
IP restrictions for HTTP traffic on servers, sites and benches

Open adityahase opened this issue 1 year ago • 0 comments

With https://github.com/frappe/agent/commit/a499bf8a4acfa8798bc35c03f83008d790d2f762 we can whitelist specific IPs and drop all other HTTP traffic (on the entire server).

This is only implemented on Agent. There is no way to configure it on Press.

  • [ ] Support this configuration for benches and sites
  • [ ] Dashboard UI (Validate IP address / CIDR)

This will be trivial for benches because the allow and deny directives work in http, server, location and limit_except blocks.

Each container is implemented as a server block. So we can store the allow list in ReleaseGroup.bench_config and Bench.bench_config. Sites are a little different since we'll need to create separate server blocks for these sites.

References:

  • https://github.com/frappe/agent/blob/e4c6330dae561b9dc52e1a27b83f8d5b3bd8164a/agent/bench.py#L486-L496
  • https://github.com/frappe/agent/blob/e4c6330dae561b9dc52e1a27b83f8d5b3bd8164a/agent/templates/bench/nginx.conf.jinja2#L23

Note: Always whitelist press and monitor server public IPs
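A sketch of the two pieces the checklist asks for, the CIDR validation for the dashboard and the generation of the allow/deny directives for a server block. This is an added example, not code from the frappe/agent or press repositories: it uses only the Python standard library rather than the project's nginx.conf.jinja2 template, the bench_config key name and the press/monitor addresses are constructed placeholders, and the function names are assumptions.

```python
import ipaddress
from typing import Iterable, List

# Constructed placeholders standing in for the press and monitor server
# public IPs that the issue says must always be whitelisted.
ALWAYS_ALLOW = ["203.0.113.10", "203.0.113.11"]


def normalize_allow_list(entries: Iterable[str]) -> List[str]:
    """Validate dashboard input (IPs or CIDRs) and return canonical strings.

    Raises ValueError on anything the ipaddress module cannot parse, so a
    typo is rejected before it can land in an nginx config and break reloads.
    Duplicates are dropped and host bits in a CIDR are cleared (strict=False).
    """
    out: List[str] = []
    for raw in entries:
        value = raw.strip()
        if not value:
            continue
        try:
            network = ipaddress.ip_network(value, strict=False)
        except ValueError as exc:
            raise ValueError(f"invalid IP address or CIDR: {raw!r}") from exc
        # A single host is emitted as a bare address, a range as CIDR;
        # nginx accepts both forms in allow/deny directives.
        if network.prefixlen == network.max_prefixlen:
            text = str(network.network_address)
        else:
            text = str(network)
        if text not in out:
            out.append(text)
    return out


def render_server_block(server_name: str, bench_config: dict) -> str:
    """Emit an nginx server block restricted to the configured allow list.

    `bench_config["http_allow_list"]` is a hypothetical key for the list the
    issue proposes storing in ReleaseGroup.bench_config / Bench.bench_config.
    nginx evaluates allow/deny in order and stops at the first match, so the
    always-allowed press/monitor addresses are written first, the user list
    next, and `deny all` last. With an empty user list no restriction is
    written at all, leaving the site open as before.
    """
    user_entries = normalize_allow_list(bench_config.get("http_allow_list", []))
    lines = ["server {", f"    server_name {server_name};"]
    if user_entries:
        for entry in normalize_allow_list(list(ALWAYS_ALLOW) + user_entries):
            lines.append(f"    allow {entry};")
        lines.append("    deny all;")
    lines.append("    # upstream / proxy_pass settings omitted in this example")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_server_block("site.example.test", {"http_allow_list": ["10.0.0.0/8", "2001:db8::1"]}))
```

Because `normalize_allow_list` runs on the always-allowed addresses as well, a malformed entry in either list fails loudly instead of silently locking the press or monitor server out.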

adityahase, Jul 15 '24 10:07