholders,
never production credentials. Use a deployment secret manager outside local use.
- `DJANGO_DEBUG` must be false and allowed hosts explicit outside development. Add TLS
at the edge before public exposure.
- `DJANGO_DEBUG` must be false and allowed hosts explicit outside development. Public
traffic must use either the optional direct TLS mode or TLS at a load balancer.
- Database and uploaded media backups may contain personal data. Restrict, encrypt,
retain, and delete them according to the operator's privacy policy.
- Avoid placing personal phone numbers or private contact details in logs. The API
legitimately exposes only contact details approved for publication.
- Dependency and image versions are explicit. Operators remain responsible for patch
upgrades, vulnerability scans, and production digest pinning.
- NGINX forwards the original host and standard client/protocol headers. The local
configuration is HTTP-only; production must add TLS and ensure application ports are
not externally reachable.
- NGINX forwards the original host and standard client/protocol headers. Django trusts
`X-Forwarded-Proto: https`; therefore direct proxy access must be limited to trusted
networks when a load balancer supplies that header. The NGINX mapping accepts only
the literal `https` value as secure.
- Optional Certbot uses a pinned image, a read-only root filesystem, no Docker socket,
and only the certificate/challenge volumes. NGINX reads private keys from the
certificate volume but cannot modify them. Restrict and back up that volume as
sensitive material.
- The Playwright image is pinned and enabled only through the test Compose profile. It
receives no credentials, publishes no host ports, and tests only the local portal.
The override uses a separate PostgreSQL volume so its seed cannot overwrite normal
CMS content.
Manual production hardening remains required for reverse proxy headers, TLS, media
storage, backup retention, monitoring, and admin network policy.
Manual production hardening remains required for proxy trust boundaries, media
storage, backup retention, monitoring, firewalling, and admin network policy.