Diffstat (limited to 'rpki')
-rw-r--r-- | rpki/django_settings.py | 17 | ||||
-rw-r--r-- | rpki/gui/decorators.py | 15 |
2 files changed, 23 insertions, 9 deletions
diff --git a/rpki/django_settings.py b/rpki/django_settings.py
index eb3a184b..d3cadcfc 100644
--- a/rpki/django_settings.py
+++ b/rpki/django_settings.py
@@ -37,15 +37,20 @@ cfg = rpki.config.parser()
 # Do -not- turn on DEBUG here except for short-lived tests, otherwise
 # long-running programs like irdbd will eventually run out of memory
-# and crash.
+# and crash. This is also why this is controlled by an environment
+# variable rather than by an rpki.conf setting: just because we want
+# debugging enabled in the GUI doesn't mean we want it in irdb.
 #
-# If you must enable debugging, use django.db.reset_queries() to
-# clear the query list manually, but it's probably better just to
-# run with debugging disabled, since that's the expectation for
-# production code.
+# If you must enable debugging, you may need to add code that uses
+# django.db.reset_queries() to clear the query list manually, but it's
+# probably better just to run with debugging disabled, since that's
+# the expectation for production code.
 #
 # https://docs.djangoproject.com/en/dev/faq/models/#why-is-django-leaking-memory
+if os.getenv("RPKI_DJANGO_DEBUG") == "yes":
+ DEBUG = True
+
 # Database configuration. This is always enabled, and uses a database
 # "router" to handle multiple databases. We may want to add yet
@@ -171,6 +176,8 @@ if os.getenv("RPKI_GUI_ENABLE") == "yes":
 def get_allowed_hosts():
 allowed_hosts = set(cfg.multiget("allowed-hosts", section = "web_portal"))
 allowed_hosts.add(socket.getfqdn())
+ allowed_hosts.add("127.0.0.1")
+ allowed_hosts.add("::1")
 try:
 import netifaces
 for interface in netifaces.interfaces():
diff --git a/rpki/gui/decorators.py b/rpki/gui/decorators.py
index 69d20c46..75efeae0 100644
--- a/rpki/gui/decorators.py
+++ b/rpki/gui/decorators.py
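Review bot: The comment above the new `RPKI_DJANGO_DEBUG` check explains only the memory growth, but `DEBUG = True` also makes Django answer errors with its detailed debug pages (tracebacks, local variables, parts of the settings), which matters for the web GUI this switch is aimed at. I would add a line next to the check such as `# DEBUG also enables Django's detailed error pages; never set RPKI_DJANGO_DEBUG on a GUI reachable by untrusted clients.` The check only ever sets DEBUG to True; whether the file assigns a default elsewhere is not visible in this hunk.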
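Review bot: The added `allowed_hosts.add("::1")` probably never matches anything: as far as I know Django compares an IPv6 literal from the Host header in its bracketed form, so the entry should read `allowed_hosts.add("[::1]")`. Both loopback entries are also added unconditionally, so every deployment will accept `Host: 127.0.0.1`; a one-line comment stating why loopback is needed would make that a visible decision rather than a side effect. get_allowed_hosts() continues past the end of the hunk, so the netifaces handling is not covered here.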
@@ -15,15 +15,22 @@ __version__ = '$Id$'
 from django import http
+from os import getenv
-def tls_required(f):
- """Decorator which returns a 500 error if the connection is not secured
- with TLS (https).
+# Don't set this in production, ever. Really. You have been warned.
+#
+_allow_plain_http_for_testing = getenv("ALLOW_PLAIN_HTTP_FOR_TESTING") == "I solemnly swear that I am not running this in production"
+
+def tls_required(f):
+ """
+ Decorator which returns a 500 error if the connection is not
+ secured with TLS (https).
 """
+
 def _tls_required(request, *args, **kwargs):
- if not request.is_secure():
+ if not request.is_secure() and not _allow_plain_http_for_testing:
 return http.HttpResponseServerError(
 'This resource may only be accessed securely via https',
 content_type='text/plain') |
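Review bot: When `ALLOW_PLAIN_HTTP_FOR_TESTING` holds the magic string, `tls_required` stops enforcing https for every decorated view and nothing records that, so a host that inherited the variable by mistake would look normal in its logs. I would log once at import, e.g. `if _allow_plain_http_for_testing: logging.getLogger(__name__).warning("tls_required disabled by ALLOW_PLAIN_HTTP_FOR_TESTING")` (this needs `import logging`). The flag is read a single time at module import, which is worth stating in the comment above it, since changing the environment afterwards has no effect. The body of `_tls_required` and the remainder of `tls_required` continue outside the hunk.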