A sort of software firewall for your Django application which provides advanced capabilities for blocking or logging requests at runtime. Only for use in Wagtail projects; Django-only support might come in the future.
- IP
- USER_AGENT
- PATH
- QUERY_STRING
- REFERER
- COUNTRY
- METHOD
- HEADER
- Absolute (== in most cases. Differs for: IP (Checks subnet if cidr provided), COUNTRY (Checks country code or name as returned by GeoIP2))
- Glob (fnmatch)
- Regex (re)
- In (IP based on cidr, splits most filter_value's by comma and checks if the request's value is in the list)
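A minimal sketch of how the four match methods above behave, added here as an illustration and not taken from the package's own code. The function names, rule tuples and sample values are constructed; case-sensitive glob and unanchored regex search are assumptions, and COUNTRY matching (which needs GeoIP2) is left out.

```python
import fnmatch
import ipaddress
import re

def _ip_in(value: str, spec: str) -> bool:
    """True if address `value` equals `spec` or lies inside the CIDR `spec`."""
    try:
        addr = ipaddress.ip_address(value.strip())
        net = ipaddress.ip_network(spec.strip(), strict=False)
    except ValueError:
        return False  # a malformed address or network never matches
    return addr.version == net.version and addr in net

def matches(method: str, filter_value: str, request_value: str, is_ip: bool = False) -> bool:
    """Evaluate one filter_value against one request value."""
    if method == "absolute":  # ==, except IP which also accepts a CIDR
        if is_ip:
            return _ip_in(request_value, filter_value)
        return request_value == filter_value
    if method == "glob":  # assumption: case-sensitive fnmatch
        return fnmatch.fnmatchcase(request_value, filter_value)
    if method == "regex":  # assumption: unanchored search
        return re.search(filter_value, request_value) is not None
    if method == "in":  # comma-separated list; IP entries may be CIDRs
        items = [v.strip() for v in filter_value.split(",") if v.strip()]
        if is_ip:
            return any(_ip_in(request_value, item) for item in items)
        return request_value in items
    raise ValueError(f"unknown match method: {method!r}")

# Constructed sample rules: (name, filter type, method, filter_value)
SAMPLE_RULES = [
    ("bad-bot-ua", "USER_AGENT", "glob", "*BadBot*"),
    ("dotenv-probe", "PATH", "regex", r"(^|/)\.env$"),
    ("blocked-range", "IP", "absolute", "203.0.113.0/24"),
    ("odd-methods", "METHOD", "in", "TRACE, CONNECT"),
    ("listed-ips", "IP", "in", "198.51.100.7, 2001:db8::/32"),
]

def hits(request: dict) -> list:
    """Return the names of the sample rules that match a request dict."""
    return [
        name
        for name, field, method, value in SAMPLE_RULES
        if matches(method, value, request.get(field, ""), is_ip=(field == "IP"))
    ]
```

A missing or malformed IP value never matches an IP rule here, so such a request falls through to whatever the default check decides.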
Has a view to easily analyse the overall behaviour of filters in a chart.
- Add 'request_filters' to your INSTALLED_APPS setting like this:

  INSTALLED_APPS = [ ..., 'request_filters', ]

- Add request_filters.middleware.RequestFilterMiddleware to your MIDDLEWARE as the FIRST ENTRY.

  MIDDLEWARE = [ 'request_filters.middleware.RequestFilterMiddleware', ..., ]

- See the options section for more information on how to configure the app.
- Log into your wagtail admin and configure your filters.
You must appropriately configure django geoip2.
More information on how this can be done is found here.
List of excluded apps. All requests to these apps will be allowed (if resolver_match is available). Exclusions should preferably happen via IP ranges or absolute IPs.
REQUEST_FILTERS_EXCLUDED_APPS: list[str] = [
"admin",
]
Excluded paths. All requests to these paths will skip filtering.
Paths should be in the format of a glob pattern. Exclusions should preferably happen via IP ranges or absolute IPs.
REQUEST_FILTERS_EXCLUDED_PATHS: list[str] = [
"/admin/*",
f"{getattr(settings, 'STATIC_URL', '/static/')}*",
f"{getattr(settings, 'MEDIA_URL', '/media/')}*",
]
Excluded IP addresses. All requests from these IPs will be allowed.
# This is the safest way to exclude requests from being filtered.
REQUEST_FILTERS_EXCLUDED_IPS: list[str] = [
"127.0.0.0/8", "::1/128",
]
Caching settings and their defaults.
# Default cache backend to use for storing settings and filters
REQUEST_FILTERS_CACHE_BACKEND: str = "default"
# Namespaces for cache keys.
REQUEST_FILTERS_SETTINGS_CACHE_KEY: str = "request_filters_settings"
REQUEST_FILTERS_FILTERS_CACHE_KEY: str = "request_filters_filters"
# Timeout the cache for the filter settings for 5 minutes by default
REQUEST_FILTERS_SETTINGS_CACHE_TIMEOUT: timezone.timedelta = timezone.timedelta(minutes=5)
# Timeout the cache for the filters for 1 hour by default
REQUEST_FILTERS_FILTERS_CACHE_TIMEOUT: timezone.timedelta = timezone.timedelta(hours=1)
# Clear cache when settings are saved
REQUEST_FILTERS_CLEAR_CACHE_ON_SAVE_SETTINGS: bool = True
# Clear cache when filters are saved
REQUEST_FILTERS_CLEAR_CACHE_ON_SAVE_FILTERS: bool = True
Message shown when a filter raises an exception, or blocks the request.
REQUEST_FILTERS_BLOCK_MESSAGE: str = _("You are not allowed to access this resource")
Add headers to the response which display minimal information about the filters.
REQUEST_FILTERS_ADD_FILTER_HEADERS: bool = True # Add headers to the response which display minimal information about the filters.
Not recommended for production.
REQUEST_FILTERS_LOG_HAPPY_PATH: bool = False # Log requests that are allowed by the filters
REQUEST_FILTERS_DEFAULT_CHECK_VALUE: Union[bool, callable] = True # Allow checks to pass by default
REQUEST_FILTERS_DEFAULT_ACTION_VALUE: callable = lambda self, filter, settings, request, get_response: HttpResponseForbidden(
_("You are not allowed to access this resource")
)
REQUEST_FILTERS_REGISTER_TO_MENU: str = "register_settings_menu_item" # Register to a menu hook.