build: whitelist calls to ODK Central from backend API (avoid ModSec)

hotosm · Mar 4, 2025 · 65c6e13 · 65c6e13
1 parent bf77377
commit 65c6e13
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 2 deletions.
diff --git a/compose.yaml b/compose.yaml
@@ -87,6 +87,8 @@ x-proxy-env: &proxy-env # General
   odkcentral_AUTO_REDIRECT_HTTP_TO_HTTPS: no
   odkcentral_CUSTOM_SSL_CERT_DATA: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUI5RENDQVhtZ0F3SUJBZ0lVWXFyb0dWRVdsK204eU9OY2pUU2pCWThkckN3d0NnWUlLb1pJemowRUF3SXcKRlRFVE1CRUdBMVVFQXd3S2IyUnJZMlZ1ZEhKaGJEQWdGdzB5TkRBM01qTXhNakF6TVRWYUdBOHlNVEkwTURZeQpPVEV5TURNeE5Wb3dGVEVUTUJFR0ExVUVBd3dLYjJSclkyVnVkSEpoYkRCMk1CQUdCeXFHU000OUFnRUdCU3VCCkJBQWlBMklBQktSZmpOQVFzWUI0ekNXckdETHdKNEVIRDRTNW5rL1Z3aG00TmYwN203c0RTai9RTzlYK0JnNjIKeWlMbWVzT1ZMRExHRklpZXZ2aHIrZkxNY0YwUDQwN0FWKytER1o5bXZ6VmNwMVdZMlE5NllpTVVuelM3MWx0RQo4K3BXbFBmanRLT0JoekNCaERBZEJnTlZIUTRFRmdRVWNVekZsNUpWN1dUM045VUhxbmhSRHlWT3ZjY3dId1lEClZSMGpCQmd3Rm9BVWNVekZsNUpWN1dUM045VUhxbmhSRHlWT3ZjY3dEd1lEVlIwVEFRSC9CQVV3QXdFQi96QXgKQmdOVkhSRUVLakFvZ2dwdlpHdGpaVzUwY21Gc2doUXFMbTlrYXk1bWJYUnRMbXh2WTJGc2FHOXpkSWNFQ2hRZQpNakFLQmdncWhrak9QUVFEQWdOcEFEQm1BakVBb2xuOGRubmlQN0dKSEJPQW4rTHVCV0ZhaUY1NHFZRmpTYyt1Clpia1cwY1pyNWw2VnZ6WVlBdGdWbUtOdTB5WWRBakVBMWlvT2JRTERYdDV3S1JPWjV5VUtmbys2T21IbTV1NWkKQU5LUHd2MExqc2ZIYk5hbzJMWnduK0VxTjNtdUpPNXEKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
   odkcentral_CUSTOM_SSL_KEY_DATA: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JRzJBZ0VBTUJBR0J5cUdTTTQ5QWdFR0JTdUJCQUFpQklHZU1JR2JBZ0VCQkRCc21pQjBmUU5hR1VobEdpWnMKNks1YVo1K1hUOVM1cFdlWkhZc05SVXRlK2FRZ1hIK0pTSmpwRnFqRnNLN21abldoWkFOaUFBU2tYNHpRRUxHQQplTXdscXhneThDZUJCdytFdVo1UDFjSVp1RFg5TzV1N0Ewby8wRHZWL2dZT3Rzb2k1bnJEbFN3eXhoU0lucjc0CmEvbnl6SEJkRCtOT3dGZnZneG1mWnI4MVhLZFZtTmtQZW1JakZKODB1OVpiUlBQcVZwVDM0N1E9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K
+  # Avoid running ModSec rules on calls to ODK Central from API
+  odkcentral_WHITELIST_IP: 10.20.30.51
 
 services:
   proxy:
@@ -162,7 +164,8 @@ services:
       - "7052-7055:8000"
     #   - "5678-5679:5678" # Debugger port
     networks:
-      - fmtm-net
+      fmtm-net:
+        ipv4_address: 10.20.30.51
     extra_hosts:
       odkcentral: 10.20.30.50
     restart: "unless-stopped"

diff --git a/deploy/compose.development.yaml b/deploy/compose.development.yaml
@@ -91,6 +91,8 @@ x-proxy-env: &proxy-env # General
   # buffer requests, but not responses, so streaming out works
   odk.dev.fmtm.hotosm.org_REVERSE_PROXY_BUFFERING: no
   odk.dev.fmtm.hotosm.org_MAX_CLIENT_SIZE: 500m
+  # Avoid running ModSec rules on calls to ODK Central from API
+  odk.dev.fmtm.hotosm.org_WHITELIST_IP: 10.20.30.51
 
 services:
   proxy:
@@ -146,7 +148,8 @@ services:
     env_file:
       - .env
     networks:
-      - fmtm-net
+      fmtm-net:
+        ipv4_address: 10.20.30.51
     restart: "unless-stopped"
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost:8000/__lbheartbeat__"]

diff --git a/deploy/compose.staging.yaml b/deploy/compose.staging.yaml
@@ -91,6 +91,8 @@ x-proxy-env: &proxy-env # General
   # buffer requests, but not responses, so streaming out works
   odk.stage.fmtm.hotosm.org_REVERSE_PROXY_BUFFERING: no
   odk.stage.fmtm.hotosm.org_MAX_CLIENT_SIZE: 500m
+  # Avoid running ModSec rules on calls to ODK Central from API
+  odk.stage.fmtm.hotosm.org_WHITELIST_IP: 10.20.30.51
 
 services:
   proxy: