Re: #29752 Adding a ALLOWED_HOSTS_IGNORABLE_URLS setting

2018-10-28 Thread Peter Baumgartner
I implemented something for this in the django-alive package via a
middleware that will bypass the host checking:

https://github.com/lincolnloop/django-alive/#disabling-allowed_hosts-for-healthchecks
https://github.com/lincolnloop/django-alive/blob/master/django_alive/middleware.py

On Fri, Sep 14, 2018 at 3:18 PM Adam Johnson  wrote:

> The snippet Matt posted is the same technique I've used for ages, albeit
> using the ec2-metadata library. I
> think it's perfectly fine as-is, the Host header EC2 uses is actually
> predictable as the EC2 Private IP. I don't think Django needs another
> setting that disables a security feature and could be open to
> misconfiguration.
>
> On Fri, 14 Sep 2018 at 20:29, Mattia Procopio  wrote:
>
>> What I usually do is rewriting the Host value at webserver level using
>> one of the allowed ones when receiving health checks from a load balancer. This
>> is not optimal, and having a whitelist of some URIs to allow requests
>> without a valid Host could make this specific thing easier.
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Django developers  (Contributions to Django itself)" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to django-developers+unsubscr...@googlegroups.com.
>> To post to this group, send email to django-developers@googlegroups.com.
>> Visit this group at https://groups.google.com/group/django-developers.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/django-developers/e51aa4d8-d263-4448-ab3c-d0717035fbcb%40googlegroups.com
>> .
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>
> --
> Adam
>
>



Re: #29752 Adding a ALLOWED_HOSTS_IGNORABLE_URLS setting

2018-09-14 Thread Adam Johnson
The snippet Matt posted is the same technique I've used for ages, albeit
using the ec2-metadata library. I
think it's perfectly fine as-is, the Host header EC2 uses is actually
predictable as the EC2 Private IP. I don't think Django needs another
setting that disables a security feature and could be open to
misconfiguration.

On Fri, 14 Sep 2018 at 20:29, Mattia Procopio  wrote:

> What I usually do is rewriting the Host value at webserver level using one
> of the allowed ones when receiving health checks from a load balancer. This is
> not optimal, and having a whitelist of some URIs to allow requests without
> a valid Host could make this specific thing easier.
>
>


-- 
Adam



Re: #29752 Adding a ALLOWED_HOSTS_IGNORABLE_URLS setting

2018-09-14 Thread Mattia Procopio
What I usually do is rewriting the Host value at webserver level using one of 
the allowed ones when receiving health checks from a load balancer. This is not 
optimal, and having a whitelist of some URIs to allow requests without a valid 
Host could make this specific thing easier.



Re: #29752 Adding a ALLOWED_HOSTS_IGNORABLE_URLS setting

2018-09-14 Thread Collin Anderson
You might be able to handle this with a middleware that gets called early
enough in the process (before CommonMiddleware) to avoid calling
request.get_host(). A simple if request.path == '/statuscheck/': return
HttpResponse() should work. As long as you never call request.get_host(),
Django doesn't care about ALLOWED_HOSTS.

Maybe we should patch CommonMiddleware to avoid calling request.get_host()
if not needed:
https://github.com/django/django/compare/master...collinanderson:avoidrequest.get_host

On Fri, Sep 14, 2018 at 1:55 PM Matt Pegler  wrote:

> AWS will send a request to a specific path and make sure it receives a
> status 200 response. If the response status is not 200, it will consider
> that instance unhealthy and will not route traffic to that instance. The
> path can be anything that can be used as a signal that the application is
> running properly.
>
> -Matt
>
> On Fri, Sep 14, 2018 at 11:29 AM, Tim Graham  wrote:
>
>> Sorry, I still don't understand what "whitelisting the health check path" 
>> looks like.
>>
>> Here's the snippet for anyone reading the thread after the pastebin expires.
>>
>> import requests
>>
>> ALLOWED_HOSTS = ['ourdomain.com']
>> EC2_PRIVATE_IP = None
>> try:
>>     # AWS provided magic service that returns metadata about the instance making the call
>>     EC2_PRIVATE_IP = requests.get('http://169.254.169.254/latest/meta-data/local-ipv4', timeout=0.01).text
>> except requests.exceptions.RequestException:
>>     pass
>> if EC2_PRIVATE_IP:
>>     ALLOWED_HOSTS.append(EC2_PRIVATE_IP)
>>
>>
>>
>> On Friday, September 14, 2018 at 2:03:11 PM UTC-4, Matt wrote:
>>>
>>> We would find this valuable for the reason Jonas outlined. Health checks
>>> from AWS are sent without a host header, which causes the request to fail
>>> the host check. By whitelisting the health check path, it would simplify
>>> deployments to AWS and possibly others. Here's the workaround we use in
>>> production to support AWS health checks that may help give some more
>>> context: http://dpaste.com/2BS0C5M
>>>
>>> -Matt
>>>
>>> On Fri, Sep 14, 2018 at 10:44 AM, Tim Graham  wrote:
>>>
 What would be the value of that setting for your use case?

 On Friday, September 14, 2018 at 11:52:46 AM UTC-4, Jonas H wrote:
>
> Hi,
>
> I've started a discussion on
> https://code.djangoproject.com/ticket/29752 to add a new
> ALLOWED_HOSTS_IGNORABLE_URLS setting.
>
> The setting can become handy if you can't control the Host header sent
> to your application but still want to accept the request. An example of
> this is health checks made by AWS ECS/Fargate – google "django
> allowed_hosts aws" and find 16,000 results with tips on how to work around
> the problem.
>
> I'd like to discuss the addition on this list as per Tim's triage.
>
> Jonas
>

>>>
>>
>
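The early-return middleware Collin sketches above is also the approach Peter's django-alive package takes earlier in the thread. The following is an added example written for this page, not code from the thread and not django-alive's code. It shows the mechanism end to end: Django consults ALLOWED_HOSTS only inside request.get_host(), so a middleware placed ahead of CommonMiddleware that answers the probe path itself never triggers the check, while every other request still gets full validation and the 400 that Django returns for a DisallowedHost. To keep the example runnable without a Django install, the request, response and host check are small stand-ins that mirror the relevant Django behaviour; the probe path "/-/alive/" is an assumption. In a project you would use django.http.HttpRequest and HttpResponse and list HealthCheckMiddleware first in MIDDLEWARE.

```python
"""Answer a load-balancer health check before anything reads the Host header.

Added example (not the thread's code). The Request/Response/DisallowedHost
classes below are stand-ins for the Django objects of the same name.
"""

ALLOWED_HOSTS = ["ourdomain.com"]
HEALTHCHECK_PATH = "/-/alive/"  # assumption: the path configured on the target group


class DisallowedHost(Exception):
    """Stand-in for django.core.exceptions.DisallowedHost."""


class Response:
    """Stand-in for django.http.HttpResponse: just a status and a body."""

    def __init__(self, body=b"", status=200):
        self.status_code = status
        self.content = body


class Request:
    """Stand-in for django.http.HttpRequest; get_host() validates like Django."""

    def __init__(self, path, method="GET", host=None):
        self.path = path
        self.method = method
        self._host = host  # None models a probe sent without a Host header

    def get_host(self):
        # Django raises here for a missing or unlisted host and inspects
        # ALLOWED_HOSTS nowhere else on the request path.
        if self._host is None or self._host not in ALLOWED_HOSTS:
            raise DisallowedHost(f"Invalid HTTP_HOST header: {self._host!r}")
        return self._host


class HealthCheckMiddleware:
    """Must be listed before CommonMiddleware (or anything else that calls
    request.get_host()) so the early return is reached first."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        # Exact path and safe methods only, so the bypass cannot be used to
        # reach application code with an arbitrary Host header.
        if request.path == HEALTHCHECK_PATH and request.method in ("GET", "HEAD"):
            return Response(b"ok")
        return self.get_response(request)


def common_middleware(request):
    """Stand-in for django.middleware.common.CommonMiddleware, whose
    process_request() calls request.get_host() on every request."""
    request.get_host()
    return Response(b"app")


def handle(request):
    """The chain as Django would build it from MIDDLEWARE, plus Django's
    conversion of DisallowedHost (a SuspiciousOperation) into 400 Bad Request."""
    try:
        return HealthCheckMiddleware(common_middleware)(request)
    except DisallowedHost:
        return Response(b"Bad Request", status=400)


def probe(path, method="GET", host=None):
    """Send one request through the chain and return (status, body)."""
    resp = handle(Request(path, method, host))
    return resp.status_code, resp.content
```

The health check succeeds with no Host header at all, which is the ECS/Fargate case from the thread, and a request for any other path with an unlisted host is still rejected, so the bypass is limited to the one probe path and the GET/HEAD methods the load balancer actually uses.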

Re: #29752 Adding a ALLOWED_HOSTS_IGNORABLE_URLS setting

2018-09-14 Thread Matt Pegler
AWS will send a request to a specific path and make sure it receives a
status 200 response. If the response status is not 200, it will consider
that instance unhealthy and will not route traffic to that instance. The
path can be anything that can be used as a signal that the application is
running properly.

-Matt

On Fri, Sep 14, 2018 at 11:29 AM, Tim Graham  wrote:

> Sorry, I still don't understand what "whitelisting the health check path" 
> looks like.
>
> Here's the snippet for anyone reading the thread after the pastebin expires.
>
> import requests
>
> ALLOWED_HOSTS = ['ourdomain.com']
> EC2_PRIVATE_IP = None
> try:
>     # AWS provided magic service that returns metadata about the instance making the call
>     EC2_PRIVATE_IP = requests.get('http://169.254.169.254/latest/meta-data/local-ipv4', timeout=0.01).text
> except requests.exceptions.RequestException:
>     pass
> if EC2_PRIVATE_IP:
>     ALLOWED_HOSTS.append(EC2_PRIVATE_IP)
>
>
>
> On Friday, September 14, 2018 at 2:03:11 PM UTC-4, Matt wrote:
>>
>> We would find this valuable for the reason Jonas outlined. Health checks
>> from AWS are sent without a host header, which causes the request to fail
>> the host check. By whitelisting the health check path, it would simplify
>> deployments to AWS and possibly others. Here's the workaround we use in
>> production to support AWS health checks that may help give some more
>> context: http://dpaste.com/2BS0C5M
>>
>> -Matt
>>
>> On Fri, Sep 14, 2018 at 10:44 AM, Tim Graham  wrote:
>>
>>> What would be the value of that setting for your use case?
>>>
>>> On Friday, September 14, 2018 at 11:52:46 AM UTC-4, Jonas H wrote:

 Hi,

 I've started a discussion on https://code.djangoproject.com
 /ticket/29752 to add a new ALLOWED_HOSTS_IGNORABLE_URLS setting.

 The setting can become handy if you can't control the Host header sent
 to your application but still want to accept the request. An example of
 this is health checks made by AWS ECS/Fargate – google "django
 allowed_hosts aws" and find 16,000 results with tips on how to work around the
 problem.

 I'd like to discuss the addition on this list as per Tim's triage.

 Jonas

>>>
>>
>



Re: #29752 Adding a ALLOWED_HOSTS_IGNORABLE_URLS setting

2018-09-14 Thread Tim Graham


Sorry, I still don't understand what "whitelisting the health check path" looks 
like.

Here's the snippet for anyone reading the thread after the pastebin expires.

import requests

ALLOWED_HOSTS = ['ourdomain.com']
EC2_PRIVATE_IP = None
try:
    # AWS provided magic service that returns metadata about the instance making the call
    EC2_PRIVATE_IP = requests.get('http://169.254.169.254/latest/meta-data/local-ipv4', timeout=0.01).text
except requests.exceptions.RequestException:
    pass
if EC2_PRIVATE_IP:
    ALLOWED_HOSTS.append(EC2_PRIVATE_IP)



On Friday, September 14, 2018 at 2:03:11 PM UTC-4, Matt wrote:
>
> We would find this valuable for the reason Jonas outlined. Health checks 
> from AWS are sent without a host header, which causes the request to fail 
> the host check. By whitelisting the health check path, it would simplify 
> deployments to AWS and possibly others. Here's the workaround we use in 
> production to support AWS health checks that may help give some more 
> context: http://dpaste.com/2BS0C5M
>
> -Matt
>
> On Fri, Sep 14, 2018 at 10:44 AM, Tim Graham  > wrote:
>
>> What would be the value of that setting for your use case?
>>
>> On Friday, September 14, 2018 at 11:52:46 AM UTC-4, Jonas H wrote:
>>>
>>> Hi,
>>>
>>> I've started a discussion on https://code.djangoproject.com/ticket/29752 
>>> to add a new ALLOWED_HOSTS_IGNORABLE_URLS setting.
>>>
>>> The setting can become handy if you can't control the Host header sent 
>>> to your application but still want to accept the request. An example of 
>>> this is health checks made by AWS ECS/Fargate – google "django 
>>> allowed_hosts aws" and find 16,000 results with tips on how to work around the 
>>> problem.
>>>
>>> I'd like to discuss the addition on this list as per Tim's triage.
>>>
>>> Jonas
>>>
>>
>
>

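The snippet Tim pastes above appends whatever the metadata service returns straight into ALLOWED_HOSTS, and Adam's point earlier in the thread is that this works because the Host header the EC2 load balancer sends is predictable: it is the instance's private IP. The following is an added example written for this page, not code from the thread and not the ec2-metadata library Adam mentions. It keeps the same idea but adds the checks a reviewer would ask for: the metadata call uses IMDSv2 (a PUT for a session token, then the GET with that token), the returned value must parse as an IPv4 literal before it is trusted as a host pattern (so a captive portal, a proxy error page or a "*" can never widen the allow-list), and the fetcher is injectable so the logic can be exercised off EC2. Only the standard library is used. The 0.5 second timeout and the 60 second token TTL are assumptions; the 0.01 second timeout in the original snippet fails spuriously on a busy instance.

```python
"""Append the EC2 instance's private IPv4 to ALLOWED_HOSTS, with validation.

Added example (not the thread's code). IMDS endpoints and headers are the
documented IMDSv2 ones; timeout and TTL values are assumptions.
"""
import ipaddress
import urllib.request

IMDS = "http://169.254.169.254"


def fetch_private_ipv4_imdsv2(timeout=0.5):
    """Ask the instance metadata service for the primary private IPv4.

    Raises on any network or HTTP failure; the caller decides how to degrade.
    """
    token_req = urllib.request.Request(
        IMDS + "/latest/api/token",
        method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"},
    )
    with urllib.request.urlopen(token_req, timeout=timeout) as resp:
        token = resp.read().decode("ascii")
    ip_req = urllib.request.Request(
        IMDS + "/latest/meta-data/local-ipv4",
        headers={"X-aws-ec2-metadata-token": token},
    )
    with urllib.request.urlopen(ip_req, timeout=timeout) as resp:
        return resp.read().decode("ascii")


def instance_private_ipv4(fetch=fetch_private_ipv4_imdsv2):
    """Return the instance's private IPv4 as a validated string, or None.

    ``fetch`` is injectable so this can run outside EC2. The value goes
    straight into ALLOWED_HOSTS, so anything that is not an IPv4 literal is
    discarded rather than appended. IPv4 only: Django matches IPv6 hosts
    with the surrounding brackets, and local-ipv4 never returns one anyway.
    """
    try:
        raw = fetch()
    except (OSError, ValueError):
        # urllib.error.URLError and socket timeouts are OSError subclasses;
        # UnicodeDecodeError is a ValueError. Not on EC2, IMDS disabled, or
        # the call timed out: fall back to the static list.
        return None
    try:
        return str(ipaddress.IPv4Address(raw.strip()))
    except (ValueError, AttributeError):
        return None


def allowed_hosts(base, fetch=fetch_private_ipv4_imdsv2):
    """Build the final ALLOWED_HOSTS: the static entries plus the instance IP."""
    hosts = list(base)
    ip = instance_private_ipv4(fetch)
    if ip and ip not in hosts:
        hosts.append(ip)
    return hosts


# In settings.py, after the static definition:
# ALLOWED_HOSTS = allowed_hosts(ALLOWED_HOSTS)
```

Because the private IP is only ever added as an exact string, the allow-list is widened by one known address and nothing else; a failure of any kind leaves the static list untouched, which is the safe direction to fail in.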


Re: #29752 Adding a ALLOWED_HOSTS_IGNORABLE_URLS setting

2018-09-14 Thread Matt Pegler
We would find this valuable for the reason Jonas outlined. Health checks
from AWS are sent without a host header, which causes the request to fail
the host check. By whitelisting the health check path, it would simplify
deployments to AWS and possibly others. Here's the workaround we use in
production to support AWS health checks that may help give some more
context: http://dpaste.com/2BS0C5M

-Matt

On Fri, Sep 14, 2018 at 10:44 AM, Tim Graham  wrote:

> What would be the value of that setting for your use case?
>
> On Friday, September 14, 2018 at 11:52:46 AM UTC-4, Jonas H wrote:
>>
>> Hi,
>>
>> I've started a discussion on https://code.djangoproject.com/ticket/29752
>> to add a new ALLOWED_HOSTS_IGNORABLE_URLS setting.
>>
>> The setting can become handy if you can't control the Host header sent to
>> your application but still want to accept the request. An example of this
>> is health checks made by AWS ECS/Fargate – google "django allowed_hosts
>> aws" and find 16,000 results with tips on how to work around the problem.
>>
>> I'd like to discuss the addition on this list as per Tim's triage.
>>
>> Jonas
>>
>



Re: #29752 Adding a ALLOWED_HOSTS_IGNORABLE_URLS setting

2018-09-14 Thread Tim Graham
What would be the value of that setting for your use case?

On Friday, September 14, 2018 at 11:52:46 AM UTC-4, Jonas H wrote:
>
> Hi,
>
> I've started a discussion on https://code.djangoproject.com/ticket/29752 
> to add a new ALLOWED_HOSTS_IGNORABLE_URLS setting.
>
> The setting can become handy if you can't control the Host header sent to 
> your application but still want to accept the request. An example of this 
> is health checks made by AWS ECS/Fargate – google "django allowed_hosts 
> aws" and find 16,000 results with tips on how to work around the problem.
>
> I'd like to discuss the addition on this list as per Tim's triage.
>
> Jonas
>
