# Global configuration
#
# Defaults for the application. Anything here can be overridden by
# local_settings.py (imported further down in this file); the checks that
# follow that import refuse to start when a secret is empty or too short.
BROWSER_SECRET_KEY = ''  # must be >= 16 chars; enforced below
# Flask-Cache settings
CACHE_TYPE = 'memcached'
CACHE_MEMCACHED_SERVERS = ['127.0.0.1:11211']  # loopback memcached by default
# When behind a load balancer, set CANONICAL_NAME to the value contained in
# Host headers (e.g. 'www.example.org')
CANONICAL_NAME = '127.0.0.1'
# When behind a load balancer, set CANONICAL_PORT to the value contained in
# Host headers (normally it will be '80' in production)
CANONICAL_PORT = '5000'
# Template for SQLALCHEMY_DATABASE_URI; filled in at the bottom of this file
# from the DB_* values below.
DATABASE_URI_FMT = 'postgresql+psycopg2://{username}:{password}@{hostname}:{port}/{dbname}'
DB_HOST = '127.0.0.1'
DB_NAME = 'skeleton'
# Setup a password database. Generate a random pass via:
# import M2Crypto
# M2Crypto.m2.rand_bytes(24).encode('base64').rstrip()
DB_PASS = ''  # must be >= 8 chars; enforced below (the check prints a generated one)
DB_PORT = '5432'
DB_SCHEMA = 'skeleton_schema'
DB_ADMIN = 'skeleton_dba'  # not referenced in this file; presumably the owner/migration role — verify
DB_USER = 'skeleton_www'  # role embedded in SQLALCHEMY_DATABASE_URI
# Debug aids are off by default; keep them off for anything reachable by
# untrusted users.
DEBUG = False
DEBUG_TOOLBAR = False
# Bind address for the built-in dev server (feeds WERKZEUG_OPTS below).
# Loopback by default, so the server is not reachable from other hosts.
LISTEN_HOST = '127.0.0.1'
# Server-side secret, checked below to be >= 32 chars. The generated hint
# stores it base64-decoded (raw bytes). Its exact use is outside this file;
# presumably mixed into password hashing — confirm against the auth code.
PASSWORD_HASH = ''
SECRET_KEY = ''  # Flask's SECRET_KEY (session signing); must be >= 32 chars, enforced below
SESSION_BYTES = 25  # not used in this file; presumably the size of generated session ids — verify
SESSION_COOKIE_NAME = 'skeleton_session'
# Empty means the USE_SSL block below falls back to 'ssl.key' / 'ssl.cert'
# in the current working directory.
SSL_CERT_FILENAME = ''
SSL_PRIVATE_KEY_FILENAME = ''
TESTING = False
USE_SSL = True  # TLS on by default; the block below requires readable key/cert files
# Logs SQL queries to stderr
SQLALCHEMY_ECHO = False
# If users want to pass specific werkzeug options
# NOTE: 'port' here is the dev-server listen port and is independent of
# CANONICAL_PORT (what external clients see behind a load balancer).
WERKZEUG_OPTS = {'host': LISTEN_HOST, 'port' : 5000}
# Import user-provided values
#
# local_settings.py overrides any of the defaults above. NOTE: this
# `except ImportError` also swallows an ImportError raised *inside*
# local_settings.py (e.g. a typo in one of its own imports); in that case
# the empty defaults stay in force and the secret checks below are the
# only thing that stops the app from starting with them.
try:
    from local_settings import *
except ImportError:
    pass
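# Add a small amount of anti-footshooting and check to make sure a browser
# key is set.
#
# Every check in this section works the same way: when a secret is missing
# or too short, print a freshly generated random value together with the
# shell command that pins it in local_settings.py, then raise ValueError so
# the process stops here. The generated value is deliberately NOT used in
# place: a secret that changed on every start would silently invalidate
# sessions and password hashes.


def _random_secret(nbytes):
    """Return ``nbytes`` random bytes as a single line of base64 (a ``str``).

    Uses ``os.urandom`` (the OS CSPRNG) so this bootstrap path needs no
    third-party module, and ``base64.b64encode`` so the output never
    contains line breaks. The previous implementation stripped
    ``os.linesep`` from the wrapped ``.encode('base64')`` output, which
    left the codec's ``'\\n'`` breaks in place on Windows for the 256-byte
    secrets.
    """
    import base64
    import os
    return base64.b64encode(os.urandom(nbytes))


def _print_secret_hint(setting, noun, value, decode_base64=False):
    """Print the copy/paste command that stores ``value`` as ``setting``.

    ``noun`` is 'password' or 'secret' and only affects the wording. With
    ``decode_base64`` the stored expression is ``'...'.decode('base64')``
    so the setting holds the raw bytes rather than their base64 text.
    """
    print("Generating a random %s for %s. Copy/paste the following commands to setup a random non-fail %s.\n" % (noun, setting, noun))
    suffix = ".decode('base64')" if decode_base64 else ''
    print('\techo "%s = \'%s\'%s" >> local_settings.py\n' % (setting, value, suffix))


if len(BROWSER_SECRET_KEY) < 16:
    # 24 random bytes -> 32 base64 characters.
    _print_secret_hint('BROWSER_SECRET_KEY', 'password', _random_secret(24))
    # Message now matches the check above (it used to say "8 characters").
    raise ValueError('BROWSER_SECRET_KEY needs to be set and at least 16 characters long (len(BROWSER_SECRET_KEY) >= 16)!')
# Add a small amount of anti-footshooting and check to make sure a password
# is set.
if len(DB_PASS) < 8:
    # 24 random bytes -> 32 base64 characters. Good enough.
    _print_secret_hint('DB_PASS', 'password', _random_secret(24))
    raise ValueError('DB_PASS needs to be set and longer than 8 characters (len(DB_PASS) >= 16 recommended)!')
# Add a small amount of anti-footshooting and check to make sure a password
# hash is set of modest strength.
if len(PASSWORD_HASH) < 32:
    # 256 random bytes, stored decoded so the setting holds the raw bytes.
    _print_secret_hint('PASSWORD_HASH', 'secret', _random_secret(256), decode_base64=True)
    print("DO NOT LOOSE PASSWORD_HASH! If you loose PASSWORD_HASH no users will be able to log in and every user will have to reset their password!!!\n")
    raise ValueError('PASSWORD_HASH needs to be set and longer than 32 characters (len(PASSWORD_HASH) >= 32 recommended)!')
# Add a small amount of anti-footshooting and check to make sure a secret key
# is set of modest strength.
if len(SECRET_KEY) < 32:
    # 256 random bytes, stored decoded so the setting holds the raw bytes.
    _print_secret_hint('SECRET_KEY', 'secret', _random_secret(256), decode_base64=True)
    raise ValueError('SECRET_KEY needs to be set and longer than 32 characters (len(SECRET_KEY) >= 64 recommended)!')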
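# If we're running in SSL mode, check for the files or give users a hint on
# how to generate the keys.
if USE_SSL:
    import os
    import socket  # the shutdown monkeypatch below catches socket.error

    # Empty settings fall back to files in the current working directory.
    key_file = SSL_PRIVATE_KEY_FILENAME if SSL_PRIVATE_KEY_FILENAME else 'ssl.key'
    cert_file = SSL_CERT_FILENAME if SSL_CERT_FILENAME else 'ssl.cert'
    have_key = os.access(key_file, os.R_OK)
    have_cert = os.access(cert_file, os.R_OK)
    # The generator hints use a 2048-bit key and SHA-256; the earlier text
    # suggested rsa:1024 / -sha1, both below current minimums.
    # NOTE(review): the '[email protected]' token in the -subj string looks
    # like an extraction artifact; the original is presumably an
    # emailAddress=... RDN — verify before relying on the hint.
    if not have_key and not have_cert:
        print("HINT: To generate a key and cert without it prompting for information (spaces are escaped with a \\):\n")
        print("\topenssl req -x509 -nodes -days 365 -subj '/C=US/ST=MyState/L=MyCity/CN=127.0.0.1/O=MyCompany\\ Inc/OU=MyOU/[email protected]' -newkey rsa:2048 -keyout %s -out %s\n" % (key_file, cert_file))
        raise ValueError('SSL_PRIVATE_KEY_FILENAME file missing (possibly needs to be generated?)')
    if not have_key:
        print("HINT: To generate a private key:\n")
        print("\topenssl genrsa 2048 > %s\n" % key_file)
        raise ValueError('SSL_PRIVATE_KEY_FILENAME file missing (possibly needs to be generated?)')
    if not have_cert:
        # Wording fixed: this hint produces the certificate, not the key.
        print("HINT: To generate a self-signed certificate from the private key:\n")
        print("\topenssl req -new -x509 -nodes -sha256 -days 365 -key %s > %s\n" % (key_file, cert_file))
        raise ValueError('SSL_CERT_FILENAME file missing (possibly needs to be generated?)')

    from OpenSSL import SSL
    # SSLv23_METHOD negotiates the highest protocol both sides support;
    # TLSv1_METHOD (used before) pinned the server to TLS 1.0 only. SSLv2
    # and SSLv3 are disabled explicitly; TLS 1.0/1.1 stay enabled to keep
    # the dev server as reachable as it was.
    ctx = SSL.Context(SSL.SSLv23_METHOD)
    ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)
    ctx.use_privatekey_file(key_file)
    ctx.use_certificate_file(cert_file)
    WERKZEUG_OPTS['ssl_context'] = ctx

    ### WARNING: Ugh. Monkey patch in a fix to correct pyOpenSSL's
    ### incompatible ServerSocket implementation that accepts zero arguments
    ### for shutdown() instead of one. Fix up
    ### lib/python2.7/SocketServer.py:459's shutdown() call because that
    ### appears to be easier to quickly hack in versus patching
    ### pyOpenSSL. Again, don't use this for production, but it's great for
    ### testing.
    def monkeyp_ssl_shutdown_request(self, request):
        """Replacement ``TCPServer.shutdown_request`` calling ``shutdown()`` with no arguments.

        ``socket`` is imported at the top of this block: without it the
        ``except`` clause raised NameError instead of swallowing the error,
        and ``close_request`` was skipped.
        """
        try:
            request.shutdown()
        except socket.error:
            pass  # some platforms may raise ENOTCONN here
        self.close_request(request)
    from SocketServer import TCPServer
    TCPServer.shutdown_request = monkeyp_ssl_shutdown_request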
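# Derived values
import urllib

# Credentials are percent-encoded before being spliced into the URL.
# SQLAlchemy's URL parser percent-decodes the user/password fields, so a
# DB_PASS containing reserved characters ('@', '/', '+', '%') would
# otherwise corrupt the URL or be decoded to something else — verify the
# exact decoding against the installed SQLAlchemy version. (``urllib.quote``
# is the Python 2 name, which this file already targets.)
SQLALCHEMY_DATABASE_URI = DATABASE_URI_FMT.format(
    username=urllib.quote(DB_USER, safe=''),
    password=urllib.quote(DB_PASS, safe=''),
    hostname=DB_HOST,
    port=DB_PORT,
    dbname=DB_NAME,
    schema=DB_SCHEMA,  # unused by the default DATABASE_URI_FMT; kept for custom formats
)
# Explicitly specify what's a local request
scheme = 'https' if USE_SSL else 'http'
LOCAL_REQUEST = '%s://%s:%s/' % (scheme, CANONICAL_NAME, CANONICAL_PORT)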