🔒️(helm) allow server host and whitelist pod IP for health checks

Updated Django's ALLOWED_HOSTS setting from '*' to the specific host of the server. Setting ALLOWED_HOSTS to '*' is a security risk as it allows any host to access the application, potentially exposing it to malicious attacks. Restricting ALLOWED_HOSTS to the server's host ensures only legitimate requests are processed. In a Kubernetes environment, we also needed to whitelist the pod's IP address to allow health checks to pass. This ensures that Kubernetes liveness and readiness probes can access the application to verify its health.
2024-08-05 16:58:11 +02:00
parent aef85bb1ab
commit d965ee7060
6 changed files with 10 additions and 5 deletions
--- a/bin/update-openapi-schema
+++ b/bin/update-openapi-schema
--- a/src/backend/meet/settings.py
+++ b/src/backend/meet/settings.py
@@ -12,6 +12,7 @@ https://docs.djangoproject.com/en/3.1/ref/settings/

 import json
 import os
+from socket import gethostbyname, gethostname

 from django.utils.translation import gettext_lazy as _

@@ -514,7 +515,11 @@ class Production(Base):
    """

    # Security
-    ALLOWED_HOSTS = values.ListValue(None)
+    ALLOWED_HOSTS = [
+        *values.ListValue([], environ_name="ALLOWED_HOSTS"),
+        gethostbyname(gethostname()),
+    ]
+
    CSRF_TRUSTED_ORIGINS = values.ListValue([])
    SECURE_BROWSER_XSS_FILTER = True
    SECURE_CONTENT_TYPE_NOSNIFF = True
--- a/src/helm/env.d/dev/values.meet.yaml.gotmpl
+++ b/src/helm/env.d/dev/values.meet.yaml.gotmpl
@@ -8,7 +8,7 @@ backend:
  envVars:
    DJANGO_CSRF_TRUSTED_ORIGINS: https://meet.127.0.0.1.nip.io,http://meet.127.0.0.1.nip.io
    DJANGO_CONFIGURATION: Production
-    DJANGO_ALLOWED_HOSTS: "*"
+    DJANGO_ALLOWED_HOSTS: meet.127.0.0.1.nip.io
    DJANGO_SECRET_KEY: {{ .Values.djangoSecretKey }}
    DJANGO_SETTINGS_MODULE: meet.settings
    DJANGO_SILENCED_SYSTEM_CHECKS: security.W004, security.W008
--- a/src/helm/env.d/preprod/values.meet.yaml.gotmpl
+++ b/src/helm/env.d/preprod/values.meet.yaml.gotmpl
@@ -10,7 +10,7 @@ backend:
  envVars:
    DJANGO_CSRF_TRUSTED_ORIGINS: http://meet-preprod.beta.numerique.gouv.fr,https://meet-preprod.beta.numerique.gouv.fr
    DJANGO_CONFIGURATION: Production
-    DJANGO_ALLOWED_HOSTS: "*"
+    DJANGO_ALLOWED_HOSTS: meet-preprod.beta.numerique.gouv.fr
    DJANGO_SUPERUSER_EMAIL:
      secretKeyRef:
        name: backend
--- a/src/helm/env.d/production/values.meet.yaml.gotmpl
+++ b/src/helm/env.d/production/values.meet.yaml.gotmpl
@@ -10,7 +10,7 @@ backend:
  envVars:
    DJANGO_CSRF_TRUSTED_ORIGINS: https://meet.numerique.gouv.fr
    DJANGO_CONFIGURATION: Production
-    DJANGO_ALLOWED_HOSTS: "*"
+    DJANGO_ALLOWED_HOSTS: meet.numerique.gouv.fr
    DJANGO_SECRET_KEY:
      secretKeyRef:
        name: backend
--- a/src/helm/env.d/staging/values.meet.yaml.gotmpl
+++ b/src/helm/env.d/staging/values.meet.yaml.gotmpl
@@ -10,7 +10,7 @@ backend:
  envVars:
    DJANGO_CSRF_TRUSTED_ORIGINS: http://meet-staging.beta.numerique.gouv.fr,https://meet-staging.beta.numerique.gouv.fr
    DJANGO_CONFIGURATION: Production
-    DJANGO_ALLOWED_HOSTS: "*"
+    DJANGO_ALLOWED_HOSTS: meet-staging.beta.numerique.gouv.fr
    DJANGO_SECRET_KEY:
      secretKeyRef:
        name: backend