Commit 9360faf7 authored by Kristian Klausen's avatar Kristian Klausen 🎉

Put all /metrics endpoints behind auth

parent 5374ff60
$ANSIBLE_VAULT;1.1;AES256
30343635623662626436393831386266353561386231373066373638393830306539343630393633
6436343736396133623364383261353937643037613435630a313662633335373365316230303234
32333336633738383435643762333561343034376264303736343138636564623432636133313765
6232333937613031330a353466656534376565636137653165396632316261306533366239656465
66663832306138343361346637636534396533623939333962653164643838316463666632643938
6165623333313564643834343262393538663435366432666131
33303032383363646637316136373435613162343563656333343061636335363135366662623033
3833393361303933343134333865653935616563343766650a386339333365623732656633666533
31396436373530623666623933653433346331393033313364313166636335613531383238646539
3764346333323962340a366463666662356563636664323235316662653161623261623430653766
37626463323563393433343461333563663561373862633239393166613463333863336236376336
32386164363864303939313338636331653432393431366337336136373933663534316262636335
65343237356562396137346431366364336231633635663432636636303331333437316162613538
62393732653064316466613832346334643765643964303438336662653931313861353039386263
31666637303066353534366237643266306263663332373362663263353665613066
$ANSIBLE_VAULT;1.1;AES256
63373465656232323265643638376633383230643139323535656565396362636330396130663263
6233666233646537363536323032366337613765336530350a336130303663383337643737323665
66393863666135616430643931376239616266616664623034653134303563306239653736616464
3666386534306434640a386261383039643937316564303561666133643536353839346262353833
63313264363162336166666361366533336265386433376136623435666661363861663239303236
32623930393838323964646166393037633564343262336565383331636633666230313434326635
35366433313636646466303565356138386436323266316534343231303861336462343637383065
66643663356363356466613933376331656432306434393432643163326663343161636333303134
62383362393933636164363666613230316439396235383636346530343536636432343330623330
33373135343033623437613836393564376366613366636662383337623534386161623663386631
356435336630613834356535646239616139
61643961653135363134373939383336353031333730303262376130643562356631666462663837
3031373734656539393930373938643139323633336135390a396430383064376431633839303730
65323464633737353234636530356662666433623730303765643532623137623338376164633265
3262373263626261640a623236383564346239383630373138363264383535366366663163646262
36386166336361623336376436346662393831313263616131326433663534373437323265333330
32303162383762336531623664373563613536366433323730323736326664643262656532383761
64653535343762666262386361653966653333373363303165663836303636336363356461646465
34646264343165353131613234356237383536653938636137626365313438363437386632653532
30336438373364636434356431373862633133306336393466643231636637393866336134303766
31613130636632303539353462386161616364626463646539303061356131353532626466663439
64303433653832633662663765316262373335393665306438653232653062303036313563666432
61326237343432626230373065383166643265633532313033623134366561383536653438393030
36643834356263653930386531343566613832663230363036353233353631383663626333383737
6230666363303436333835333463626230646464396564393363
......@@ -10,7 +10,7 @@
domains: ["{{ grafana_domain }}"]
- name: set up nginx
template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/grafana.conf owner=root group=root mode=644
template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/grafana.conf owner=root group=http mode=640
notify:
- reload nginx
tags: ['nginx']
......
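Review bot: `mode=640` on the grafana template task (and the matching hedgedoc task in the hunk at L89–L96) drops the leading zero that the `file:` task two lines above it in the hedgedoc hunk uses (`mode=0755`); in key=value form the value is a string and is parsed as octal either way, but writing `mode=0640` keeps the two tasks consistent and matches the spelling the Ansible documentation recommends. Tightening the mode and switching the group is warranted now that the rendered config embeds `vault_*_metrics_token`, and a short comment on the task would record that, e.g. `# 0640/group http: the rendered config contains the metrics bearer token`. Whether the nginx workers actually run under the `http` group is not visible in this diff and should be confirmed on the host.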
......@@ -29,8 +29,8 @@ server {
listen [::]:443 ssl http2;
server_name {{ grafana_domain }};
access_log /var/log/nginx/{{ grafana_domain }}/access.log reduced;
access_log /var/log/nginx/{{ grafana_domain }}/access.log.json json_reduced;
access_log /var/log/nginx/{{ grafana_domain }}/access.log main;
access_log /var/log/nginx/{{ grafana_domain }}/access.log.json json_main;
error_log /var/log/nginx/{{ grafana_domain }}/error.log;
ssl_certificate /etc/letsencrypt/live/{{ grafana_domain }}/fullchain.pem;
......@@ -39,12 +39,21 @@ server {
root {{ grafana_domain }};
location / {
access_log /var/log/nginx/{{ grafana_domain }}/access.log main;
access_log /var/log/nginx/{{ grafana_domain }}/access.log.json json_main;
{% set proxy -%}
proxy_pass http://grafana;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
{%- endset %}
location / {
{{ proxy }}
}
location = /metrics {
if ($http_authorization != "Bearer {{ vault_grafana_metrics_token }}") {
return 403;
}
{{ proxy }}
}
}
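Review bot: The bearer check at L83 proxies a matching request with the client's `Authorization` header still attached, because `{{ proxy }}` sets no `Authorization` header and nginx forwards client request headers upstream by default; Grafana therefore receives the nginx-side token on every scrape and may attempt to interpret it as one of its own API tokens. Adding `proxy_set_header Authorization "";` inside the `location = /metrics` block keeps the token within nginx, and the same one-line change applies to the hedgedoc block at L118–L123. A non-matching or absent header gets a bare 403 with no `WWW-Authenticate` challenge, which is acceptable for a scraper but worth a comment next to the `if`, e.g. `# Scrapers present the token as a Bearer header; anything else is rejected before reaching upstream`. The `server {` block enclosing these locations starts outside the hunk.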
......@@ -25,7 +25,7 @@
file: path=/var/log/nginx/{{ hedgedoc_domain }} state=directory owner=root group=root mode=0755
- name: set up nginx
template: src=nginx.d.conf.j2 dest={{ hedgedoc_nginx_conf }} owner=root group=root mode=644
template: src=nginx.d.conf.j2 dest={{ hedgedoc_nginx_conf }} owner=root group=http mode=640
notify: reload nginx
tags: ['nginx']
......
......@@ -36,21 +36,32 @@ server {
ssl_certificate_key /etc/letsencrypt/live/{{ hedgedoc_domain }}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{ hedgedoc_domain }}/chain.pem;
{% set proxy -%}
proxy_pass http://hedgedoc;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
{%- endset %}
location / {
proxy_pass http://hedgedoc;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
{{ proxy }}
}
location = /status {
return 403;
}
location = /metrics {
if ($http_authorization != "Bearer {{ vault_hedgedoc_metrics_token }}") {
return 403;
}
{{ proxy }}
}
location /socket.io/ {
proxy_pass http://hedgedoc;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
{{ proxy }}
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
}
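Review bot: The comparison at L119 (and L83 in the grafana template) places the vault token inside a double-quoted nginx string, where `$` begins a variable reference and an embedded `"` terminates the literal, so a token containing either character would render into a config that fails to load or never matches. If the tokens are generated from a restricted alphabet this is fine but undocumented; a comment beside the directive, `# token must not contain $ or ": nginx expands variables inside quoted strings`, or a check on the vault value in the task that renders the template, would make the assumption explicit. The `server {` block enclosing these locations starts outside the hunk.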