
Verify Weblate's SSL configuration

Originally created by @zen on #17339 (Redmine)

The Weblate config file has some SSL-related configurations that come from Django, and while upgrading we decided we had to double check these configs. I suggest we leave comments in file to make it easier to merge the diff when there’s an upgrade.

Configurations to check:

  • SECURE_PROXY_SSL_HEADER
  • ENABLE_HTTPS
  • SECURE_SSL_REDIRECT
  • SESSION_COOKIE_SECURE
  • CSRF_COOKIE_SECURE
  • SECURE_HSTS_SECONDS
  • SECURE_HSTS_INCLUDE_SUBDOMAINS
  • SECURE_HSTS_PRELOAD

SECURE_PROXY_SSL_HEADER

  • Doc (too long to copy here).
  • Current value: None (default, not set)

Facts:

This means that:

  • All requests that reach Weblate are http but have the X-Forwarded-Proto: https header set.
  • Weblate currently thinks all requests are not secure, because by default it'll look at the http[s]:// part of the URL to decide that.

Conclusion is that we need to set the following in our config:

SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
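To see what this setting changes, here is an added example (written for this issue, not Django's or Weblate's code) that re-implements the scheme decision Django's HttpRequest makes, so it runs without Django installed. It feeds the same proxied request through both the current (unset) and the proposed value of SECURE_PROXY_SSL_HEADER; the sample environ is constructed to match what the proxy forwards to Weblate.

```python
"""Model of how Django decides whether a request is secure behind a
TLS-terminating proxy. Re-implemented here for illustration; it is not
Django's own code, only the decision it documents."""

from typing import Dict, Optional, Tuple


def request_scheme(meta: Dict[str, str],
                   secure_proxy_ssl_header: Optional[Tuple[str, str]]) -> str:
    """Return 'https' or 'http' for a WSGI-environ-style dict `meta`.

    With SECURE_PROXY_SSL_HEADER unset only wsgi.url_scheme counts, so a
    request that reaches the app over plain HTTP is 'http' no matter what
    the proxy says. With the setting configured, the named header decides;
    only the first value is used in case several proxies appended to it.
    """
    if secure_proxy_ssl_header:
        header, secure_value = secure_proxy_ssl_header
        header_value = meta.get(header)
        if header_value is not None:
            first, *_ = header_value.split(",", 1)
            return "https" if first.strip() == secure_value else "http"
    return meta.get("wsgi.url_scheme", "http")


def is_secure(meta: Dict[str, str],
              secure_proxy_ssl_header: Optional[Tuple[str, str]]) -> bool:
    """Equivalent of request.is_secure() under the given setting."""
    return request_scheme(meta, secure_proxy_ssl_header) == "https"


# Constructed sample environ: what the TLS-terminating proxy hands to Weblate.
PROXIED_REQUEST = {
    "wsgi.url_scheme": "http",           # proxy -> app hop is plain HTTP
    "HTTP_X_FORWARDED_PROTO": "https",   # proxy reports the client used HTTPS
    "PATH_INFO": "/accounts/login/",
}

CURRENT_SETTING = None                                   # Django default
PROPOSED_SETTING = ("HTTP_X_FORWARDED_PROTO", "https")   # value from this issue


def demo() -> Dict[str, bool]:
    """is_secure() for the same request under both configurations."""
    return {
        "current": is_secure(PROXIED_REQUEST, CURRENT_SETTING),
        "proposed": is_secure(PROXIED_REQUEST, PROPOSED_SETTING),
    }


if __name__ == "__main__":
    for name, secure in demo().items():
        print(f"{name:8s} config: request.is_secure() -> {secure}")
```

Note that the application cannot distinguish a header set by the proxy from one a client sent directly, which is why Django's documentation requires the proxy to overwrite X-Forwarded-Proto on every request before this setting is enabled; the value above is only correct if the proxy in front of Weblate does that.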

ENABLE_HTTPS

  • Doc: Whether to send links to Weblate as https or http. This setting affects sent mails and generated absolute URLs.
  • Current value: False

Conclusion is that we need to set the following in our config:

ENABLE_HTTPS = True

SECURE_SSL_REDIRECT

  • Doc: If True, the SecurityMiddleware redirects all non-HTTPS requests to HTTPS (except for those URLs matching a regular expression listed in SECURE_REDIRECT_EXEMPT).
  • Current value: ENABLE_HTTPS, which is currently set to False.

Conclusion is that we have to explicitly set this to False, as we'll be changing ENABLE_HTTPS to True (see above):

SECURE_SSL_REDIRECT = False

SESSION_COOKIE_SECURE

  • Doc: Whether to use a secure cookie for the session cookie. If this is set to True, the cookie will be marked as “secure”, which means browsers may ensure that the cookie is only sent under an HTTPS connection.
  • Current value: True

Conclusion is that it's good as it is right now.

CSRF_COOKIE_SECURE

  • Doc: Whether to use a secure cookie for the CSRF cookie. If this is set to True, the cookie will be marked as “secure”, which means browsers may ensure that the cookie is only sent with an HTTPS connection.
  • Current value: ENABLE_HTTPS, which is currently False.

Conclusion is that it's fine as is because we'll change ENABLE_HTTPS to True, but it probably makes sense to explicitly mark it as True:

CSRF_COOKIE_SECURE = True

SECURE_HSTS_*

Current values:

  • SECURE_HSTS_SECONDS = 0
  • SECURE_HSTS_PRELOAD = False
  • SECURE_HSTS_INCLUDE_SUBDOMAINS = False

My understanding is that all HTTPS related config should be made on the proxy, so these values are OK as is in the proxied Weblate/Django context.
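As an added check (written for this issue, not Weblate's own tooling), the following encodes the conclusions above as a small audit over the settings and runs it against the current values, against a naive change that only flips ENABLE_HTTPS, and against the proposed values. The two derived settings (SECURE_SSL_REDIRECT and CSRF_COOKIE_SECURE default to ENABLE_HTTPS, as noted above) are resolved the way the issue describes them, which is what makes the naive change trip the redirect check.

```python
"""Audit of the HTTPS-related Django settings reviewed in this issue.
Added example; the defaults and derivations below are taken from the issue
text, not read from Weblate's settings module."""

from typing import Any, Dict, List

# Settings the issue reports as "Current value: ENABLE_HTTPS" when not set
# explicitly, i.e. they follow ENABLE_HTTPS unless overridden.
DERIVED_FROM_ENABLE_HTTPS = ("SECURE_SSL_REDIRECT", "CSRF_COOKIE_SECURE")


def resolve(explicit: Dict[str, Any]) -> Dict[str, Any]:
    """Fill in defaults and derived values so the audit sees what Weblate
    would actually run with, given only the explicitly set keys."""
    settings = {
        "SECURE_PROXY_SSL_HEADER": None,   # Django default, per the issue
        "ENABLE_HTTPS": False,             # current value, per the issue
    }
    settings.update(explicit)
    for name in DERIVED_FROM_ENABLE_HTTPS:
        settings.setdefault(name, settings["ENABLE_HTTPS"])
    return settings


def audit_https_settings(s: Dict[str, Any]) -> List[str]:
    """Return findings; an empty list means the values match the conclusions
    above for a Weblate that sits behind a TLS-terminating proxy."""
    findings = []
    if not s.get("SECURE_PROXY_SSL_HEADER"):
        findings.append("SECURE_PROXY_SSL_HEADER unset: proxied requests "
                        "are treated as plain HTTP")
    if not s.get("ENABLE_HTTPS"):
        findings.append("ENABLE_HTTPS is False: mails and absolute URLs "
                        "will use http://")
    if s.get("SECURE_SSL_REDIRECT"):
        findings.append("SECURE_SSL_REDIRECT is True: the proxy handles the "
                        "redirect here, set it to False explicitly")
    for name in ("SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE"):
        if s.get(name) is not True:
            findings.append(f"{name} is {s.get(name)!r}: cookie may be "
                            "sent over plain HTTP")
    return findings


# The three configurations compared (values from the issue, not from a file).
CURRENT_EXPLICIT = {"SESSION_COOKIE_SECURE": True}
NAIVE_EXPLICIT = {"SESSION_COOKIE_SECURE": True, "ENABLE_HTTPS": True,
                  "SECURE_PROXY_SSL_HEADER": ("HTTP_X_FORWARDED_PROTO", "https")}
PROPOSED_EXPLICIT = {**NAIVE_EXPLICIT,
                     "SECURE_SSL_REDIRECT": False, "CSRF_COOKIE_SECURE": True}


def compare() -> Dict[str, List[str]]:
    """Findings for each configuration, keyed by its name."""
    return {
        "current": audit_https_settings(resolve(CURRENT_EXPLICIT)),
        "naive": audit_https_settings(resolve(NAIVE_EXPLICIT)),
        "proposed": audit_https_settings(resolve(PROPOSED_EXPLICIT)),
    }


if __name__ == "__main__":
    for name, findings in compare().items():
        print(f"{name}: {len(findings)} finding(s)")
        for line in findings:
            print("  -", line)
```

The HSTS settings are deliberately left out of the audit, since the conclusion above is that they belong on the proxy rather than in the proxied Weblate/Django configuration.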

Edited by Zen Fu