🔒️(helm) allow server host and whitelist pod IP for health checks

Updated Django's ALLOWED_HOSTS setting from '*' to the specific host of the server. Setting ALLOWED_HOSTS to '*' is a security risk as it allows any host to access the application, potentially exposing it to malicious attacks. Restricting ALLOWED_HOSTS to the server's host ensures only legitimate requests are processed. In a Kubernetes environment, we also needed to whitelist the pod's IP address to allow health checks to pass. This ensures that Kubernetes liveness and readiness probes can access the application to verify its health.
numerique-gouv · Aug 5, 2024 · ec496e5 · ec496e5
1 parent 6948f92
commit ec496e5
Show file tree

Hide file tree

Showing 6 changed files with 10 additions and 5 deletions.
diff --git a/bin/update_openapi_schema → bin/update-openapi-schema b/bin/update_openapi_schema → bin/update-openapi-schema
diff --git a/src/backend/meet/settings.py b/src/backend/meet/settings.py
@@ -12,6 +12,7 @@
 
 import json
 import os
+from socket import gethostbyname, gethostname
 
 from django.utils.translation import gettext_lazy as _
 
@@ -509,7 +510,11 @@ class Production(Base):
     """
 
     # Security
-    ALLOWED_HOSTS = values.ListValue(None)
+    ALLOWED_HOSTS = [
+        *values.ListValue([], environ_name="ALLOWED_HOSTS"),
+        gethostbyname(gethostname()),
+    ]
+
     CSRF_TRUSTED_ORIGINS = values.ListValue([])
     SECURE_BROWSER_XSS_FILTER = True
     SECURE_CONTENT_TYPE_NOSNIFF = True

diff --git a/src/helm/env.d/dev/values.meet.yaml.gotmpl b/src/helm/env.d/dev/values.meet.yaml.gotmpl
@@ -8,7 +8,7 @@ backend:
   envVars:
     DJANGO_CSRF_TRUSTED_ORIGINS: https://meet.127.0.0.1.nip.io,http://meet.127.0.0.1.nip.io
     DJANGO_CONFIGURATION: Production
-    DJANGO_ALLOWED_HOSTS: "*"
+    DJANGO_ALLOWED_HOSTS: meet.127.0.0.1.nip.io
     DJANGO_SECRET_KEY: {{ .Values.djangoSecretKey }}
     DJANGO_SETTINGS_MODULE: meet.settings
     DJANGO_SILENCED_SYSTEM_CHECKS: security.W004, security.W008

diff --git a/src/helm/env.d/preprod/values.meet.yaml.gotmpl b/src/helm/env.d/preprod/values.meet.yaml.gotmpl
@@ -10,7 +10,7 @@ backend:
   envVars:
     DJANGO_CSRF_TRUSTED_ORIGINS: http://meet-preprod.beta.numerique.gouv.fr,https://meet-preprod.beta.numerique.gouv.fr
     DJANGO_CONFIGURATION: Production
-    DJANGO_ALLOWED_HOSTS: "*"
+    DJANGO_ALLOWED_HOSTS: meet-preprod.beta.numerique.gouv.fr
     DJANGO_SUPERUSER_EMAIL:
       secretKeyRef:
         name: backend

diff --git a/src/helm/env.d/production/values.meet.yaml.gotmpl b/src/helm/env.d/production/values.meet.yaml.gotmpl
@@ -10,7 +10,7 @@ backend:
   envVars:
     DJANGO_CSRF_TRUSTED_ORIGINS: https://meet.numerique.gouv.fr
     DJANGO_CONFIGURATION: Production
-    DJANGO_ALLOWED_HOSTS: "*"
+    DJANGO_ALLOWED_HOSTS: meet.numerique.gouv.fr
     DJANGO_SECRET_KEY:
       secretKeyRef:
         name: backend

diff --git a/src/helm/env.d/staging/values.meet.yaml.gotmpl b/src/helm/env.d/staging/values.meet.yaml.gotmpl
@@ -10,7 +10,7 @@ backend:
   envVars:
     DJANGO_CSRF_TRUSTED_ORIGINS: http://meet-staging.beta.numerique.gouv.fr,https://meet-staging.beta.numerique.gouv.fr
     DJANGO_CONFIGURATION: Production
-    DJANGO_ALLOWED_HOSTS: "*"
+    DJANGO_ALLOWED_HOSTS: meet-staging.beta.numerique.gouv.fr
     DJANGO_SECRET_KEY:
       secretKeyRef:
         name: backend