20250319a
staticshield session proxy
Running it locally
Create a file (e.g., called run.sh) with the following:
#!/bin/bash
# Local development launcher for staticshield.
# `flask run` starts Flask's built-in development server, which is meant for
# local use only; the deployment section of this page runs the app under
# gunicorn behind nginx instead.

# Presumably the directory holding the built static site to serve - confirm.
FLASK_SERVE_DIR="/home/YOURUSER/workspace/somesite/build/html"
# URL of the "mothership" API the proxy talks to. Plain http is acceptable
# here only because the endpoint is on localhost; use https for any endpoint
# that is reached over a network.
FLASK_MOTHERSHIP="http://localhost:8888/api/staticshield"
# Optional path to 403.html, 404.html to show on those errors; leave empty to use default messages
FLASK_ERROR_PAGES_DIR=""
#FLASK_ERROR_PAGES_DIR="/home/YOURUSER/workspace/errorpages/"
# Name of the session cookie sent to the browser.
FLASK_SESSION_COOKIE_NAME="staticshield"
# Session lifetime in seconds (7200 = 2 hours).
FLASK_PERMANENT_SESSION_LIFETIME=7200

# Export everything in one place so the flask process inherits it.
export FLASK_SERVE_DIR FLASK_MOTHERSHIP FLASK_ERROR_PAGES_DIR
export FLASK_SESSION_COOKIE_NAME FLASK_PERMANENT_SESSION_LIFETIME

flask --app staticshield run
ruff check and fix
# Check only the import-sorting rules (rule set "I") and apply the fixes in place.
ruff check --fix --select I .
Deploying
Create a virtualenv with Flask and gunicorn to run it:
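# Example, create wherever you like
# -p also creates /srv/venvs when it is missing and does not fail on a re-run.
mkdir -p /srv/venvs/staticshield
cd /srv/venvs/staticshield
python3 -m venv .
source bin/activate
# Optional if you don't have uv installed globally yet (you should ;) )
pip install uv
# requirements.in is looked up relative to the current directory, so it has to
# be reachable from here (copy it in, or pass the path to the project checkout).
# NOTE(review): a .in file typically lists unpinned top-level packages, so two
# installs can resolve to different versions. For a server deployment consider
# installing from a pinned, hashed lock file instead:
#   uv pip compile --generate-hashes requirements.in -o requirements.txt
#   uv pip install --require-hashes -r requirements.txt
uv pip install -r requirements.in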
Create a /etc/systemd/system/staticshield.service file to run the application:
# systemd unit that runs the staticshield Flask application under gunicorn.
[Unit]
Description=staticshield web application
After=network.target
[Service]
# Account the service runs as.
# NOTE(review): this should be a dedicated unprivileged account that can read
# FLASK_SERVE_DIR but cannot write to it, to the code or to the virtualenv - confirm.
User=divault
WorkingDirectory=/srv/staticshield
#StandardOutput=file:/srv/logs/staticshield.log
# Environment= values live in the unit file and are shown by `systemctl show`,
# so do not put secrets here. If the app needs one from the environment
# (for example a Flask SECRET_KEY - confirm how the app obtains it), load it
# through EnvironmentFile= from a file only root can read.
Environment=FLASK_SERVE_DIR="/srv/some_static_website/html"
# https, unlike the local example: this request leaves the host.
Environment=FLASK_MOTHERSHIP="https://api.example.com/api/staticshield"
# Optional path to 403.html, 404.html to show on those errors; leave empty to use default messages
Environment=FLASK_ERROR_PAGES_DIR=""
#Environment=FLASK_ERROR_PAGES_DIR="/srv/shared/errorpages/"
Environment=FLASK_SESSION_COOKIE_NAME="staticshield"
# NOTE(review): no cookie flags are set. If the app loads FLASK_-prefixed
# variables into the Flask config (the names above suggest it - confirm),
# FLASK_SESSION_COOKIE_SECURE=true and FLASK_SESSION_COOKIE_SAMESITE=Lax can be
# added the same way once the site is only reachable over HTTPS.
# Max session length of 2h
Environment=FLASK_PERMANENT_SESSION_LIFETIME=7200
# gunicorn listens on loopback only, so clients must come through the local
# nginx; -w 4 starts four worker processes.
# The binary path has to be the gunicorn inside the virtualenv built for the
# app; the example commands on this page create it under /srv/venvs/staticshield,
# so align the two paths.
ExecStart=/application/venvs/staticshield/bin/gunicorn -b localhost:8000 -w 4 staticshield:app
# Unix-socket alternative: -m 007 is the umask, leaving the socket accessible to
# owner and group but not to others, so the nginx user must share the group.
# The relative socket path resolves against WorkingDirectory; the proxy_pass
# path in nginx has to name that same file.
#ExecStart=/application/venvs/staticshield/bin/gunicorn -b unix:staticshield.sock -m 007 -w 4 staticshield:app
Restart=always
# Optional sandboxing to consider (not in the original unit; test before relying
# on it, the socket variant needs a writable path):
#   NoNewPrivileges=true
#   PrivateTmp=true
#   ProtectSystem=strict
#   ProtectHome=true
[Install]
WantedBy=multi-user.target
# Register the unit to start at boot, then start it now (both need root).
# Afterwards `systemctl status staticshield.service` shows whether gunicorn came
# up, and `ss -ltnp` confirms it listens on loopback only.
systemctl enable staticshield.service
systemctl start staticshield.service
nginx configuration for the web server in front of gunicorn:
# Reverse proxy in front of the staticshield gunicorn process.
server {
# NOTE(review): only plain HTTP on port 80 is configured. Unless TLS is
# terminated in front of this server (the commented HAProxy lines below suggest
# a load balancer - confirm), the session cookie and the protected pages travel
# in cleartext; add a 443 listener with a certificate or terminate TLS upstream.
listen 80;
listen [::]:80;
server_name docs.example.com;
# Optimisations
gzip on;
gzip_disable "MSIE [1-6]\.(?!.*SV1)";
gzip_http_version 1.1;
gzip_vary on;
gzip_comp_level 6;
gzip_proxied any;
gzip_buffers 16 8k;
gzip_min_length 256;
gzip_types
application/atom+xml
application/geo+json
application/javascript
application/x-javascript
application/json
application/ld+json
application/manifest+json
application/rdf+xml
application/rss+xml
application/xhtml+xml
application/xml
font/eot
font/otf
font/ttf
image/svg+xml
text/css
text/javascript
text/plain
text/xml;
# Do not show nginx version
server_tokens off;
# When enabling these, list only the address of the trusted proxy: nginx then
# takes the client IP from X-Forwarded-For for requests coming from that
# address, and a wider range would let clients choose the IP that gets logged.
# set_real_ip_from 192.168.1.254; # IP Address of HAProxy
# real_ip_header X-Forwarded-For;
access_log /var/log/nginx/access_docs.example.com.log;
error_log /var/log/nginx/error_docs.example.com.log warn;
# Show server host name as header
# add_header X-Backend-Server $hostname;
location / {
# OPTIONS requests are answered by nginx with an empty 200 and never reach
# staticshield; no CORS headers are added here.
if ($request_method = OPTIONS ) {
add_header Content-Length 0;
add_header Content-Type text/plain;
return 200;
}
# proxy_params is a distribution-provided snippet; on Debian/Ubuntu it typically
# sets Host, X-Real-IP, X-Forwarded-For and X-Forwarded-Proto - check the local file.
include proxy_params;
# If the socket variant is used, this path must be the socket gunicorn actually
# creates (in the unit file on this page it is relative to
# WorkingDirectory=/srv/staticshield).
# proxy_pass http://unix:/application/staticshield/staticshield.sock;
# Everything else goes to gunicorn on loopback, matching -b localhost:8000.
proxy_pass http://127.0.0.1:8000;
}
# The locations below are served by nginx itself and bypass staticshield, so
# they are reachable without a session; keep only non-sensitive files there.
# Optional, when using the FLASK_ERROR_PAGES_DIR
# location /404images/ {
# alias /srv/shared/errorpages/;
# }
# NOTE(review): these are prefix matches; `location = /favicon.ico` and
# `location = /robots.txt` would restrict each alias to exactly that URI.
location /favicon.ico {
alias /srv/whatever/_static/favicon.ico;
}
location /robots.txt {
alias /srv/whatever/robots_disallow_all.txt;
}
}