Building a Secure Proxy Service for IP Restriction

Blake Bradford

Have you ever wanted to restrict access to your web application based on IP addresses? If so, the directory-proxy project is the perfect solution for you. In this article, we will explore how to install, configure, and use directory-proxy to create a secure proxy service that rejects non-whitelisted IP addresses.

Installation

To get started with directory-proxy, you will need to install it using pip:

pip install directory-proxy

Configuration

Once installed, you can configure the proxy by setting specific environment variables. These variables include:

  • IP_RESTRICTOR_ALLOWED_ADMIN_IPS: Allowed IP addresses. Comma-delimited.
  • IP_RESTRICTOR_ALLOWED_ADMIN_IP_RANGES: Allowed IP ranges. Comma-delimited.
  • IP_RESTRICTOR_SKIP_CHECK_ENABLED: Skip the IP check and validate a cookie instead.
  • IP_RESTRICTOR_SKIP_CHECK_SECRET: Shared secret used to validate that cookie.
  • UPSTREAM_DOMAIN: Domain of the upstream service.
  • UPSTREAM_SIGNATURE_SECRET: Hawk shared secret for upstream requests.
  • UPSTREAM_SIGNATURE_SENDER_ID: Hawk sender ID for upstream requests.

Using these environment variables, you can customize the behavior of the proxy to meet your requirements.
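As an added illustration of how the allow-list and skip-check settings above fit together (this is not directory-proxy's own code), the following Python check parses the comma-delimited IP and range variables, rejects anything not on the list, and, when the skip check is enabled, validates a cookie against the shared secret instead. The cookie name and the HMAC construction of the cookie value are assumptions.

```python
import hashlib
import hmac
import ipaddress
import os

# Assumed cookie name; the real project may use a different one.
SKIP_COOKIE_NAME = "ip-restrictor-skip"


def parse_allow_list(*comma_delimited_values):
    """Turn the comma-delimited env values into ip_network objects.
    Blank entries are ignored; a malformed entry raises ValueError so a
    bad configuration fails at startup instead of silently allowing nothing."""
    networks = []
    for value in comma_delimited_values:
        for raw in value.split(","):
            entry = raw.strip()
            if entry:
                # A bare address becomes a /32 (IPv4) or /128 (IPv6) network.
                networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def ip_allowed(client_ip, networks):
    """client_ip must be the address the proxy itself trusts (e.g. the
    socket peer), not an unvalidated X-Forwarded-For value."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # unparsable remote address: reject, never allow
    # Version mismatch (IPv4 addr vs IPv6 net) is simply not a match.
    return any(addr in net for net in networks)


def expected_skip_cookie(secret):
    """Assumed scheme: HMAC-SHA256 over a fixed label, keyed by the secret."""
    return hmac.new(secret.encode(), b"skip-ip-check", hashlib.sha256).hexdigest()


def request_allowed(client_ip, cookies, env=os.environ):
    networks = parse_allow_list(
        env.get("IP_RESTRICTOR_ALLOWED_ADMIN_IPS", ""),
        env.get("IP_RESTRICTOR_ALLOWED_ADMIN_IP_RANGES", ""),
    )
    if env.get("IP_RESTRICTOR_SKIP_CHECK_ENABLED", "").lower() == "true":
        secret = env.get("IP_RESTRICTOR_SKIP_CHECK_SECRET", "")
        presented = cookies.get(SKIP_COOKIE_NAME, "")
        # Empty secret never matches; compare in constant time.
        return bool(secret) and hmac.compare_digest(
            presented.encode(), expected_skip_cookie(secret).encode())
    return ip_allowed(client_ip, networks)
```

The sample addresses in any test are drawn from the RFC 5737 and RFC 3849 documentation ranges.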

Usage

The directory-proxy can be run as a standalone service or as a WSGI worker alongside the upstream service.

WSGI Worker

If you prefer to run the proxy on the same box as your upstream service, install it there and run it as a WSGI worker. Here is an example command:

DJANGO_SETTINGS_MODULE=directory_proxy.conf.settings \
gunicorn directory_proxy.conf.wsgi --bind 0.0.0.0:$UPSTREAM_PORT

Standalone Service

If running the WSGI worker on the same box as the upstream service is not possible, you can run the proxy as a standalone service. This allows you to deploy the proxy separately from the upstream service.

Debugging

To aid in debugging, directory-proxy provides a set of debug tools. These tools include:

  • Setting up a debug environment
  • Running a debug web server
  • Running debug tests

By leveraging these debugging techniques, you can ensure that your proxy service is working correctly and handling requests as expected.

Local Installation and Debugging

If you prefer to run the proxy locally and debug any issues, you can follow these steps:

$ git clone https://github.com/uktrade/directory-proxy
$ cd directory-proxy

To setup the debug environment:

$ make debug

To run the debug web server:

$ make debug_webserver

To run the debug tests:

$ make debug_test

These commands will clone the directory-proxy repository and set up a local development environment for debugging purposes.

Conclusion

In conclusion, the directory-proxy project provides a powerful solution for creating a secure proxy service that restricts access based on IP addresses. By implementing Hawk signatures and configuring the proxy using environment variables, you can ensure the integrity of requests and protect your application from unauthorized access. Whether you choose to run the proxy as a standalone service or as a WSGI worker alongside an upstream service, directory-proxy offers the flexibility and security measures needed to safeguard your application.

Do you have any questions about building a secure proxy service using directory-proxy? Feel free to ask in the comments section below.

Author: Blake Bradford
