IP blocking in uwsgi and IPv6

kierenp

I'm in the process of migrating a Django site from Webfaction. All's going fine but I have some questions related to uwsgi (as I'm coming from an Apache/mod_wsgi setup) which I'm hoping someone might be able to help with please?

I'd like to update my uwsgi.ini to block access to the application based on IP etc. The uwsgi.log for the app shows the remote address as 127.0.0.1 (as I'm assuming there's a proxy) for all requests. Let's say I want to block 192.168.1.23 (I realise it's a private IP but I'm just using it as an example so I don't quote someone's genuine IP in this question) then the below won't block access:

route-remote-addr = ^192\.168\.1\.23$ break:403 Forbidden

Through a process of reading the docs here: https://uwsgi-docs.readthedocs.io/en/latest/InternalRouting.html and trial and error I've found that configuring the logging in uwsgi to use log-x-forwarded-for passes through the genuine IP address to the uwsgi.log and also allows to above line to block the IP. So adding this to uwsgi.ini this works and would block access from that IP (if it were genuine):

log-x-forwarded-for = true
route-remote-addr = ^192\.168\.1\.23$ break:403 Forbidden

Is this the correct way of doing this? It seems a bit odd to change the logging format to make this work but maybe it's the correct thing to do?

Also, the IP addresses are given as a regex and I can make the regex more permissive to block a range but does anyone know if you can use CIDR notation with route-remote-addr and, if so, how?

The final questions I have are about IPv6. Can I also block an IPv6 address using route-remote-addr as all the examples seem to be for a regex match of an IPv4 address?

Also I noticed that AAAA records are not created as part of the Opalstack DNS records so should I be adding this record myself?

Many thanks in advance

Kieren

sean

kierenp Also I noticed that AAAA records are not created as part of the Opalstack DNS records so should I be adding this record myself?

We're not up and running on IPv6 just yet, so please do not create AAAA records pointing to your Opalstack server. We'll generate them automatically when we're ready.

I'll look into your uwsgi questions and reply later.

kierenp

sean Awesome, many thanks Sean. No rush on the uwsgi stuff and I really appreciate the help.

sean

kierenp So sorry for not following up as promised 🙁

Changing log-x-forwarded-for seems like a roundabout way to do make remote-addr work, but I think I like that approach. It has the intended result plus the benefit of putting your visitor IPs in your backend log.

Here's another way to block IPv4 in uwsgi if your current approach isn't working out:

route-if = contains:${HTTP_X_FORWARDED_FOR};111.222.333.444 break:403 Forbidden

Either approach should work for IPv6 also (once we support it) since it's just matching text in a header. You can do the same for any header (user agents, etc).

Not sure how to go about using CIDR notation short of writing a custom uwsgi plugin.

kierenp

Just wanted to provide an update on this. I thought I'd check out the two mailing lists mentioned in the uwsgi docs (https://uwsgi-docs.readthedocs.io/en/latest/index.html#contact) but both have been down for the last two weeks (I assume they've been down for some time prior especially in the case of gmane). So I asked the questions on the uwsgi IRC channel but no-one responded.

So at this stage I'm assuming CIDR isn't supported (nor IPv6 regex blocking) and I'll just use IPv4 regexes instead.

Just updating in case anyone else has a similar query - if anyone else has more info that would be great but I'm not planning to look into this more for the foreseeable future.

kierenp

Hi @sean Many thanks for the reply, no need to apologise at all, I realise how busy things have been recently and my query wasn't important. Thanks also for the other suggestion, that's really helpful and much appreciated.