From ec496e5ebd132f0663d85b736b83ccd4ab83d733 Mon Sep 17 00:00:00 2001
From: lebaudantoine
Date: Mon, 5 Aug 2024 16:58:11 +0200
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=EF=B8=8F(helm)=20allow=20server=20?= =?UTF-8?q?host=20and=20whitelist=20pod=20IP=20for=20health=20checks?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Updated Django's ALLOWED_HOSTS setting from '*' to the specific host of the server. Setting ALLOWED_HOSTS to '*' is a security risk as it allows any host to access the application, potentially exposing it to malicious attacks. Restricting ALLOWED_HOSTS to the server's host ensures only legitimate requests are processed. In a Kubernetes environment, we also needed to whitelist the pod's IP address to allow health checks to pass. This ensures that Kubernetes liveness and readiness probes can access the application to verify its health.
---
 bin/{update_openapi_schema => update-openapi-schema} | 0
 src/backend/meet/settings.py | 7 ++++++-
 src/helm/env.d/dev/values.meet.yaml.gotmpl | 2 +-
 src/helm/env.d/preprod/values.meet.yaml.gotmpl | 2 +-
 src/helm/env.d/production/values.meet.yaml.gotmpl | 2 +-
 src/helm/env.d/staging/values.meet.yaml.gotmpl | 2 +-
 6 files changed, 10 insertions(+), 5 deletions(-)
 rename bin/{update_openapi_schema => update-openapi-schema} (100%)
diff --git a/bin/update_openapi_schema b/bin/update-openapi-schema
similarity index 100%
rename from bin/update_openapi_schema
rename to bin/update-openapi-schema
diff --git a/src/backend/meet/settings.py b/src/backend/meet/settings.py
index d34b0316..6126be5e 100755
--- a/src/backend/meet/settings.py
+++ b/src/backend/meet/settings.py
@@ -12,6 +12,7 @@
 import json
 import os
+from socket import gethostbyname, gethostname
 from django.utils.translation import gettext_lazy as _
@@ -509,7 +510,11 @@ class Production(Base):
     """
     # Security
-    ALLOWED_HOSTS = values.ListValue(None)
+    ALLOWED_HOSTS = [
+        *values.ListValue([], environ_name="ALLOWED_HOSTS"),
+        gethostbyname(gethostname()),
+    ]
+
     CSRF_TRUSTED_ORIGINS = values.ListValue([])
     SECURE_BROWSER_XSS_FILTER = True
     SECURE_CONTENT_TYPE_NOSNIFF = True
diff --git a/src/helm/env.d/dev/values.meet.yaml.gotmpl b/src/helm/env.d/dev/values.meet.yaml.gotmpl
index c3ad5f99..e1f735eb 100644
--- a/src/helm/env.d/dev/values.meet.yaml.gotmpl
+++ b/src/helm/env.d/dev/values.meet.yaml.gotmpl
@@ -8,7 +8,7 @@ backend:
   envVars:
     DJANGO_CSRF_TRUSTED_ORIGINS: https://meet.127.0.0.1.nip.io,http://meet.127.0.0.1.nip.io
     DJANGO_CONFIGURATION: Production
-    DJANGO_ALLOWED_HOSTS: "*"
+    DJANGO_ALLOWED_HOSTS: meet.127.0.0.1.nip.io
     DJANGO_SECRET_KEY: {{ .Values.djangoSecretKey }}
     DJANGO_SETTINGS_MODULE: meet.settings
     DJANGO_SILENCED_SYSTEM_CHECKS: security.W004, security.W008
diff --git a/src/helm/env.d/preprod/values.meet.yaml.gotmpl b/src/helm/env.d/preprod/values.meet.yaml.gotmpl
index 9e3732db..283f455d 100644
--- a/src/helm/env.d/preprod/values.meet.yaml.gotmpl
+++ b/src/helm/env.d/preprod/values.meet.yaml.gotmpl
@@ -10,7 +10,7 @@ backend:
   envVars:
     DJANGO_CSRF_TRUSTED_ORIGINS: http://meet-preprod.beta.numerique.gouv.fr,https://meet-preprod.beta.numerique.gouv.fr
     DJANGO_CONFIGURATION: Production
-    DJANGO_ALLOWED_HOSTS: "*"
+    DJANGO_ALLOWED_HOSTS: meet-preprod.beta.numerique.gouv.fr
     DJANGO_SUPERUSER_EMAIL:
       secretKeyRef:
         name: backend
diff --git a/src/helm/env.d/production/values.meet.yaml.gotmpl b/src/helm/env.d/production/values.meet.yaml.gotmpl
index 6fa89687..ff654d25 100644
--- a/src/helm/env.d/production/values.meet.yaml.gotmpl
+++ b/src/helm/env.d/production/values.meet.yaml.gotmpl
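Review bot: `gethostbyname(gethostname())` in the new ALLOWED_HOSTS list runs at settings import time with no error handling, so any environment whose hostname does not resolve (a minimal container image, CI, a developer shell) makes Django fail to start with `socket.gaierror` instead of merely lacking the probe entry. It also yields a single IPv4 address; if the cluster is IPv6-only or dual-stack and probes use the pod's IPv6 address, that entry would not cover them. Wrapping the lookup so a failed resolution degrades to only the configured hosts preserves the intent (no wildcard) without turning a resolver hiccup into a crash, and an option that avoids the lookup altogether is setting the probe's `httpGet.httpHeaders` Host to the configured hostname. The `values.ListValue([], environ_name="ALLOWED_HOSTS")` inside a list literal depends on django-configurations resolving the value eagerly when `environ_name` is given — that deserves a one-line comment, since a bare `ListValue` nested in a list would never be set up by the configuration class. `class Production(Base)` begins and ends outside the hunk.
```python
    # Security
    # Kubernetes probes address the pod by its IP, so it is appended to the
    # explicitly configured hosts. Resolution may fail outside a cluster; in
    # that case only the configured hosts remain allowed (never a wildcard).
    try:
        _pod_ip = [gethostbyname(gethostname())]
    except OSError:  # socket.gaierror / socket.herror are OSError subclasses
        _pod_ip = []
    ALLOWED_HOSTS = [
        # resolved eagerly because environ_name is passed; a bare ListValue here would not be set up
        *values.ListValue([], environ_name="ALLOWED_HOSTS"),
        *_pod_ip,
    ]
    # … unchanged: CSRF_TRUSTED_ORIGINS and SECURE_* settings …
```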
@@ -10,7 +10,7 @@ backend:
   envVars:
     DJANGO_CSRF_TRUSTED_ORIGINS: https://meet.numerique.gouv.fr
     DJANGO_CONFIGURATION: Production
-    DJANGO_ALLOWED_HOSTS: "*"
+    DJANGO_ALLOWED_HOSTS: meet.numerique.gouv.fr
     DJANGO_SECRET_KEY:
       secretKeyRef:
         name: backend
diff --git a/src/helm/env.d/staging/values.meet.yaml.gotmpl b/src/helm/env.d/staging/values.meet.yaml.gotmpl
index a7f53102..c1c05477 100644
--- a/src/helm/env.d/staging/values.meet.yaml.gotmpl
+++ b/src/helm/env.d/staging/values.meet.yaml.gotmpl
@@ -10,7 +10,7 @@ backend:
   envVars:
     DJANGO_CSRF_TRUSTED_ORIGINS: http://meet-staging.beta.numerique.gouv.fr,https://meet-staging.beta.numerique.gouv.fr
     DJANGO_CONFIGURATION: Production
-    DJANGO_ALLOWED_HOSTS: "*"
+    DJANGO_ALLOWED_HOSTS: meet-staging.beta.numerique.gouv.fr
     DJANGO_SECRET_KEY:
       secretKeyRef:
         name: backend