Prevent importing works from non-public URLs

Description

When using the import form, it was possible to fill in non-public URLs such as the Elasticsearch cluster's GET endpoints and get back their contents in the imported work's body. Users cannot reach those URLs directly but the Rails application can.

Systems set up a proxy and set the http_proxy environment variable on the Rails app processes, forcing all HTTP connections to go through this proxy. However, we want to route New Relic connections directly to New Relic rather than going via the proxy.

Testing

Log on to the proxy and see there are no connections to New Relic. Note that this can only be tested by Systems once the New Relic configuration is updated.
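
An application-side check for the problem in the Description, as an added example that is not the project's code: the ticket's own fix is the forced proxy, and this Ruby code only shows how an import URL could be rejected before fetching when its host is or resolves to a non-public address. The method names, the `resolver` parameter, the address list and the sample hosts are assumptions made up for illustration.

```ruby
require "ipaddr"
require "resolv"
require "uri"

# Address ranges an import fetch should never reach (assumed list:
# "this network", RFC 1918, CGNAT, loopback, link-local, IPv6 equivalents).
NON_PUBLIC_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::/128 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

# True when the address string falls in one of the ranges above.
def non_public_ip?(address)
  ip = IPAddr.new(address)
  ip = ip.native if ip.ipv4_mapped? # ::ffff:10.0.0.5 is really 10.0.0.5
  NON_PUBLIC_RANGES.any? { |range| range.include?(ip) }
end

# True only for http(s) URLs whose host is, or resolves exclusively to,
# public addresses. The resolver is injectable (hypothetical parameter) so
# the check can be exercised without DNS.
def importable_url?(url, resolver: ->(host) { Resolv.getaddresses(host) })
  uri = URI.parse(url)
  return false unless uri.is_a?(URI::HTTP) # URI::HTTPS is a subclass
  host = uri.hostname.to_s                 # hostname strips IPv6 brackets
  return false if host.empty?

  addresses = begin
    [IPAddr.new(host).to_s]                # host is an IP literal
  rescue IPAddr::InvalidAddressError
    resolver.call(host)                    # host is a name: check every record
  end
  !addresses.empty? && addresses.none? { |addr| non_public_ip?(addr) }
rescue URI::InvalidURIError, IPAddr::InvalidAddressError
  false # unparseable input is rejected, not fetched
end

# Constructed sample inputs (not taken from the ticket).
if __FILE__ == $PROGRAM_NAME
  lookup = { "public.example" => ["93.184.216.34"], "internal.example" => ["10.0.0.5"] }
  fake_dns = ->(host) { lookup.fetch(host, []) }
  %w(http://public.example/works/1 http://internal.example:9200/_search
     http://10.0.0.5:9200/ http://[::1]:9200/).each do |url|
    puts format("%-40s %s", url, importable_url?(url, resolver: fake_dns) ? "allow" : "reject")
  end
end
```

A check like this only holds if the fetch then connects to the address that was vetted and the check is repeated on every redirect.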

Activity

james_
July 18, 2020, 10:56 AM

Restarted squid on the proxy and rotated the logs

No sign of New Relic in the access log

root@uk-proxy01:/home/james_# cat !$
cat /var/log/squid/access.log
1595069544.155 487 10.10.8.48 TCP_MISS_ABORTED/200 14648 GET http://yuletidetreasure.org/images/yuletide-th.jpg - HIER_DIRECT/64.90.37.150 image/jpeg
1595069546.894 304 10.10.8.48 TCP_MISS_ABORTED/200 14648 GET http://yuletidetreasure.org/images/yuletide-th.jpg - HIER_DIRECT/64.90.37.150 image/jpeg
root@uk-proxy01:/home/james_#

Data still in New Relic

DeployedToBeta

Assignee

james_

Reporter

Sarken

Roadmap

Work Importing

Priority

Highest

Affects versions

Fix versions

Components

BackEnd

Difficulty

Hard

Milestone

Internal 0.9