admin/GenExam-IA
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Align Sinbad2 HTTPS deployment with orcid2sword reverse-proxy pattern.

Browse Source 
This adds nginx dual-path routing, forwarded proxy headers, Uvicorn proxy-headers, production security settings, and deployment docs for https://sinbad2.ujaen.es/generadorexamenesllm/.
This commit is contained in:
Mireya Cueto Garrido
2026-06-03 10:12:05 +02:00
parent ca6d370585
commit 7dcc7dc0e1
13 changed files with 230 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend/app/core/config.py
+11
View File
@@ -7,6 +7,9 @@ from pydantic_settings import BaseSettings, SettingsConfigDict
class Settings(BaseSettings):
app_name: str = "GenExamenes IA"
environment: str = "local"
public_base_url: str = "https://sinbad2.ujaen.es/generadorexamenesllm"
trusted_hosts: str = "sinbad2.ujaen.es,localhost,127.0.0.1"
security_hsts_seconds: int = Field(default=31_536_000, ge=0)
api_prefix: str = ""
api_key: str = Field(min_length=16)
database_url: str = "postgresql+psycopg://genexamenes:genexamenes@localhost:5432/genexamenes"
@@ -41,10 +44,18 @@ class Settings(BaseSettings):
extra="ignore",
)
@property
def is_production(self) -> bool:
return self.environment.lower() in {"production", "prod"}
@property
def cors_origins(self) -> list[str]:
return [origin.strip() for origin in self.allowed_origins.split(",") if origin.strip()]
@property
def trusted_hosts_list(self) -> list[str]:
return [host.strip() for host in self.trusted_hosts.split(",") if host.strip()]
@lru_cache
def get_settings() -> Settings:
backend/app/core/security_headers.py
+30
View File
@@ -0,0 +1,30 @@
from fastapi import Request, Response
from starlette.middleware.base import BaseHTTPMiddleware, RequestResponseEndpoint
from app.core.config import Settings
class SecurityHeadersMiddleware(BaseHTTPMiddleware):
"""Cabeceras de seguridad; HSTS en producción o cuando el proxy indica HTTPS."""
def __init__(self, app: object, settings: Settings) -> None:
super().__init__(app)
self._settings = settings
async def dispatch(self, request: Request, call_next: RequestResponseEndpoint) -> Response:
response = await call_next(request)
response.headers.setdefault("X-Content-Type-Options", "nosniff")
response.headers.setdefault("X-Frame-Options", "SAMEORIGIN")
response.headers.setdefault("Referrer-Policy", "strict-origin-when-cross-origin")
forwarded_proto = request.headers.get("x-forwarded-proto", request.url.scheme)
is_https = forwarded_proto == "https" or request.url.scheme == "https"
if is_https or self._settings.is_production:
hsts = f"max-age={self._settings.security_hsts_seconds}"
if self._settings.is_production:
hsts += "; includeSubDomains"
response.headers.setdefault("Strict-Transport-Security", hsts)
return response