Fix HTTPS (#32)

Author: alexlambson

docker-compose.prod.yml

@@ -33,10 +33,13 @@ services:
     image: nginx:latest
     volumes:
       - ./docker/nginx.prod.conf:/etc/nginx/nginx.conf:ro
+      - ${SSL_CERT_PATH}:/etc/nginx/ssl/certs/fullchain.pem:ro
+      - ${SSL_KEY_PATH}:/etc/nginx/ssl/certs/privkey.pem:ro
       - ${HOST_STATIC_ROOT}:/usr/share/nginx/html/static  # website static assets.
       - ${HOST_MEDIA_ROOT}:/usr/share/nginx/html/silo  # website user-uploaded files.
     ports:
-      - "${EXPOSED_PORT}:80"
+      - "${EXPOSED_PORT:-80}:80"
+      - "${EXPOSED_SSL_PORT:-443}:443"
     depends_on:
       - django
     networks:

docker/nginx.prod.conf

@@ -1,18 +1,42 @@
 user nginx;
-worker_processes 4;
+worker_processes auto;
 error_log  /var/log/nginx/error.log warn;
 pid /var/run/nginx.pid;
 
 events {
     worker_connections 1024;
 }
 
+
 http {
+    upstream django_app {
+        server django:8000;  # The Django app is exposed on the `django` container on port 8000
+    }
+
+    # REDIRECT HTTP -> HTTPS
     server {
         listen 80 deferred;
         client_max_body_size 128M;
         server_name cncnet.org mapdb2.cncnet.org;
-        
+
+        location / {
+            return 301 https://$host$request_uri;
+        }
+    }
+
+    # HTTPS
+    ssl_session_cache shared:SSL:5m;
+    ssl_session_timeout 5m;
+    server {
+        listen 443 ssl;
+        client_max_body_size 128M;
+        server_name cncnet.org mapdb2.cncnet.org;
+
+        ssl_certificate /etc/nginx/ssl/certs/fullchain.pem;
+        ssl_certificate_key /etc/nginx/ssl/certs/privkey.pem;
+        ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_ciphers HIGH:!aNULL:!MD5;
+
         # Serve static files: js, static images, etc.
         location /static/ {
             alias /usr/share/nginx/html/static/;  # The nginx container's mounted volume.
@@ -29,7 +53,7 @@ http {
 
         # Proxy requests to the Django app running in gunicorn
         location / {
-            proxy_pass http://django:8000;  # The Django app is exposed on the `django` container on port 8000
+            proxy_pass http://django_app;
             proxy_set_header Host $http_host;
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

example.env

@@ -48,3 +48,9 @@ TESTING_API_PASSWORD=
 
 # Options are in `kirovy.constants.RunEnvironment`
 RUN_ENVIRONMENT=
+
+# The port for https connections
+# Not necessary for local dev
+EXPOSED_SSL_PORT=443
+SSL_CERT_PATH=
+SSL_KEY_PATH=