I have several sites configured in Nginx and I was wondering if I can include a default configuration for all of them in a single server block and then include that in each site's server block.
For example, if I want to set security directives that are common to all sites, it would be nice if I could include them in one server block rather than having to modify every site's server block.
Let me know the best possible way to tackle this.
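One way to do what the question asks, as an added example rather than configuration from the original post: keep the shared directives in a snippet file and `include` it from every server block. The file locations under /etc/nginx/, the hostname and the certificate paths are assumptions. TLS settings live in a separate snippet because, unlike the header directives, `ssl_*` directives are not allowed inside a `location` block, and the security snippet is meant to be re-includable there.

```nginx
# /etc/nginx/snippets/security.conf
# Directives common to every site. "always" makes nginx add the header on
# error responses (4xx/5xx) too, not only on 2xx/3xx.
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'none'" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

# Do not advertise the nginx version in the Server header or on error pages.
server_tokens off;

# Default cap on request bodies for every site that includes this snippet.
client_max_body_size 10m;

# /etc/nginx/snippets/tls.conf
# Kept apart from security.conf: ssl_* directives are only valid in http/server context.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;

# /etc/nginx/sites-available/site1.example.com  (assumed path and hostname)
server {
    listen 443 ssl;
    server_name site1.example.com;
    ssl_certificate     /etc/letsencrypt/live/site1.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/site1.example.com/privkey.pem;

    include snippets/tls.conf;
    include snippets/security.conf;

    root /var/www/site1;

    # Caveat: add_header is inherited from the server level ONLY when the
    # location sets no add_header of its own. This location would gain
    # Cache-Control and silently lose every header from security.conf:
    #
    #     location /static/ {
    #         add_header Cache-Control "public, max-age=86400";
    #     }
    #
    # So re-include the snippet in any location that adds headers locally.
    location /static/ {
        add_header Cache-Control "public, max-age=86400";
        include snippets/security.conf;
    }
}
```

Repeat the two `include` lines in every other site's server block; changing the snippet then changes all sites at once. Check the result with `nginx -t` and confirm the headers actually arrive, e.g. `curl -sI https://site1.example.com/static/app.js`, because the add_header inheritance rule above is the usual reason a "global" header is missing on some paths. The CSP shown is deliberately strict and will need relaxing for sites that load third-party scripts or frames.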
I am just about to go live with a website and am addressing security issues. The site has been public for some time but not linked to the search engines.
I log all incoming requests and today noticed this one:
GET /home/XXXXX/code/repositories/YYYYY-website/templates
where XXXXX is a sudo user on my server and YYYYY is my company name.
This is actually the structure of my Django project code.
My website is coded using Django and runs under Apache2 on Ubuntu.
My question is how can this guy possibly know the underlying code/directory structure on my server, in order to create this request?
Their IP is : 66.249.65.221.
They come up as 100% a hacker on https://ip-46.com
Any contributions welcome.
EDIT1 25/11/2019
With some helpful input from Loïc, I have done some investigation.
The Ubuntu 18.04 server is locked down as far as logging in goes: you can only get in with one of my private keys. PostgreSQL is locked down: it will only accept connections from the one IP where my dev machines reside. RabbitMQ is locked down: it won't accept ANY external incoming connections. The robots.txt allows all crawling, but the robots meta tag restricts access to about 12 pages only.
Somebody who knows Django would know how to form this directory path if they knew the Django project directory, but they also have it relative to the root of the server. The only place where this is available is in the Apache2 config file. Obviously Apache needs to know where to pick up the Django web server.
I am 99% sure that this 'hacker' got this via some sort of command to Apache. Everything is redirected to port 443 (HTTPS). The above GET request doesn't actually do anything because the URL doesn't exist.
So to make the question more refined. How can a hacker pull my Django absolute project path from my Apache2 config file?
There are a lot of different ways to learn about the directory structure of a given server.
The easiest usually being error logs:
If, in your Django settings, DEBUG is set to True, it is very easy for an attacker to get the directory structure of your project.
Then there is LFI, a security issue allowing an attacker to read local files. It's then possible to read some logs or the Apache configuration to learn what your project directory is...
The problem could come from another service running on your server as well...
One cannot really give you a complete answer on this topic, as there are a lot of different ways this could happen.
What is the best practice or tutorial to set up a droplet to showcase my React/Express and Django fullstack projects on a single server?
I've found NGINX server blocks, but I'm not sure if I'm going in the right direction.
I want users to go to a React site that will have links to several other React or Django projects running on the same server.
Finally figured it all out.
You can use all of the regular server block documentation if you have another domain name or subdomain name you want to point to the server. That documentation can be found in the Nginx documentation on server blocks and the Digital Ocean post on server blocks.
If you want to make multiple server blocks within subdirectories of the root server, you can use location, as seen here in the Nginx documentation: ServerFault question/answer
I have a question that is probably more general than django-related development. The background is quite simple:
I am working on a project whose pages are mostly associated with a web application (this is what I am using Django for). In addition to the app-related pages, however, there are quite a few auxiliary pages (like a landing page, a faq page, a contact page, etc.) that have basically nothing to do with the web app.
What is the standard strategy for deploying such a project? It seems flawed to route requests to these static pages through Django. What seems to make sense is running two servers: one responsible for running the Django app and a separate server that is responsible for serving the static pages (including, perhaps, the static content used by the app portion of the web site).
What are some guiding principles that should be employed when making these decisions?
It's not uncommon to run Django side by side with a static site or another CMS.
You would need a front end server to route the request to either the static content or a CMS.
There are two common strategies:
Use a URL prefix to determine where to route (e.g. example.com/static/ to static files and example.com/ to Django). You would need a front end server to route the request to either the static content or a web app/CMS written in another framework/language (this is configured with the Alias directive in Apache).
Put the application server and static file server on separate domains/subdomains (e.g. static.example.com to static and app.example.com to Django). You can do this by configuring a front end server to serve both on a single machine (this is configured with VirtualHost on Apache) or on separate machines. In either case, you'd need to configure DNS to point your subdomains to the right machine(s).
The former is simpler to set up, but the latter allows you to scale better.
Servers commonly used for front-ending an application server include Apache, Nginx, or uWSGI, but pretty much any production-quality web server can do it.
In fact, Django's deployment documentation (e.g. for Apache) always instructs you to have your static files served by the front end server, even in Django-only installations, as Django wasn't designed for efficiently serving static content, unlike the front end web servers.
The django.contrib.staticfiles app is there to make it possible for Django to refer to static files hosted on a different server and to easily switch between serving static content with Django's built-in server during development and with the front end server in production.
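Both strategies from the answer above, and the per-domain versus per-subdirectory choice from the React/Django question earlier on this page, in nginx terms. This is an added example, not configuration from either answer, and the layout is assumed: the landing pages (or a React build) in /srv/www/frontend, Django's collectstatic output in /srv/app/staticfiles, Django served by gunicorn on 127.0.0.1:8000, and one certificate covering example.com and its subdomains. The fragment belongs in the http context (e.g. a file under sites-enabled). It also shows the classic `alias` traversal misconfiguration next to its correct form.

```nginx
upstream django_app {
    server 127.0.0.1:8000;   # assumed gunicorn/uwsgi address, loopback only
}

# Strategy 1: one hostname, route by URL prefix.
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/ssl/example.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;

    # Landing, FAQ, contact pages (or a React build) served straight from disk.
    root  /srv/www/frontend;
    index index.html;
    location / {
        # Unknown paths fall back to index.html for client-side routing.
        # autoindex is off by default, so a bare directory gives 403, not a listing.
        try_files $uri $uri/ /index.html;
    }

    # Django's collected static files, served by nginx instead of Django.
    # Weak form, do NOT use:
    #     location /static { alias /srv/app/staticfiles/; }
    # The prefix lacks the trailing slash the alias has, so a request for
    # /static../settings.py is mapped to /srv/app/staticfiles/../settings.py.
    location /static/ {
        alias /srv/app/staticfiles/;   # prefix and alias both end in "/"
        expires 1d;
        add_header Cache-Control "public";
    }

    # Only the application prefix reaches Django.
    location /app/ {
        proxy_pass http://django_app;  # no URI part: /app/... arrives at Django unchanged
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Strategy 2: separate subdomains, one server block each.
server {
    listen 443 ssl;
    server_name static.example.com;
    ssl_certificate     /etc/ssl/example.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;

    root /srv/app/staticfiles;
    location / {
        try_files $uri =404;           # files only; nothing is proxied or executed here
    }
}

server {
    listen 443 ssl;
    server_name app.example.com;
    ssl_certificate     /etc/ssl/example.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;

    location / {
        proxy_pass http://django_app;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

On the Django side, strategy 1 needs the project URLconf mounted under the `app/` prefix (or `proxy_pass http://django_app/` with a trailing slash to strip the prefix, plus `FORCE_SCRIPT_NAME = '/app'` so reversed URLs keep it), with `STATIC_URL = '/static/'`; strategy 2 needs `STATIC_URL = 'https://static.example.com/'`. In both cases `ALLOWED_HOSTS` must list the hostname nginx forwards in `Host`, and `SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')` tells Django the original request was HTTPS; without it, `request.is_secure()` is false behind the proxy and secure-cookie and redirect logic misbehave.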
TLDR:
Would a "real server" (Apache? Flask? Django?) be able to unify various services behind readable subdirectories (abc.work.com/svn, abc.work.com/hg) instead of using port numbers (abc.work.com:8000, abc.work.com:8001)?
Long Version:
In the last year I've learned how to serve files with Mongoose, run a minimal python webserver, host version control repositories with Subversion and Mercurial, and host a Trac issue tracker/project management framework.
In each case I've been using the easy built-in webserver provided by each tool to host it from my Windows 7 laptop at work (I'm an engineer who codes, not actually paid to be a "software guy"). In order to avoid clashing I've used different port numbers in the 8000 range for each server to listen on, and sent my coworkers links like http://machinename.domain.com:8042 to access these magical things I've created.
The first obvious problem is that I'm running a lot of these things out of a command prompt and just letting it sit open on my desktop. I also know how to call cmd.exe from VBScript in order to hide the command prompt if that's all I wanted. Many of the built-in webservers even have options to run as a service, which can get hairy with permissions, but is closer to the "right" way to host a server of any kind.
The bigger problem is that I'm sending people links to my machine with different port numbers. I'm ok with them having to use my machine name - I assume I'd need the network admin folks to add a DNS entry to call it TeamAwesome.company.com instead of machinename.company.com:8000?
The bigger question is, if I did something fancy like an Apache, Django, or Flask webserver, could I set it up like machinename.company.com/trac for the trac server and machinename.company.com/hg/project1 for the HG repository for project1? I'm looking at Apache, Django, and Flask because I've been diving into Python for 2 years now and those appear the most applicable/approachable for my needs.
I understand that ideally this stuff should be hosted on a separate linux-y server machine, but I'll need to prove the usefulness of the tools I'm developing before I request server resources from my boss (who hired me to do engineering, not programming, or web development, or systems administration, etc.).
I see this looks related. Are http proxies, virtual hosts, nginx, and WebSockets things to look at?
Looking at Apache VirtualHost examples looks promising though I can't decipher if one of those examples actually does what I'm talking about. Thanks for any suggestions as I go further down the rabbit hole with this stuff!
Apache virtual hosts can be differentiated by listening ip and/or port number only.
The mod_proxy module can do what you want if you want/have those services running separately as well:
# Reverse proxy only: never act as an open forward proxy.
ProxyRequests Off
<Proxy *>
    # Apache 2.4 syntax; on Apache 2.2 use "Allow from all" instead.
    Require all granted
</Proxy>
# Keep the trailing slashes consistent on both sides: "/folder_a" alone would also
# match /folder_another and would leave a double slash in the backend URL.
ProxyPass        /folder_a/ http://backend_a:1234/ retry=5
ProxyPassReverse /folder_a/ http://backend_a:1234/
ProxyPass        /folder_b/ http://backend_b:8888/ retry=5
ProxyPassReverse /folder_b/ http://backend_b:8888/
# etc
However, if you just want to point different URLs to unrelated folders on your server, then check the Location and Alias directives.
No need for proxy settings. You can use a single virtual server, but run each application under a certain subdirectory: for example, with Django or another wsgi app, you would simply set WSGIScriptAlias to the relevant dir.
A big clarification, though: Django is not in any way a server. In fact, you need Apache or an equivalent in order to serve Django properly.
I started developing two sites separately, but now I need to merge them (so http://site1.com/site2 points to site2, which has a separate settings.py).
I could probably refactor the code and make site2 an app of site1, but I suspect there is an easy way. Also, site2 uses a different database, and I don't intend to mix up both databases...
If I want to use a subdomain (like site2.site1.com), will it make it easier?
Any suggestion? Thanks.
The easiest way to do this is to leave both Django applications separate but present them as one site using a reverse proxy such as nginx. The applications will live on separate servers, or at least be served on the same server on separate ports, and nginx will proxy requests to one application or the other based on what path is requested.
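The path-based reverse proxy described in this answer, applied to both the two-Django-sites case here and the earlier question about putting Trac, Mercurial and friends behind readable subdirectories instead of port numbers. This is an added example, not configuration from either thread, and it is the nginx counterpart of the Apache mod_proxy answer given earlier. The hostname and ports are assumptions; the important assumption is that every backend is bound to 127.0.0.1 (site1 on :8000, site2 on :8002, Trac on :8042, hgweb on :8001), so the only way to reach them is through nginx rather than through the bare port links the question describes.

```nginx
server {
    listen 80;
    server_name teamawesome.example.com;   # assumed; one DNS name for everything

    # Trailing slashes decide two things:
    #   "location /trac/" matches only /trac/..., whereas "location /trac" would also
    #   match /tracfoo and /trac-admin; and a proxy_pass WITH a URI part ("/") replaces
    #   the matched prefix, so /trac/wiki reaches Trac as /wiki.
    # nginx itself answers a request for the bare "/trac" with a 301 to "/trac/"
    # when the location ends in "/" and is handled by proxy_pass.
    location /trac/ {
        proxy_pass http://127.0.0.1:8042/;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # The default proxy_redirect rewrites Location headers coming back from
        # http://127.0.0.1:8042/... to /trac/...; links inside HTML bodies are not
        # rewritten, so the tool must be told it is mounted under /trac.
    }

    location /hg/ {
        proxy_pass http://127.0.0.1:8001/;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Second Django site (own settings.py, own database) mounted under /site2/.
    location /site2/ {
        proxy_pass http://127.0.0.1:8002/;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # site1 keeps the root. No URI part on proxy_pass: paths pass through unchanged.
    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Because the `/site2/` prefix is stripped before the request reaches the second Django project, set `FORCE_SCRIPT_NAME = '/site2'` in site2's settings.py so that `reverse()`, form actions and redirects are generated with the prefix, and give site2 its own `STATIC_URL` (for example `/site2/static/`) with a matching nginx location, otherwise the two sites fight over `/static/`. Each project also needs `teamawesome.example.com` in `ALLOWED_HOSTS`, since the original `Host` header is forwarded. The subdomain variant asked about in the question (site2.site1.com) is a second `server` block that proxies `/` with no prefix stripping, which avoids the script-name issue entirely at the cost of a DNS entry and a certificate name.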