Fix access to Khoj admin panel from non HTTPS custom domains

To access the Khoj admin panel from a non HTTPS custom domain the
`KHOJ_NO_SSL' and `KHOJ_DOMAIN' env vars need to be explictly set.

See the updated setup docs for details.

Resolves #662

documentation/docs/get-started/setup.mdx

@@ -189,10 +189,12 @@ Note: To start Khoj automatically in the background use [Task scheduler](https:/
 
 ### Setup Notes
 
-Optionally, you can use Khoj with a custom domain as well. To do so, you need to set the `KHOJ_DOMAIN` environment variable to your domain (e.g., `export KHOJ_DOMAIN=my-khoj-domain.com` or add it to your `docker-compose.yml`). By default, the Khoj server you set up will not be accessible outside of `localhost` or `127.0.0.1`.
+You can use Khoj with a custom domain as well. To do so, you need to set the `KHOJ_DOMAIN` environment variable to your domain (e.g., `export KHOJ_DOMAIN=my-khoj-domain.com` or add it to your `docker-compose.yml`). By default, the Khoj server you set up will not be accessible outside of `localhost` or `127.0.0.1`.
 
-:::warning[Must use an SSL certificate]
-If you're using a custom domain, you must use an SSL certificate. You can use [Let's Encrypt](https://letsencrypt.org/) to get a free SSL certificate for your domain.
+:::warning[Without HTTPS certificate]
+To expose Khoj on a custom domain over the public internet, use of an SSL certificate is strongly recommended. You can use [Let's Encrypt](https://letsencrypt.org/) to get a free SSL certificate for your domain.
+
+To disable HTTPS, set the `KHOJ_NO_HTTPS` environment variable to `True`. This can be useful if Khoj is only accessible behind a secure, private network.
 :::
 
 ### 2. Configure

src/khoj/app/settings.py

@@ -13,7 +13,7 @@ https://docs.djangoproject.com/en/4.2/ref/settings/
 import os
 from pathlib import Path
 
-from khoj.utils.helpers import in_debug_mode
+from khoj.utils.helpers import in_debug_mode, is_env_var_true
 
 # Build paths inside the project like this: BASE_DIR / 'subdir'.
 BASE_DIR = Path(__file__).resolve().parent.parent
@@ -50,8 +50,8 @@ else:
     CSRF_COOKIE_DOMAIN = KHOJ_DOMAIN
     SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
 
-SESSION_COOKIE_SECURE = True
-CSRF_COOKIE_SECURE = True
+SESSION_COOKIE_SECURE = not is_env_var_true("KHOJ_NO_HTTPS")
+CSRF_COOKIE_SECURE = not is_env_var_true("KHOJ_NO_HTTPS")
 COOKIE_SAMESITE = "None"
 SESSION_COOKIE_SAMESITE = "None"
 

src/khoj/main.py

@@ -14,7 +14,7 @@ import threading
 import warnings
 from importlib.metadata import version
 
-from khoj.utils.helpers import in_debug_mode
+from khoj.utils.helpers import in_debug_mode, is_env_var_true
 
 # Ignore non-actionable warnings
 warnings.filterwarnings("ignore", message=r"snapshot_download.py has been made private", category=FutureWarning)
@@ -73,7 +73,8 @@ app.add_middleware(
         "http://localhost",  # To allow access from Obsidian Android app
         "http://localhost:*",
         "http://127.0.0.1:*",
-        f"https://{KHOJ_DOMAIN}",
+        f"https://{KHOJ_DOMAIN}" if not is_env_var_true("KHOJ_NO_HTTPS") else f"http://{KHOJ_DOMAIN}",
+        f"https://{KHOJ_DOMAIN}:*" if not is_env_var_true("KHOJ_NO_HTTPS") else f"http://{KHOJ_DOMAIN}:*",
         "app://khoj.dev",
     ],
     allow_credentials=True,