Remove Nginx-specific static and media serving, and serve media through Django using WhiteNoise and FileResponse.

photo21/settings.py

@@ -46,6 +46,9 @@ ADMINS = [tuple(a.split(":")) for a in config("ADMINS", default="", cast=Csv())
 SESSION_COOKIE_SECURE = not DEBUG
 CSRF_COOKIE_SECURE = not DEBUG
 
+# Trust Caddy's forwarded proto header
+SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+
 # Remember HTTPS for 1 year
 SECURE_HSTS_SECONDS = 31536000
 SECURE_HSTS_INCLUDE_SUBDOMAINS = True
@@ -77,6 +80,7 @@ if DEBUG:
 
 MIDDLEWARE = [
     "django.middleware.security.SecurityMiddleware",
+    "whitenoise.middleware.WhiteNoiseMiddleware",
     "django.contrib.sessions.middleware.SessionMiddleware",
     "django.middleware.common.CommonMiddleware",
     "django.middleware.csrf.CsrfViewMiddleware",
@@ -189,6 +193,18 @@ STATIC_ROOT = os.path.join(BASE_DIR, "static/")
 MEDIA_ROOT = os.path.join(BASE_DIR, "media")
 MEDIA_URL = "/media/"
 
+STORAGES = {
+    "default": {
+        "BACKEND": "django.core.files.storage.FileSystemStorage",
+    },
+    "staticfiles": {
+        "BACKEND": "photo21.storage.CompressedManifestStorage",
+    },
+}
+
+
+WHITENOISE_MANIFEST_STRICT = False
+
 LOCALE_PATHS = [os.path.join(BASE_DIR, "photo21/locale")]
 
 FIXTURE_DIRS = [os.path.join(BASE_DIR, "photo21/fixtures")]

photo21/storage.py

@@ -0,0 +1,12 @@
+from whitenoise.storage import CompressedManifestStaticFilesStorage
+
+
+class CompressedManifestStorage(CompressedManifestStaticFilesStorage):
+    """Like CompressedManifestStaticFilesStorage but silently skips missing
+    referenced files (e.g. source maps not included in the package)."""
+
+    def hashed_name(self, name, content=None, filename=None):
+        try:
+            return super().hashed_name(name, content, filename)
+        except ValueError:
+            return name

photo21/views.py

@@ -2,21 +2,29 @@
 # Copyright (C) 2021-2022  Amicale des élèves de l'ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
 
+import os
+
+from django.conf import settings
 from django.contrib.auth import get_user_model
 from django.contrib.auth.mixins import LoginRequiredMixin
-from django.http import HttpResponse
+from django.http import FileResponse, Http404
 from django.views.generic import ListView, View
 from photologue.models import Gallery
 
 
-
-class MediaAccess(LoginRequiredMixin, View):
+class MediaAccess(View):
     def get(self, request, path):
-        response = HttpResponse()
-        # Content-type will be detected by nginx
-        del response["Content-Type"]
-        response["X-Accel-Redirect"] = "/protected/media/" + path
-        response["Cache-Control"] = 'max-age=2678400'
+        if not request.user.is_authenticated and not request.session.get('public_gallery_access'):
+            from django.contrib.auth.views import redirect_to_login
+            return redirect_to_login(request.get_full_path())
+        media_root = os.path.realpath(settings.MEDIA_ROOT)
+        file_path = os.path.realpath(os.path.join(media_root, path))
+        if not file_path.startswith(media_root + os.sep):
+            raise Http404
+        if not os.path.isfile(file_path):
+            raise Http404
+        response = FileResponse(open(file_path, 'rb'))
+        response['Cache-Control'] = 'max-age=2678400'
         return response