slugbucket / crossword-hints

Python Flask web application to aid decipherment of cryptic crossword clues for known setters
GNU General Public License v3.0

Block access to editable section #10

Closed slugbucket closed 5 years ago

slugbucket commented 5 years ago

The AWS documentation describes how to override the nginx (reverse proxy) configuration of an EB instance:

Use this guide to block access to the editable sections of the application until an authentication mechanism can be applied.

slugbucket commented 5 years ago

Track the changes under feat0005

$ git flow feature start feat0005

slugbucket commented 5 years ago

The update should consist of a set of deny rules to be applied to nginx through a file .ebextensions/nginx/conf.d/xword-hints-deny.conf with content like

location ~ /(crossword-solutions|crossword-setters|setter-types|solution-types) {
    deny all;
    return 404;
}

slugbucket commented 5 years ago

Local testing suggests that all we need to prevent is access to the new, edit and delete routes with nginx locations like

    location ~ /(crossword-solutions|crossword-setters|setter-types|solution-types)/[0-9]+/(edit|delete) {
       deny all;
       return 403;
    }
    location ~ /(crossword-solutions|crossword-setters|setter-types|solution-types)/new {
       deny all;
       return 403;
    }

where we need to allow for the item id to be found in the edit and delete actions.

slugbucket commented 5 years ago

Including the nginx deny rules has no effect on the availability of the new, edit and delete routes when the update is deployed to ElasticBeanstalk, so it appears that including location restrictions by means of .ebextensions doesn't work; perhaps we just need to overwrite the whole nginx.conf file with the location restrictions within. Just need to find a sample nginx.conf used by ElasticBeanstalk for Python applications.

slugbucket commented 5 years ago

Attempting to follow a suggestion at https://stackoverflow.com/questions/23709841/how-to-change-nginx-config-in-amazon-elastic-beanstalk-running-a-docker-instance with the following content:

files:
      "/etc/nginx/conf.d/000_xword_hints_deny.conf":
      content: |
        location ~ /(crossword-solutions|crossword-setters|setter-types|solution-types)/[0-9]+/(edit|delete) {
           deny all;
           return 403;
        }
        location ~ /(crossword-solutions|crossword-setters|setter-types|solution-types)/new {
           deny all;
           return 403;
        }

throws the following deployment error

Service:AmazonCloudFormation, Message:[/Resources/AWSEBAutoScalingGroup/Metadata/AWS::CloudFormation::Init/prebuild_0_crossword_hints/files//etc/nginx/conf.d/000_xword_hints_deny.conf] 'null' values are not allowed in templates

Maybe this means that the file needs to be specified as etc/nginx/conf.d/000_xword_hints_deny.conf?

slugbucket commented 5 years ago

Using a relative path gives the same error.

slugbucket commented 5 years ago

The null value errors were caused by bad YML indentation, but fixing it had no impact on blocking access to the restricted resources.

slugbucket commented 5 years ago

The instructions at https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/using-features.ec2connect.html describe how to access the instance over SSH so that I can check the default nginx configuration:

$ ssh -i ~/.ssh/private-key ec2-user@ec2-pub-ip-addr-ess.eu-west-1.compute.amazonaws.com

Checking the process list shows that the instance is actually running Apache httpd!

slugbucket commented 5 years ago

For an Apache httpd installation the following configuration in /etc/httpd/conf.d/xword-hints-deny.conf will do the trick

# Block the edit and delete actions, which carry a numeric item id in the path
<LocationMatch "/(crossword-solutions|crossword-setters|setter-types|solution-types)/[0-9]+/(edit|delete)">
  Require all denied
</LocationMatch>
# Block the create form for each resource
<LocationMatch "/(crossword-solutions|crossword-setters|setter-types|solution-types)/new">
  Require all denied
</LocationMatch>

We probably also ought to include a custom 403 error page showing the basic layout.
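An added check, not part of the crossword-hints repository, that replays the two rule sets discussed in this thread (the first broad nginx rule matching the resource prefix, and the final narrow rules matching only new, edit and delete) against a constructed route table for the four resources. It assumes the Flask app exposes list and detail pages at /resource and /resource/<id> and editable pages at /resource/new, /resource/<id>/edit and /resource/<id>/delete, which is the shape the thread's regexes imply. Both nginx `location ~` and Apache `LocationMatch` apply an unanchored, case-sensitive regex search, which is what `re.search` reproduces here.

```python
"""Audit reverse-proxy deny regexes against the app's route table.

Added example; the route table below is constructed from the URL shapes
implied by the issue thread, not read from the project's code.
"""
import re

RESOURCES = ("crossword-solutions", "crossword-setters", "setter-types", "solution-types")
RESOURCE_ALT = "|".join(RESOURCES)

# First proposal in the thread: a single regex on the resource prefix.
BROAD_RULES = [rf"/({RESOURCE_ALT})"]

# Final rules: only the mutating routes (new, <id>/edit, <id>/delete).
NARROW_RULES = [
    rf"/({RESOURCE_ALT})/[0-9]+/(edit|delete)",
    rf"/({RESOURCE_ALT})/new",
]


def compile_rules(rules):
    """Compile the proxy regexes exactly as written in the config."""
    return [re.compile(r) for r in rules]


def is_denied(path, compiled):
    """True if the path would hit any deny block.

    nginx `location ~` and Apache `LocationMatch` both run an unanchored,
    case-sensitive regex search against the request path, so re.search
    (not re.fullmatch) is the faithful emulation.
    """
    return any(rx.search(path) for rx in compiled)


def expected_routes(resources, sample_id=17):
    """Constructed route table (assumed shapes): (public paths, editable paths)."""
    public, editable = [], []
    for r in resources:
        public += [f"/{r}", f"/{r}/{sample_id}"]
        editable += [f"/{r}/new", f"/{r}/{sample_id}/edit", f"/{r}/{sample_id}/delete"]
    return public, editable


def audit(public, editable, compiled):
    """Return (leaks, collateral).

    leaks: editable paths the rules fail to block (the security gap).
    collateral: public paths the rules block by accident (the usability gap).
    """
    leaks = [p for p in editable if not is_denied(p, compiled)]
    collateral = [p for p in public if is_denied(p, compiled)]
    return leaks, collateral


if __name__ == "__main__":
    public, editable = expected_routes(RESOURCES)
    for name, rules in (("broad", BROAD_RULES), ("narrow", NARROW_RULES)):
        leaks, collateral = audit(public, editable, compile_rules(rules))
        print(f"{name}: {len(leaks)} leaked editable paths, "
              f"{len(collateral)} wrongly blocked public paths")
        for p in leaks:
            print(f"  LEAK      {p}")
        for p in collateral:
            print(f"  COLLATERAL {p}")
```

Run it whenever a route is added: a new mutating route that does not fit the `new`/`<id>/edit`/`<id>/delete` shape will show up as a leak, and a public route that happens to contain one of the resource names will show up as collateral before the config reaches the proxy.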

slugbucket commented 5 years ago

With the correct configuration deployed to AWS using the Jenkins job and no access to the editable resources we can close this ticket.

$ git flow feature finish feat0005
Switched to branch 'develop'
Your branch is up to date with 'origin/develop'.
Merge made by the 'recursive' strategy.
 .ebextensions/options.config | 12 ++++++++++++
 crossword_hints.ini          | 23 +++++++++++++++++++++++
 crossword_hints.py           |  7 +++++--
 default_settings.py          |  5 ++++-
 static/403-xword-hints.html  | 23 +++++++++++++++++++++++
 5 files changed, 67 insertions(+), 3 deletions(-)
 create mode 100644 crossword_hints.ini
 create mode 100644 static/403-xword-hints.html
To github.com:slugbucket/crossword-hints.git
 - [deleted]         feature/feat0005
Deleted branch feature/feat0005 (was adecc1a).

Summary of actions:
- The feature branch 'feature/feat0005' was merged into 'develop'
- Feature branch 'feature/feat0005' has been locally deleted; it has been remotely deleted from 'origin'
- You are now on branch 'develop'

slugbucket commented 5 years ago

Issue resolved.