Shield a static website by requiring a login flow through a third site
pyproject.toml Project meta info 2025年11月14日 14:34:02 +01:00
README.md More info 2025年11月14日 14:33:53 +01:00
requirements-dev.in Initial commit 2025年03月18日 13:52:10 +01:00
requirements.in Example configurations 2025年03月18日 16:24:41 +01:00
staticshield.py isort fix 2025年11月14日 14:34:20 +01:00

staticshield session proxy

Running it locally

Create a file (e.g., called run.sh) with the following:

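#!/bin/bash
# Local development launcher for staticshield: exports the FLASK_* settings
# below and starts Flask's built-in server.

# Abort on the first failing command, unset variable or failed pipeline stage
# instead of starting the server with a half-applied configuration.
set -euo pipefail

# Directory with the built static site (presumably what staticshield serves;
# confirm against staticshield.py).
export FLASK_SERVE_DIR="/home/YOURUSER/workspace/somesite/build/html"
# Endpoint on the login site. Plain http is acceptable here only because the
# endpoint is on localhost; use https for any non-local endpoint, as the
# deployment example does.
export FLASK_MOTHERSHIP="http://localhost:8888/api/staticshield"
# Optional path to 403.html, 404.html to show on those errors; leave empty to use default messages
export FLASK_ERROR_PAGES_DIR=""
#export FLASK_ERROR_PAGES_DIR="/home/YOURUSER/workspace/errorpages/"
export FLASK_SESSION_COOKIE_NAME="staticshield"
# Session lifetime in seconds (7200 = 2h).
export FLASK_PERMANENT_SESSION_LIFETIME=7200

# `flask run` starts Flask's development server. Keep it for local use only;
# anything reachable from a network should use the gunicorn setup described
# under "Deploying". exec replaces this shell so signals reach flask directly.
exec flask --app staticshield run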

ruff check and fix

# Runs only ruff's import-sorting rules (selector "I") and rewrites files in
# place where a fix is available; review the resulting diff before committing.
ruff check --fix --select I .

Deploying

Create a virtualenv with Flask and gunicorn to run it:

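# Example location; create the venv wherever you like.
# -p also creates /srv/venvs when it is missing and does not fail on a re-run.
mkdir -p /srv/venvs/staticshield
# Chain the steps so a failed cd cannot create or activate a venv in whatever
# directory the shell happens to be in.
cd /srv/venvs/staticshield && python3 -m venv . && source bin/activate
# Optional if you don't have uv installed globally yet (you should ;) - see https://docs.astral.sh/uv/ )
pip install uv
# requirements.in is part of the staticshield checkout: run this from there or
# pass its full path.
# NOTE(review): a .in file typically lists top-level dependencies without
# pinned versions. For a reproducible deployment, compile it to a pinned file
# with hashes (uv pip compile requirements.in -o requirements.txt --generate-hashes)
# and install that file with --require-hashes.
uv pip install -r requirements.in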

Create a /etc/systemd/system/staticshield.service file to run the application:

# systemd unit that runs staticshield under gunicorn.
# NOTE(review): consider adding sandboxing directives such as
# NoNewPrivileges=true and ProtectSystem=strict once the paths the service
# needs are known.
[Unit]
Description=staticshield web application
After=network.target
[Service]
# Use a dedicated unprivileged account here rather than root.
User=change_me_to_user_the_app_runs_under
WorkingDirectory=/srv/staticshield
#StandardOutput=file:/srv/logs/staticshield.log
# Values set with Environment= can be read by anyone who can read this unit
# file. Nothing below is secret; if a secret is ever added, move it to an
# EnvironmentFile= with restrictive permissions.
# NOTE(review): no key for signing the Flask session cookie is configured in
# this example - confirm how staticshield.py obtains one.
Environment=FLASK_SERVE_DIR="/srv/some_static_website/html"
# Keep this endpoint on https so traffic to the login site is not sent in
# cleartext.
Environment=FLASK_MOTHERSHIP="https://api.example.com/api/staticshield"
# Optional path to 403.html, 404.html to show on those errors; leave empty to use default messages
Environment=FLASK_ERROR_PAGES_DIR=""
#Environment=FLASK_ERROR_PAGES_DIR="/srv/shared/errorpages/"
Environment=FLASK_SESSION_COOKIE_NAME="staticshield"
# Max session length of 2h
Environment=FLASK_PERMANENT_SESSION_LIFETIME=7200
# gunicorn binds to the loopback interface only, so the application is
# reachable through the local nginx proxy and not directly from the network.
# NOTE(review): this path (/application/venvs/...) differs from the
# /srv/venvs/staticshield location used in the venv example - adjust it to
# wherever the venv was actually created.
ExecStart=/application/venvs/staticshield/bin/gunicorn -b localhost:8000 -w 4 staticshield:app
# Unix-socket alternative: -m 007 is the umask, leaving the socket accessible
# to the service user and group only. The relative socket path is resolved
# against WorkingDirectory, so keep nginx's proxy_pass socket path in sync.
#ExecStart=/application/venvs/staticshield/bin/gunicorn -b unix:staticshield.sock -m 007 -w 4 staticshield:app
Restart=always
[Install]
WantedBy=multi-user.target
# Register the unit for start at boot and launch it right away (run as root).
systemctl enable --now staticshield.service

nginx configuration for webserver:

# Reverse proxy in front of the staticshield gunicorn process.
# NOTE(review): only plain-HTTP listeners on port 80 are configured, so the
# session cookie crosses this hop unencrypted. Presumably TLS is terminated by
# a front proxy (the commented set_real_ip_from line mentions HAProxy) -
# confirm, or add a 443 listener with certificates before exposing this vhost
# directly.
server {
 listen 80;
 listen [::]:80;
 server_name docs.example.com;
 # Optimisations
 gzip on;
 gzip_disable "MSIE [1-6]\.(?!.*SV1)";
 gzip_http_version 1.1;
 gzip_vary on;
 gzip_comp_level 6;
 gzip_proxied any;
 gzip_buffers 16 8k;
 gzip_min_length 256;
 gzip_types
 application/atom+xml
 application/geo+json
 application/javascript
 application/x-javascript
 application/json
 application/ld+json
 application/manifest+json
 application/rdf+xml
 application/rss+xml
 application/xhtml+xml
 application/xml
 font/eot
 font/otf
 font/ttf
 image/svg+xml
 text/css
 text/javascript
 text/plain
 text/xml;
 # Do not show nginx version
 server_tokens off;
 # Enable the two lines below only with the real address of the trusted front
 # proxy. Trusting X-Forwarded-For from any other source lets clients choose
 # the address that ends up in the logs.
 # set_real_ip_from 192.168.1.254; # IP Address of HAProxy
 # real_ip_header X-Forwarded-For;

 access_log /var/log/nginx/access_docs.example.com.log;
 error_log /var/log/nginx/error_docs.example.com.log warn;
 # Show server host name as header
 # Leave this disabled on public vhosts: it discloses the internal host name.
 # add_header X-Backend-Server $hostname;

 location / {
 # OPTIONS requests are answered by nginx with an empty 200 and never reach
 # staticshield, so no login check applies to them.
 if ($request_method = OPTIONS ) {
 add_header Content-Length 0;
 add_header Content-Type text/plain;
 return 200;
 }
 # proxy_params is an include file that is not shown here; presumably it
 # sets the Host and X-Forwarded-* headers passed upstream - verify.
 include proxy_params;
 # proxy_pass http://unix:/application/staticshield/staticshield.sock;
 proxy_pass http://127.0.0.1:8000;
 }
 # Optional, when using the FLASK_ERROR_PAGES_DIR
 # Files under this alias are served by nginx without going through
 # staticshield; keep only public error-page assets in that directory.
 # location /404images/ {
 # alias /srv/shared/errorpages/;
 # }

 # The two locations below are served from disk by nginx and bypass
 # staticshield's login check.
 # NOTE(review): these are prefix matches, so any URI that merely starts with
 # /favicon.ico or /robots.txt is mapped onto the alias path with the rest of
 # the URI appended. "location = /favicon.ico" and "location = /robots.txt"
 # would restrict them to the exact URI.
 location /favicon.ico {
 alias /srv/whatever/_static/favicon.ico;
 }
 location /robots.txt {
 alias /srv/whatever/robots_disallow_all.txt;
 }
}