Almost embarrassed to admit that I spent much of the day trying to figure why my attempts at applying a custom nginx configuration scheme to block access to the editable content on my test site at http://xword-hints.eu-west-1.elasticbeanstalk.com/ were failing because the default Python instance actually runs Apache httpd!
There was certainy enough evidence in the logs but as soon as I figured out how to SSH to the instance, it didn’t take long.
For reference, SSHing to the instance requires that the EC2 key pair be applied to the environment through the Security settings; it’s likely that this can also be done via the CLI.
Checking the EC2 control panel for the instances will give the hostname to use for SSH login; just change the path to the SSH key that has been uploaded to AWS.
$ ssh -i ~/.ssh/private-key email@example.com
There are couple of ways of applying the custom configuration needed to restrict access to the editable resources but the method I settled on was by adding the content to the .ebextensions/options.config with an entry in a section called files:
option_settings: aws:elasticbeanstalk:application:environment: SECRET_KEY: ChangeMe aws:elasticbeanstalk:container:python: WSGIPath: crossword_hints.py files: /etc/httpd/conf.d/xword-hints-deny.conf: mode: 0644 content: | <LocationMatch "/(crossword-solutions|crossword-setters|setter-types|solution-types)/[0-9]+/(edit|delete)"> Require all denied </LocationMatch> <LocationMatch "/(crossword-solutions|crossword-setters|setter-types|solution-types)/new"> Require all denied </LocationMatch> ErrorDocument 403 /static/403-xword-hints.html
It’s important to ensure that the indentation is correct for the file definition and content; the following deployment error will be thrown if not:
Service:AmazonCloudFormation, Message:[/Resources/AWSEBAutoScalingGroup/Metadata/AWS::CloudFormation::Init/prebuild_0_crossword_hints/files//etc/httpd/conf.d/xword-hints-deny.conf] 'null' values are not allowed in templates
The application needs to includes the 403 document, 403-xword-hints.html, because the web server will pass the request for the custom error page to it as a normal HTTP request.
With all this in place, the application is reasonably safe to leave running on the internet with any attempt to create, edit or delete content yielding a permissions error.
And the updates are still be applied by a Jenkins job pulling branch code from GitHub.