Put all /metrics endpoints behind auth

9360faf7 · Kristian Klausen · 5374ff60 · 9360faf7 · 9360faf7 · 9360faf7
Commit 9360faf7 authored 3 years ago by Kristian Klausen
--- a/group_vars/all/vault_grafana.yml
+++ b/group_vars/all/vault_grafana.yml
 $ANSIBLE_VAULT;1.1;AES256
-30343635623662626436393831386266353561386231373066373638393830306539343630393633
-6436343736396133623364383261353937643037613435630a313662633335373365316230303234
-32333336633738383435643762333561343034376264303736343138636564623432636133313765
-6232333937613031330a353466656534376565636137653165396632316261306533366239656465
-66663832306138343361346637636534396533623939333962653164643838316463666632643938
-6165623333313564643834343262393538663435366432666131
+33303032383363646637316136373435613162343563656333343061636335363135366662623033
+3833393361303933343134333865653935616563343766650a386339333365623732656633666533
+31396436373530623666623933653433346331393033313364313166636335613531383238646539
+3764346333323962340a366463666662356563636664323235316662653161623261623430653766
+37626463323563393433343461333563663561373862633239393166613463333863336236376336
+32386164363864303939313338636331653432393431366337336136373933663534316262636335
+65343237356562396137346431366364336231633635663432636636303331333437316162613538
+62393732653064316466613832346334643765643964303438336662653931313861353039386263
+31666637303066353534366237643266306263663332373362663263353665613066
--- a/group_vars/all/vault_hedgedoc.yml
+++ b/group_vars/all/vault_hedgedoc.yml
 $ANSIBLE_VAULT;1.1;AES256
-63373465656232323265643638376633383230643139323535656565396362636330396130663263
-6233666233646537363536323032366337613765336530350a336130303663383337643737323665
-66393863666135616430643931376239616266616664623034653134303563306239653736616464
-3666386534306434640a386261383039643937316564303561666133643536353839346262353833
-63313264363162336166666361366533336265386433376136623435666661363861663239303236
-32623930393838323964646166393037633564343262336565383331636633666230313434326635
-35366433313636646466303565356138386436323266316534343231303861336462343637383065
-66643663356363356466613933376331656432306434393432643163326663343161636333303134
-62383362393933636164363666613230316439396235383636346530343536636432343330623330
-33373135343033623437613836393564376366613366636662383337623534386161623663386631
-356435336630613834356535646239616139
+61643961653135363134373939383336353031333730303262376130643562356631666462663837
+3031373734656539393930373938643139323633336135390a396430383064376431633839303730
+65323464633737353234636530356662666433623730303765643532623137623338376164633265
+3262373263626261640a623236383564346239383630373138363264383535366366663163646262
+36386166336361623336376436346662393831313263616131326433663534373437323265333330
+32303162383762336531623664373563613536366433323730323736326664643262656532383761
+64653535343762666262386361653966653333373363303165663836303636336363356461646465
+34646264343165353131613234356237383536653938636137626365313438363437386632653532
+30336438373364636434356431373862633133306336393466643231636637393866336134303766
+31613130636632303539353462386161616364626463646539303061356131353532626466663439
+64303433653832633662663765316262373335393665306438653232653062303036313563666432
+61326237343432626230373065383166643265633532313033623134366561383536653438393030
+36643834356263653930386531343566613832663230363036353233353631383663626333383737
+6230666363303436333835333463626230646464396564393363
--- a/roles/grafana/tasks/main.yml
+++ b/roles/grafana/tasks/main.yml
@@ -10,7 +10,7 @@
    domains: ["{{ grafana_domain }}"]

 - name: set up nginx
-  template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/grafana.conf owner=root group=root mode=644
+  template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/grafana.conf owner=root group=http mode=640
  notify:
    - reload nginx
  tags: ['nginx']

--- a/roles/grafana/templates/nginx.d.conf.j2
+++ b/roles/grafana/templates/nginx.d.conf.j2
@@ -29,8 +29,8 @@ server {
    listen       [::]:443 ssl http2;
    server_name  {{ grafana_domain }};

-    access_log   /var/log/nginx/{{ grafana_domain }}/access.log reduced;
-    access_log   /var/log/nginx/{{ grafana_domain }}/access.log.json json_reduced;
+    access_log   /var/log/nginx/{{ grafana_domain }}/access.log main;
+    access_log   /var/log/nginx/{{ grafana_domain }}/access.log.json json_main;
    error_log    /var/log/nginx/{{ grafana_domain }}/error.log;

    ssl_certificate      /etc/letsencrypt/live/{{ grafana_domain }}/fullchain.pem;
@@ -39,12 +39,21 @@ server {

    root {{ grafana_domain }};

-    location / {
-        access_log   /var/log/nginx/{{ grafana_domain }}/access.log main;
-        access_log   /var/log/nginx/{{ grafana_domain }}/access.log.json json_main;
+{% set proxy -%}
        proxy_pass http://grafana;
-	proxy_set_header X-Forwarded-For      $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-For      $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
+{%- endset %}
+
+    location / {
+        {{ proxy }}
+    }
+
+    location = /metrics {
+        if ($http_authorization != "Bearer {{ vault_grafana_metrics_token }}") {
+            return 403;
+        }
+        {{ proxy }}
    }
 }
--- a/roles/hedgedoc/tasks/main.yml
+++ b/roles/hedgedoc/tasks/main.yml
@@ -25,7 +25,7 @@
  file: path=/var/log/nginx/{{ hedgedoc_domain }} state=directory owner=root group=root mode=0755

 - name: set up nginx
-  template: src=nginx.d.conf.j2 dest={{ hedgedoc_nginx_conf }} owner=root group=root mode=644
+  template: src=nginx.d.conf.j2 dest={{ hedgedoc_nginx_conf }} owner=root group=http mode=640
  notify: reload nginx
  tags: ['nginx']


--- a/roles/hedgedoc/templates/nginx.d.conf.j2
+++ b/roles/hedgedoc/templates/nginx.d.conf.j2
@@ -36,21 +36,32 @@ server {
    ssl_certificate_key  /etc/letsencrypt/live/{{ hedgedoc_domain }}/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/{{ hedgedoc_domain }}/chain.pem;

+{% set proxy -%}
+        proxy_pass http://hedgedoc;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+{%- endset %}
+
    location / {
-       proxy_pass http://hedgedoc;
-       proxy_set_header Host $host;
-       proxy_set_header X-Real-IP $remote_addr;
-       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-       proxy_set_header X-Forwarded-Proto $scheme;
+        {{ proxy }}
+    }
+
+    location = /status {
+        return 403;
+    }
+
+    location = /metrics {
+        if ($http_authorization != "Bearer {{ vault_hedgedoc_metrics_token }}") {
+            return 403;
+        }
+        {{ proxy }}
    }

    location /socket.io/ {
-       proxy_pass http://hedgedoc;
-       proxy_set_header Host $host;
-       proxy_set_header X-Real-IP $remote_addr;
-       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-       proxy_set_header X-Forwarded-Proto $scheme;
-       proxy_set_header Upgrade $http_upgrade;
-       proxy_set_header Connection $connection_upgrade;
+        {{ proxy }}
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
   }
 }