From 37cb430880336d9496f8c29b98715e0773442739 Mon Sep 17 00:00:00 2001 From: Brendan Shephard Date: Mon, 25 Mar 2024 19:47:39 +1000 Subject: [PATCH] Restrict ALLOWED_HOSTS This change removes the ALLOWED_HOSTS=* and restricts it instead to the Route Host and also the IP address of the pod. To determine the IP address of the pod, this PR adds a function that will retrieve the pods primary interface IP address and insert it into the ALLOED_HOSTS list. This will facilitate liveness checks against each of the pods. Signed-off-by: Brendan Shephard --- templates/horizon/config/local_settings.py | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/templates/horizon/config/local_settings.py b/templates/horizon/config/local_settings.py index 137a158e..98f85405 100644 --- a/templates/horizon/config/local_settings.py +++ b/templates/horizon/config/local_settings.py @@ -52,10 +52,23 @@ # with the list of host/domain names that the application can serve. # For more information see: # https://docs.djangoproject.com/en/dev/ref/settings/#allowed-hosts -#ALLOWED_HOSTS = ["{{ .horizonEndpointUrl }}", ] -# liveness checks will fail if we restrict this to just the route. We are setting -# this to enable liveness checks. -ALLOWED_HOSTS = ["*", ] + +# get_pod_ip retrieves the pod's primary interface IP address. This is necessary +# due to the dynamic IP addressing of pods. The HealthCheck needs to be able to +# check the specific pod. We can't simply check via the route, since such a check +# could land on any of the replicas. Instead, we need to explicity check the pod +# we're currently running on. Therefore, we need to execute this function to +# retrieve the IP address, which we will then in turn add to the ALLOWED_HOSTS list. +def get_pod_ip(): + import socket + s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) + try: + s.connect(("{{ .horizonEndpointUrl }}", 80)) + return s.getsockname()[0] + finally: + s.close() + +ALLOWED_HOSTS = [get_pod_ip(), "{{ .horizonEndpointUrl }}"] # Set SSL proxy settings: # Pass this header from the proxy after terminating the SSL,