
I have a cookiecutter-django based setup with docker-compose, with a mailing service from Mailjet with Anymail on a VPS on Vultr for staging. I use traefik as a reverse-proxy.

I occasionally get emails from the app for 404 errors when I or my partner tries an invalid link.

But since 3 days ago, I have been getting hundreds of emails a day for 404 errors with URL paths that can be considered usual defaults for many different frameworks such as /login, /Home/Login, /static/style.css, etc.

That in itself would have been easy to fix, if Traefik was the container receiving the requests. No, the emails all say I'm getting the request from 172.19.0.08, whereas my project (nothing else is running in this VPS to my understanding) uses 172.20.0.X as the network.

I even set up a RateLimit middleware in traefik but it was pointless since the requests never go through traefik.

I am not very good at networks so I do not know how to identify what is happening here. Django logs don't show the requests either to my understanding although I don't have a very detailed django logging config set up (used default from cookiecutter with DEBUG as the level).

What could be the possible reason for this?

1 Answer


You are correct that your issue is related to the networking setup. Your application is receiving web traffic that is bypassing your reverse proxy and hitting your Django app directly.

The pattern of requests suggests that they are done by an automated scanner/bot used to look for vulnerabilities in web applications. It's a security issue.

Check if the port Django is running on is exposed directly to the public. If so, that means anyone could access your app bypassing Traefik. Ensure only the necessary ports (like the ones used by Traefik) are exposed to the public. For instance, if your Docker Compose file has a line like ports: - "8000:8000" for your Django app, consider removing it and letting only Traefik expose necessary ports.

Check your VPS's firewall settings. Make sure that the only ports open to the outside world are those necessary for your application and Traefik to function properly.

Keilo
  • It seems, from the emails, that the requests are hitting at 80 and 443 ports but Traefik logs do not show anything that matches the errors. I checked the ports for other containers but none of them exposed any ports, EXCEPT, a coturn container that I had on host mode in the same compose file. Could that have been a cause? It should not have been able to access the project network though but I can imagine I screwed up security in my lack of understanding. But the coturn container exposes 3 ports which does not include 443, which still gets error emails. – Mikhail Skorikov Jul 24 '23 at 04:03
  • What I don't understand is why the IP would be 172.19.0.8 (which I thought was an internal docker network IP?) if the request is from an external source. I tried setting up IP in django logger, but I'm not good at that either so I'm still figuring that out. The VPS firewalls are not implemented as of yet but that's my next step. – Mikhail Skorikov Jul 24 '23 at 04:05
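
The port check described in the answer, as an added example that is not part of the original answer or comments: it reads the JSON printed by `docker compose config --format json` and lists every service other than the proxy that publishes a host port or runs with host networking. The sample config, the service names and the `audit` function are constructed for illustration.

```python
import json

# Constructed sample shaped like `docker compose config --format json` output;
# service names and ports are illustrative, not taken from the page.
SAMPLE = json.loads("""
{
  "services": {
    "traefik": {"ports": [
      {"mode": "ingress", "target": 80, "published": "80", "protocol": "tcp"},
      {"mode": "ingress", "target": 443, "published": "443", "protocol": "tcp"}]},
    "django": {"ports": [
      {"mode": "ingress", "target": 8000, "published": "8000", "protocol": "tcp"}]},
    "postgres": {"ports": [
      {"mode": "ingress", "host_ip": "127.0.0.1", "target": 5432,
       "published": "5432", "protocol": "tcp"}]},
    "coturn": {"network_mode": "host"},
    "redis": {}
  }
}
""")

LOOPBACK = {"127.0.0.1", "::1"}


def audit(config, proxy="traefik"):
    """Return (service, reason) findings for anything reachable around the proxy."""
    findings = []
    for name, svc in sorted(config.get("services", {}).items()):
        if svc.get("network_mode") == "host":
            # Host mode shares the host's network stack: every listening
            # socket in the container is on the host's interfaces.
            findings.append((name, "network_mode: host"))
        if name == proxy:
            continue  # the proxy is the one service meant to publish ports
        for port in svc.get("ports") or []:
            host_ip = port.get("host_ip") or "0.0.0.0"
            if host_ip in LOOPBACK:
                continue  # bound to loopback only, not reachable externally
            findings.append(
                (name, f"publishes {host_ip}:{port.get('published')}"
                       f"->{port.get('target')}/{port.get('protocol', 'tcp')}"))
    return findings


if __name__ == "__main__":
    for service, reason in audit(SAMPLE):
        print(f"{service}: {reason}")
```

Against a real project, load the output of `docker compose config --format json` in place of `SAMPLE`; an empty result means only the proxy publishes ports.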