Remove HOST_* variables, use *_ADDRESS everywhere instead. Please note that those should only contain a FQDN (no port number). Derive a different key for admin/SECRET_KEY; this will invalidate existing sessions