From 9360faf75d2f8eb409a48edbac7defc014b59cda Mon Sep 17 00:00:00 2001
From: Kristian Klausen <kristian@klausen.dk>
Date: Sat, 5 Jun 2021 03:38:02 +0200
Subject: [PATCH] Put all /metrics endpoints behind auth
---
group_vars/all/vault_grafana.yml | 15 ++++++----
group_vars/all/vault_hedgedoc.yml | 25 +++++++++--------
roles/grafana/tasks/main.yml | 2 +-
roles/grafana/templates/nginx.d.conf.j2 | 21 ++++++++++----
roles/hedgedoc/tasks/main.yml | 2 +-
roles/hedgedoc/templates/nginx.d.conf.j2 | 35 ++++++++++++++++--------
6 files changed, 63 insertions(+), 37 deletions(-)
diff --git a/group_vars/all/vault_grafana.yml b/group_vars/all/vault_grafana.yml
index ace613b4e..53e6ae174 100644
--- a/group_vars/all/vault_grafana.yml
+++ b/group_vars/all/vault_grafana.yml
@@ -1,7 +1,10 @@
 $ANSIBLE_VAULT;1.1;AES256
-30343635623662626436393831386266353561386231373066373638393830306539343630393633
-6436343736396133623364383261353937643037613435630a313662633335373365316230303234
-32333336633738383435643762333561343034376264303736343138636564623432636133313765
-6232333937613031330a353466656534376565636137653165396632316261306533366239656465
-66663832306138343361346637636534396533623939333962653164643838316463666632643938
-6165623333313564643834343262393538663435366432666131
+33303032383363646637316136373435613162343563656333343061636335363135366662623033
+3833393361303933343134333865653935616563343766650a386339333365623732656633666533
+31396436373530623666623933653433346331393033313364313166636335613531383238646539
+3764346333323962340a366463666662356563636664323235316662653161623261623430653766
+37626463323563393433343461333563663561373862633239393166613463333863336236376336
+32386164363864303939313338636331653432393431366337336136373933663534316262636335
+65343237356562396137346431366364336231633635663432636636303331333437316162613538
+62393732653064316466613832346334643765643964303438336662653931313861353039386263
+31666637303066353534366237643266306263663332373362663263353665613066
diff --git a/group_vars/all/vault_hedgedoc.yml b/group_vars/all/vault_hedgedoc.yml
index 1360262c2..adbc98812 100644
--- a/group_vars/all/vault_hedgedoc.yml
+++ b/group_vars/all/vault_hedgedoc.yml
@@ -1,12 +1,15 @@
 $ANSIBLE_VAULT;1.1;AES256
-63373465656232323265643638376633383230643139323535656565396362636330396130663263
-6233666233646537363536323032366337613765336530350a336130303663383337643737323665
-66393863666135616430643931376239616266616664623034653134303563306239653736616464
-3666386534306434640a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a396430383064376431633839303730
+65323464633737353234636530356662666433623730303765643532623137623338376164633265
+3262373263626261640a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
diff --git a/roles/grafana/tasks/main.yml b/roles/grafana/tasks/main.yml
index 54e50ecf3..c7058e12f 100644
--- a/roles/grafana/tasks/main.yml
+++ b/roles/grafana/tasks/main.yml
@@ -10,7 +10,7 @@
 domains: ["{{ grafana_domain }}"]
 - name: set up nginx
- template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/grafana.conf owner=root group=root mode=644
+ template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/grafana.conf owner=root group=http mode=640
 notify:
 - reload nginx
 tags: ['nginx']
diff --git a/roles/grafana/templates/nginx.d.conf.j2 b/roles/grafana/templates/nginx.d.conf.j2
index 1c378da2b..afc6e7685 100644
--- a/roles/grafana/templates/nginx.d.conf.j2
+++ b/roles/grafana/templates/nginx.d.conf.j2
@@ -29,8 +29,8 @@ server {
 listen [::]:443 ssl http2;
 server_name {{ grafana_domain }};
- access_log /var/log/nginx/{{ grafana_domain }}/access.log reduced;
- access_log /var/log/nginx/{{ grafana_domain }}/access.log.json json_reduced;
+ access_log /var/log/nginx/{{ grafana_domain }}/access.log main;
+ access_log /var/log/nginx/{{ grafana_domain }}/access.log.json json_main;
 error_log /var/log/nginx/{{ grafana_domain }}/error.log;
 ssl_certificate /etc/letsencrypt/live/{{ grafana_domain }}/fullchain.pem;
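Review bot: The tightened `group=http mode=640` on the rendered nginx config is not explained in the task, and the identical change in roles/hedgedoc/tasks/main.yml is equally silent; the reason is that the template now embeds `vault_grafana_metrics_token` in clear text in /etc/nginx/nginx.d/grafana.conf, so a maintainer who later "fixes" the mode back to the usual `644` would expose the scrape token to every local account. A one-line comment above the task would anchor that, e.g. `# 0640: the rendered config contains the metrics bearer token, so it must not be world-readable`. Whether `http` is the right group for nginx on these hosts is not visible from the diff.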
@@ -39,12 +39,21 @@ server {
 root {{ grafana_domain }};
- location / {
- access_log /var/log/nginx/{{ grafana_domain }}/access.log main;
- access_log /var/log/nginx/{{ grafana_domain }}/access.log.json json_main;
+{% set proxy -%}
 proxy_pass http://grafana;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection $connection_upgrade;
+{%- endset %}
+
+ location / {
+ {{ proxy }}
+ }
+
+ location = /metrics {
+ if ($http_authorization != "Bearer {{ vault_grafana_metrics_token }}") {
+ return 403;
+ }
+ {{ proxy }}
 }
 }
diff --git a/roles/hedgedoc/tasks/main.yml b/roles/hedgedoc/tasks/main.yml
index 2e7380c34..8f6819570 100644
--- a/roles/hedgedoc/tasks/main.yml
+++ b/roles/hedgedoc/tasks/main.yml
@@ -25,7 +25,7 @@
 file: path=/var/log/nginx/{{ hedgedoc_domain }} state=directory owner=root group=root mode=0755
 - name: set up nginx
- template: src=nginx.d.conf.j2 dest={{ hedgedoc_nginx_conf }} owner=root group=root mode=644
+ template: src=nginx.d.conf.j2 dest={{ hedgedoc_nginx_conf }} owner=root group=http mode=640
 notify: reload nginx
 tags: ['nginx']
diff --git a/roles/hedgedoc/templates/nginx.d.conf.j2 b/roles/hedgedoc/templates/nginx.d.conf.j2
index 66f41d901..b9edcfd66 100644
--- a/roles/hedgedoc/templates/nginx.d.conf.j2
+++ b/roles/hedgedoc/templates/nginx.d.conf.j2
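Review bot: The `if ($http_authorization != "Bearer {{ vault_grafana_metrics_token }}")` line pastes the vault value straight into a double-quoted nginx string, where `$` starts a variable reference and `"` or `\` end or escape the literal, so a token containing any of those characters would either fail `nginx -t` or silently compare against something other than the intended secret; nothing in the diff constrains the token's alphabet, and the hedgedoc hunk has the same construction with `vault_hedgedoc_metrics_token`. The cheapest guard is to state and enforce the constraint: a Jinja comment above the `if`, `{# token must match ^[A-Za-z0-9_-]+$: it is interpolated into a quoted nginx string where $, " and \ have meaning #}`, plus an assert task in the role such as `assert: { that: "vault_grafana_metrics_token is match('^[A-Za-z0-9_-]+$')" }` so a bad value fails the play instead of the reload. A minor style point: an unauthenticated scraper gets `403` here; `401` would describe the failure more precisely, but both keep the endpoint closed. The enclosing `server` block starts before this hunk.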
@@ -36,21 +36,32 @@ server {
 ssl_certificate_key /etc/letsencrypt/live/{{ hedgedoc_domain }}/privkey.pem;
 ssl_trusted_certificate /etc/letsencrypt/live/{{ hedgedoc_domain }}/chain.pem;
+{% set proxy -%}
+ proxy_pass http://hedgedoc;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+{%- endset %}
+
 location / {
- proxy_pass http://hedgedoc;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
+ {{ proxy }}
+ }
+
+ location = /status {
+ return 403;
+ }
+
+ location = /metrics {
+ if ($http_authorization != "Bearer {{ vault_hedgedoc_metrics_token }}") {
+ return 403;
+ }
+ {{ proxy }}
 }
 location /socket.io/ {
- proxy_pass http://hedgedoc;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
+ {{ proxy }}
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
 }
 }
--
GitLab
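Review bot: `location = /status` and `location = /metrics` only match those exact, case-sensitive paths, and every other spelling falls through to `location /`, which proxies to HedgeDoc with no check at all; HedgeDoc is an Express application, and Express routing is by default neither case-sensitive nor strict about a trailing slash, so unless the app enables strict routing a request for `/status/` or `/Metrics` would reach the same upstream handler that this hunk means to close off. The safer shape is a regex location that covers the family of spellings the upstream accepts, `location ~* ^/status/?$ {` and `location ~* ^/metrics/?$ {`, with the bodies unchanged; regex locations are evaluated before the `location /` fallback, so nothing else in the block needs to move. The grafana hunk's `location = /metrics` has the same form; whether Grafana's router accepts the variants is not visible here, so that one should be confirmed against the upstream before relying on `=`. The `server` block this belongs to starts before the hunk.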