restrict access to Django site from all IP’s on Webfaction

Django

restrict access to Django site from all IP’s on Webfaction

For this one project I wanted to deny all access to the site except for a certain IP address. I knew it could be done by using the mod_authz_host Apache Module (more info here), but I couldn’t get it to work on a Webfaction shared hosting account.

After exchanging some mails with the Webfaction support team (which is absolutely awesome by the way: very helpfull and best response time i’ve seen!) I got it working! Thought I’d share the problem and the solution and might help save someone some frustration.

The problem:

I could not access the site when I tried the following in my httpd.conf:
(xxx.xxx.xxx.xxx being the IP I wanted to grant access to)

…
<Location "/">
Order Deny,Allow
Deny from all
Allow from xxx.xxx.xxx.xxx
…

I found the following line in my error_log:
[Fri Oct 03 06:10:47 2008] [error] [client 127.0.0.1] client denied by server configuration


This made something clear to me: Webfaction uses the apache2 webserver on a custom port, and the main webserver forwards the request through to the Django site. This works great but the problem here is that all the requests appear to be from 127.0.0.1 so I can’t exclude any ip’s in the httpd.conf file.

The solution

The solution is to use the Apache setenvif_module module to check for which ip the request was forwarded. Here’s part of an example httpd.conf file:
. . .
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule setenvif_module modules/mod_setenvif.so
…
<Location "/">

# add a line like the following for each IP that you want to allow
SetEnvIf X-Forwarded-For "^xxx\.xxx\.xxx\.xxx$" allowed_ip

Order Deny,Allow
Deny from all
Allow from env=allowed_ip
…

If you got any questions about this, please use the comments below. If you’re looking for a good Django host for a reasonable price check out Webfaction !

© 2008 Django Days.