sdonk / django-admin-ip-restrictor Goto Github PK

HTTP_X_FORWARDED_FOR can contain a comma seperated list of IPs, and you only want to check one of them (which one may vary depending on if you use a CDN or not).

You can prepend your own IP using curl, e.g.

curl --header X-Forwarded-For '1.1.1.1,2.2.2.2,3.3.3.3 ..'

You get a resulting x-forwarded of: (edited)
1.1.1.1, 2.2.2.2, 3.3.3.3, {the client's real ip}, {cloudfront's ip}

So you need need a way of telling django-admin-restrictor the index of the IP you want from the end, I guess the sane default for this would be -1, but for the sites using cloudfront they will want -2.

Invest PIR has a solution to grab the second to last IP, which is hardcoded, along with unit tests in this PR
uktrade/invest-pir-api@5454251

I'm not sure how the setting would be spelt X_FORWARDED_INDEX ?

I believe we're seeing a bug related to the current open pull-request whereby requests to non-restricted IPs are throwing exceptions because they're private IPs. In the example below, our config is setup to just restrict access to ["admin"] yet, we're seeing exceptions related to the middleware

"GET /api/config HTTP/1.0" 500 27<socket.socket fd=6, family=AddressFamily.AF_INET, 
type=SocketKind.SOCK_STREAM, proto=0, laddr=('172.17.0.2', 8000), raddr=('172.17.0.3', 46444)>Traceback (most recent call last):
  File "/root/.local/share/virtualenvs/portal-lhpYkIEg/lib/python3.7/site-packages/django/core/handlers/exception.py", line 41, in inner
    response = get_response(request)
  File "/root/.local/share/virtualenvs/portal-lhpYkIEg/lib/python3.7/site-packages/django/core/handlers/base.py", line 178, in _get_response
    response = middleware_method(request, callback, callback_args, callback_kwargs)
  File "/root/.local/share/virtualenvs/portal-lhpYkIEg/lib/python3.7/site-packages/admin_ip_restrictor/middleware.py", line 81, in process_view
    ip = self.get_ip(request)
  File "/root/.local/share/virtualenvs/portal-lhpYkIEg/lib/python3.7/site-packages/admin_ip_restrictor/middleware.py", line 76, in get_ip
    assert is_routable, 'IP is private'
AssertionError: IP is private 

Blocking ips is fairly obvious, not so much with ip ranges.

It would be good to have a couple of example in the documentation showing this.

https://www.djangoproject.com/download/

• django 1.11
• django 2.0
• django 2.1
• django 3.0
• django 3.1

https://www.python.org/dev/peps/pep-0494/#id16

• python 3.5
• python 3.6

Then we should cut a major release once it's done

Which is causing my PR to fail :/