Added real IP and block IP functionality.

[auspicacious]

Related to issue #648

Based on research from @ZacharyCChang0828

This will enable us to block IP addresses or CIDR ranges by modifying the web.config file and redeploying.

I have manually applied these changes in dev, so I know that the config works, but I'm not sure the .ebextensions syntax is correct.

Risks:

• Listing these IP address publicly could theoretically aid an attacker, but I'm not sure how.
• Using the real_ip module will change our logs; the AWS load balancer IP address will no longer show up in them. Instead, the request IP address will be the real one.

Follow-up tasks:

• We need to review and document what steps need to be taken to deploy an .ebextensions change. I'm not sure an ordinary deploy will do it.
• We should make the same changes to ingest.

[matschaffer]

We could merge like this but I'm fairly certain nginx needs a reload signal to pick up the changes. So a normal deploy probably wouldn't do the trick.

We could add a command step after this (similar to match_nginx_timeout_to_elb_timeout) to hup nginx, or look to see if there's some way to have it notice the file changes.

[matschaffer]

If we ever wanted to hide the IPs or share with ingest we could put an s3 object somewhere and build the list from that.

[matschaffer]

Would be fine merging this. As you noted, it won't be perfect w/o some plan on reloading or config sharing. But we can iterate.

[auspicacious]

@matschaffer web.config already contains service nginx restart in match_nginx_timeout_to_elb_timeout, will that execute again?

[matschaffer]

Yep

On Tue, Jul 14, 2020 at 16:55 Andrew Todd ***@***.***> wrote: @matschaffer <https://github.com/matschaffer> web.config already contains service nginx restart, will that execute again? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#714 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAAFMVBIG2P7AXFIYW2YMLR3QFPXANCNFSM4OZHWTKA> .

--

…

-Mat matschaffer.com

[sasharevzin]

I don’t understand much in it, so I’ll just go ahead and approve, hehe

[auspicacious]

I'm going to make another build with my own IP address in the block list and deploy that to make sure it works, then will merge.

[auspicacious]

Bit of confusion, I was pushing to the wrong config directory, but after that's fixed I've confirmed that a redeploy to the same environment should update the blocklist.