From 19afbc737c213e2ff8f9a7a0476f895a2654726a Mon Sep 17 00:00:00 2001
From: Lars Meijers
Date: Wed, 7 Feb 2024 14:55:09 +0100
Subject: [PATCH] added healthcheck middleware for ALBs
---
 dojo/middleware.py | 19 +++++++++++++++++++
 dojo/settings/settings.dist.py | 1 +
 helm/defectdojo/values.yaml | 2 ++
 nginx/nginx.conf | 8 +++++++-
 nginx/nginx_TLS.conf | 7 +++++++
 5 files changed, 36 insertions(+), 1 deletion(-)
diff --git a/dojo/middleware.py b/dojo/middleware.py
index 733c66f4cd4..8ca34a3d7cb 100644
--- a/dojo/middleware.py
+++ b/dojo/middleware.py
@@ -6,6 +6,7 @@ from threading import local
 from django.db import models
 from django.urls import reverse
+from django.http import HttpResponse
 logger = logging.getLogger(__name__)
@@ -164,3 +165,21 @@ def __init__(self, get_response):
 def __call__(self, request):
 request.META.update(settings.ADDITIONAL_HEADERS)
 return self.get_response(request)
+
+
+class HealthCheckMiddleware:
+ """
+ Middleware that will allow for a healthcheck to return UP without the caller being in the
+ DJANGO ALLOWED_HOSTS list. Needed for AWS ALB healthchecks and improves general k8 healthchecks
+ """
+
+ def __init__(self, get_response):
+
+ self.get_response = get_response
+
+ def __call__(self, request):
+ if request.META['PATH_INFO'] == '/health':
+ return HttpResponse('UP!')
+ else:
+ response = self.get_response(request)
+ return response
diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py
index ede8ae60f08..b84eb40baec 100644
--- a/dojo/settings/settings.dist.py
+++ b/dojo/settings/settings.dist.py
@@ -920,6 +920,7 @@ def generate_url(scheme, double_slashes, user, password, host, port, path, param
 # MIDDLEWARE
 # ------------------------------------------------------------------------------
 DJANGO_MIDDLEWARE_CLASSES = [
+ 'dojo.middleware.HealthCheckMiddleware',
 'django.middleware.common.CommonMiddleware',
 'dojo.middleware.APITrailingSlashMiddleware',
 'dojo.middleware.DojoSytemSettingsMiddleware',
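Review bot: In `HealthCheckMiddleware.__call__` the `/health` branch answers every HTTP method before any other middleware runs, so the `limit_except GET` added to the nginx configs in this patch is the only method restriction, and it does not apply wherever uWSGI is reached without that nginx location. Matching on the method as well keeps this unauthenticated, host-check-exempt surface as small as a probe needs: `if request.path_info == '/health' and request.method in ('GET', 'HEAD'):` (`request.path_info` is the documented accessor for the value read from `request.META['PATH_INFO']`). The docstring should also state what makes skipping ALLOWED_HOSTS acceptable here, namely that the response is a constant and nothing from the request (Host header included) is echoed, and that `UP!` only shows the WSGI process is answering, not that the database or workers are reachable. The `else:` after the `return` can be dropped.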
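Review bot: The position of `'dojo.middleware.HealthCheckMiddleware'` at the head of `DJANGO_MIDDLEWARE_CLASSES` is load-bearing but undocumented: the health response only avoids ALLOWED_HOSTS validation while it sits ahead of every middleware that calls `request.get_host()` (presumably `CommonMiddleware`, the next entry). A comment on the new line would keep a later reorder from silently breaking load-balancer probes, e.g. `# Must stay first: /health is answered before host validation (ALLOWED_HOSTS) runs`. It is worth adding there that responses from this path bypass every middleware listed below it, so they carry none of the headers those add. The list continues past the end of the hunk.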
diff --git a/helm/defectdojo/values.yaml b/helm/defectdojo/values.yaml
index c9b098b7706..4ee27a4fd92 100644
--- a/helm/defectdojo/values.yaml
+++ b/helm/defectdojo/values.yaml
@@ -201,6 +201,8 @@ django:
 # Depending on the size and complexity of your scans, you might want to increase the default ingress timeouts if you see repeated 504 Gateway Timeouts
 # nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"
 # nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"
+ # specific for AWS deployments Defectdojo has the /health endpoint for ALB healthchecks
+ # alb.ingress.kubernetes.io/healthcheck-path: /health
 nginx:
 tls:
 enabled: false
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index aaa62e7e431..f0368ed55e4 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -72,7 +72,13 @@ http {
 include /etc/nginx/wsgi_params;
 access_log off;
 }
-
+ # Used by AWS ALB health checks
+ location = /health {
+ limit_except GET { deny all; }
+ include /run/defectdojo/uwsgi_pass;
+ include /etc/nginx/wsgi_params;
+ access_log off;
+ }
 error_page 500 502 503 504 /50x.html;
 }
diff --git a/nginx/nginx_TLS.conf b/nginx/nginx_TLS.conf
index 59edae6e9c0..cac7a890404 100644
--- a/nginx/nginx_TLS.conf
+++ b/nginx/nginx_TLS.conf
@@ -134,6 +134,13 @@ http {
 include /etc/nginx/wsgi_params;
 access_log off;
 }
+ # Used by AWS ALB health checks
+ location = /health {
+ limit_except GET { deny all; }
+ include /run/defectdojo/uwsgi_pass;
+ include /etc/nginx/wsgi_params;
+ access_log off;
+ }
 error_page 500 502 503 504 /50x.html;
 }
 }
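Review bot: The new `location = /health` in nginx.conf (repeated verbatim in nginx_TLS.conf) sets `access_log off` on an endpoint that is intentionally reachable without authentication or host validation, so requests to it from anything other than the load balancer leave no record in nginx while each one is still passed to uWSGI. If the aim is only to keep probe noise out of the logs, say so in the comment, e.g. `# access_log off: load-balancer probes are frequent; requests here are deliberately unlogged`, and consider either keeping the log for this location or applying a `limit_req` zone so the path is rate-bounded. `limit_except GET` also admits HEAD, which is all a probe needs. The hunks do not show which `server` block each location lands in, so confirm that the listener the ALB targets actually contains it.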