Skip to main content

Hide your Django site behind basic authentication mechanism with IP whitelisting support.

Project description

GitHub actions CI status https://img.shields.io/pypi/v/django-basic-auth-ip-whitelist.svg https://img.shields.io/pypi/dm/django-basic-auth-ip-whitelist.svg

This simple package ships middleware that lets you to set basic authentication and IP whitelisting via Django settings.

Use case

This package has been created for staging and demo sites that need to be completely hidden from the Internet behind a password or accessible only to certain IP networks.

Do not depend on this package to protect highly valuable information. This package is at a good way to disable staging sites being discovered by search engines and Internet users trying to access staging sites. It is advised that any sensitive information is protected using Django authentication system.

Requirements

  • Django 1.8, 1.9, 1.10, 1.11, 2.0, 2.1, 2.2 or 3.0.

  • Python 3.4, 3.5, 3.6, 3.7 or 3.8.

Installation

The package is on PyPI so you can just install it with pip.

pip install django-basic-auth-ip-whitelist

Configuration

In your Django settings you can configure the following settings:

BASIC_AUTH_LOGIN and BASIC_AUTH_PASSWORD

Credentials that you want to use with your basic authentication.

BASIC_AUTH_WHITELISTED_IP_NETWORKS

Set a list of network ranges (strings) compatible with Python’s ipaddress.ip_network that you want to be able to access the website without authentication from. It must be either a string with networks separated by comma or Python iterable.

Warning: See [Getting IP Address](#getting-ip-address) below for caveats around IP address detection.

BASIC_AUTH_REALM

String specifying the realm of the default response.

Example settings

MIDDLEWARE += [
    'baipw.middleware.BasicAuthIPWhitelistMiddleware'
]
BASIC_AUTH_LOGIN = 'somelogin'
BASIC_AUTH_PASSWORD = 'greatpassword'
BASIC_AUTH_WHITELISTED_IP_NETWORKS = [
    '192.168.0.0/28',
    '2001:db00::0/24',
]

Advanced customisation

Getting IP Address

By default, BasicAuthIPWhitelistMiddleware uses request.META["REMOTE_ADDR"] as the client’s IP, which corresponds to the IP address connecting to Django. If you have a reverse proxy (eg nginx in front), this will result in the IP address of nginx, not the client.

Correctly determining the IP address can vary between deployments. Guessing incorrectly can result in security issues. Instead, this library requires you configure this yourselves.

In most deployments, the X-Forwarded-For header can be used to correctly determine the client’s IP. We recommend django-xff to help parse this header correctly. Because django-xff overrides REMOTE_ADDR by default, it is natively supported by BasicAuthIPWhitelistMiddleware.

django-ipware is another popular library, however may take more customization to implement.

To fully customize IP address detection, you can set BASIC_AUTH_GET_CLIENT_IP_FUNCTION to a function which takes a request and returns a valid IP address:

BASIC_AUTH_GET_CLIENT_IP_FUNCTION = 'utils.ip.get_client_ip'

BASIC_AUTH_WHITELISTED_HTTP_HOSTS

Set a list of hosts that your website will be open to without basic authentication. This is useful if your website is hosted under multiple domains and you want only one of them to be publicly visible, e.g. by search engines.

This is by no means a security feature. Please do not use to secure your site.

BASIC_AUTH_WHITELISTED_HTTP_HOSTS = [
    'your-public-domain.com',
]

BASIC_AUTH_WHITELISTED_PATHS

Set a list of paths that your website will serve without basic authentication. This can be used to support API integrations for example with third-party services which don’t support basic authentication.

Paths listed in the setting BASIC_AUTH_WHITELISTED_PATHS are treated as roots, and any subpath will be whitelisted too. For example:

BASIC_AUTH_WHITELISTED_PATHS = [
    '/api',
]

This will open up the path https://mydomain.com/api/, as well as anything below it, e.g. https://mydomain.com/api/document/1/.

BASIC_AUTH_RESPONSE_TEMPLATE

If you want to display a different template on the 401 page, please use this setting to point at the template.

BASIC_AUTH_RESPONSE_TEMPLATE = '401.html'

BASIC_AUTH_RESPONSE_CLASS

If you want to specify custom response class, you can do so with this setting. Provide the path as a string.

BASIC_AUTH_RESPONSE_CLASS = 'yourmodule.response.CustomUnathorisedResponse'

BASIC_AUTH_DISABLE_CONSUMING_AUTHORIZATION_HEADER

Set this setting to True if you want the Authorization HTTP header to not be deleted from the request object after it has been used by this package’s middleware.

BASIC_AUTH_DISABLE_CONSUMING_AUTHORIZATION_HEADER = True

Skip middleware

You can skip the middleware by setting _skip_basic_auth_ip_whitelist_middleware_check attribute on the request to True.

setattr(request, '_skip_basic_auth_ip_whitelist_middleware_check', True)

This may be handy if you have other middleware that you want to have co-existing different middleware that restrict access to the website.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

django_basic_auth_ip_whitelist-0.6.0.tar.gz (8.6 kB view details)

Uploaded Source

Built Distribution

File details

Details for the file django_basic_auth_ip_whitelist-0.6.0.tar.gz.

File metadata

File hashes

Hashes for django_basic_auth_ip_whitelist-0.6.0.tar.gz
Algorithm Hash digest
SHA256 51fbef4d483cfccb15d0c38605fd149fd307314ad8a9308580a6b693b94b3329
MD5 82e7a9b278bd9edca8a95f7d3246fd5d
BLAKE2b-256 e000ca5e42ef76363ae9925e0e14a6e0a45885ff2232bb012f8c757584442061

See more details on using hashes here.

File details

Details for the file django_basic_auth_ip_whitelist-0.6.0-py3-none-any.whl.

File metadata

File hashes

Hashes for django_basic_auth_ip_whitelist-0.6.0-py3-none-any.whl
Algorithm Hash digest
SHA256 f866c1822861ab6612efb9adec03b12279a82314783aa721c843acfbea04b0b7
MD5 9d572ad625e001bfce085c3dacf72f8e
BLAKE2b-256 15961905aa2ae964a2df058215f44eef6850142ecd41b09b26bff74d4faeb1b5

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page