How to test Django app with multitenancy on localhost - django

I am developing a Django app that works with multitenancy through the django-tenant-schemas library. We bind subdomains to our tenants. I need to test a data migration locally before I run it on production but the problem I'm running into is that I cannot access all the tenants. What I need to do is use the application, click buttons and see if everything still works, posing as multiple of our clients.
We currently have it set up so that the public schema is bound to 127.0.0.1 on my local machine and our own tenant to localhost. On our staging / production it would be client.ourdomain.com, but as I understand -and tested- it you cannot work with subdomains on localhost, so I'm lost on how to get access to the other tenant schemas.
I have tried to edit my /etc/hosts file to bind the following 2 but those don't work:
localhost client.localhost
127.0.0.1 client.localhost
This seems like it would be a problem many people run into but I cannot seem to find good info on how to do this both in the official docs or elsewhere, although the second link looks to be what I need but they suggest what I already tried.
Does anyone know how I can achieve this?

You could bind client1.example.test, client2.example.test etc. to your 127.0.0.1 IP.
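A way to check a hosts file before starting the dev server, written as an added example (not code from the original posts). It parses hosts-file text, reports lines whose first field is not an IP address, and lists tenant hostnames that do not map to loopback. The sample text and the client3.example.test name are constructed for illustration.

```python
import ipaddress

# Constructed sample: one line from the question plus the binding suggested in the answer.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
localhost client.localhost
127.0.0.1 client1.example.test client2.example.test  # local tenants
"""

def parse_hosts(text):
    """Return (hostname -> address mapping, list of malformed lines)."""
    mapping, malformed = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            malformed.append(line)  # first field must be an IP address
            continue
        if len(fields) < 2:
            malformed.append(line)  # an address with no hostname maps nothing
            continue
        for name in fields[1:]:
            mapping.setdefault(name.lower(), addr)  # keep the first address seen
    return mapping, malformed

def tenants_not_on_loopback(text, tenant_hosts):
    """Return tenant hostnames that are missing or bound to a non-loopback address."""
    mapping, _ = parse_hosts(text)
    return [h for h in tenant_hosts
            if h.lower() not in mapping or not mapping[h.lower()].is_loopback]

if __name__ == "__main__":
    _, bad = parse_hosts(SAMPLE_HOSTS)
    print("malformed:", bad)
    wanted = ["client1.example.test", "client2.example.test", "client3.example.test"]
    print("not on loopback:", tenants_not_on_loopback(SAMPLE_HOSTS, wanted))
```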

Related

localtunnel not generating url string on Windows 10

I have followed this guide in setting up my localtunnel:
https://www.hongkiat.com/blog/accessible-local-web-server/
However, when I run the following command, lt --port 80, nothing is showing. I started looking for this solution since Facebook seems to have stopped localhost access to the FB.ui() method for sharing content on their site.
I have tried running as admin while disabling firewall and McAfee's Antivirus Scan. I have used ngrok before now too but Facebook rejects it for no clear reason.
Below is an image of the steps taken:
Managed to get my way around this localhost tunneling issue using ngrok.
I noticed I'm expected to add additional domain names under App Domains in Facebook APP settings. So I added ngrok.io as an additional APP Domain and WHALAH! everything started working for the FB.ui() method.

How did a hacker produce this GET request?

I am just about to go live with a website and am addressing security issues. The site has been public for some time but not linked to the search engines.
I log all incoming requests and today noticed this one:
GET /home/XXXXX/code/repositories/YYYYY-website/templates
where XXXXX is a sudo user on my server and YYYYY is my company name.
This is actually the structure of my Django project code.
My website is coded using Django and runs under Apache2 on Ubuntu.
My question is how can this guy possibly know the underlying code/directory structure on my server, in order to create this request?
Their IP is: 66.249.65.221.
They come up as 100% a hacker on https://ip-46.com
Any contributions welcome.
EDIT1 25/11/2019
With some helpful input from Loïc, I have done some investigation.
The Ubuntu 18.04 server is locked down as far as logging in goes - you can only get in with one of my private keys. The PostgreSQL is locked down - it will only accept connections from one IP where my dev machines reside. RabbitMQ is locked down - it won't accept ANY external incoming connections. The robots.txt allows all crawling but the robots meta restricts access to about 12 pages only.
Somebody who knows Django would know how to form this directory path if they knew the Django project directory, but they also have this relative to root on the server. The only place where this is available is in the Apache2 config file. Obviously Apache needs to know where to pick up the Django web server.
I am 99% sure that this 'hacker' got this via some sort of command to Apache. Everything is redirected to port 443 https. The above GET request doesn't actually do anything because the url doesn't exist.
So, to make the question more refined: how can a hacker pull my Django absolute project path from my Apache2 config file?
There are a lot of different ways to learn about the directory structure of a given server.
The easiest usually being error logs:
If, in your Django settings, DEBUG is set to True, it is very easy for an attacker to get the directory structure of your project.
Then there is LFI, a security issue allowing an attacker to read local files. It's then possible to read some logs, or the Apache configuration, to learn what your project directory is...
The problem could come from another service running on your server as well...
One cannot really give you a complete answer on this topic, as there are a lot of different ways this could happen.
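A defender-side check for the situation in this thread, as an added example that is not part of the original posts. It flags access-log requests whose URL path starts with a server filesystem root (keeping the Referer, which shows where the client found the link) and checks a response body, such as a DEBUG error page, for the same root. The log lines, body fragment, bot name and example.com URL are constructed, and PROJECT_ROOTS reuses the redacted placeholder from the question.

```python
import re

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Placeholder root copied from the redacted path in the question; set to your own.
PROJECT_ROOTS = ("/home/XXXXX/code/repositories/",)

# Constructed sample data (documentation IP ranges, made-up bot name).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Nov/2019:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Nov/2019:10:03:44 +0000] '
    '"GET /home/XXXXX/code/repositories/YYYYY-website/templates HTTP/1.1" 404 312 '
    '"https://www.example.com/about/" "ExampleBot/1.0"',
    '198.51.100.7 - - [25/Nov/2019:10:03:50 +0000] "GET /static/site.css HTTP/1.1" 200 900 "-" "ExampleBot/1.0"',
    'not a combined-format line',
]
SAMPLE_DEBUG_BODY = '<td>File "/home/XXXXX/code/repositories/YYYYY-website/app/views.py"</td>'

def find_path_disclosure_hits(log_lines, roots=PROJECT_ROOTS):
    """Return requests whose URL path starts with a server-side filesystem root."""
    hits = []
    for line in log_lines:
        m = COMBINED.match(line)
        if not m:
            continue  # ignore lines that are not in combined format
        if any(m["path"].startswith(root) for root in roots):
            hits.append({k: m[k] for k in
                         ("ip", "time", "path", "status", "referer", "agent")})
    return hits

def leaked_roots_in_body(body, roots=PROJECT_ROOTS):
    """Return the roots that appear verbatim in a response body."""
    return [root for root in roots if root in body]

if __name__ == "__main__":
    for hit in find_path_disclosure_hits(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["path"], "referer:", hit["referer"])
    print("roots leaked in body:", leaked_roots_in_body(SAMPLE_DEBUG_BODY))
```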

Connect two apps via custom subdomain on heroku

I have two separate rails apps. I'd like to connect them by simply linking them in the header. One is, for example, http://example.com and I'd like the other to be, for example http://different.example.com.
I added the relevant domain to the first heroku app and it's working. I created a subdomain with my domain host, setting the host CNAME to the previously referenced "different." I then attempted to add the subdomain to the heroku app by running the command:
$ heroku domains:add different.example.com
Despite that, it's not working. Any thoughts on what I've done wrong? I followed the instructions from my domain host and on heroku's documentation.
If you made a recent change, it's possible that your connection to the Internet or ISP might be serving you a cached, old version of where you want to go.
Try accessing the site from another entry point such as through a third party like https://crossbrowsertesting.com and then you can rule out this possibility.

Launching a Mezzanine site live

I'm new to Mezzanine and Django. I have set up a site, everything is working but I can only launch the server on "development". I would like to access the site on port 80 on the internet instead of internally, as I have no way other than redirecting the port via SSH to access it. I would like to know how to do that.
And another question: is Nginx included with Mezzanine automatically? Cause I have a tuned up Nginx server there and I'm not sure what I need to do, whether to run it with my existing Nginx server or with the one included with Django, if that is how it works... Thank you for bringing some light on this.
NGINX is not included with Mezzanine, it's an entirely separate piece of software, similar to Apache.
Mezzanine includes a fabric script which can automatically set up a production server if you'd like to use it, and will install NGINX on the server for you, among many other things.
Given your question, I can't recommend enough that you read and understand all the related documentation on this topic. Start with the Mezzanine link below, it references many other documentation sites - Django, Fabric, NGINX, plus more.
Enjoy the adventure: http://mezzanine.jupo.org/docs/deployment.html

How can I view a django site running with 'runserver' remotely

I currently have a Django project that I am working on. The project is sitting on my remote webserver, and I start it by running manage.py runserver 0.0.0.0:8000. However, if I try to access the site via domainname.com:8000, I can't see the site.
How can I view a django project remotely like this? Do I need to do setup using apache? Punch a hole in the firewall? Is there an easy way?
This is strictly for development purposes.
You need to bind it to an IP, not 0.0.0.0.
Also, you may want to check that firewall rules are not stopping you from accessing port 8000 (I did this this morning!)
You can use ssh tunnels. It's easy to set up in Windows with Putty (look at this example for managing postgresql) or google how to use tunnels with ssh in Linux. I think this is an amazing thing, since I first got to my database on a remote server :)