Arch Linux
infrastructure
Commits
caa81be7
Verified
Commit
caa81be7
authored
Jul 31, 2021
by
Jan Alexander Steffens (heftig)
matrix: Use Bearer authentication for metrics
!473
parent
bdfc6c2c
Pipeline
#10048
passed with stage
in 32 seconds
Changes
4
group_vars/all/vault_matrix.yml
This diff is collapsed.
roles/matrix/defaults/main.yml
...
...
@@ -42,7 +42,6 @@ matrix_nginx_config:
-
"
/_matrix"
-
"
/_synapse"
matrix_metrics_htpasswd
:
/etc/nginx/auth/matrix_metrics
matrix_metrics_endpoints
:
-
name
:
synapse.homeserver
port
:
8019
...
...
roles/matrix/tasks/main.yml
...
...
@@ -28,7 +28,6 @@
-
pkgconf
-
postgresql-libs
-
python
-
python-passlib
-
redis
-
tcl
-
tk
...
...
@@ -246,20 +245,11 @@
group
:
synapse
mode
:
0640
-
name
:
create htpasswd for matrix metrics endpoint
htpasswd
:
path
:
"
{{
matrix_metrics_htpasswd
}}"
name
:
"
{{
vault_matrix_secrets.metrics_user
}}"
password
:
"
{{
vault_matrix_secrets.metrics_password
}}"
owner
:
root
group
:
http
mode
:
0640
-
name
:
make nginx log dir
file
:
path=/var/log/nginx/{{ matrix_domain }} state=directory owner=root group=root mode=0755
-
name
:
set up nginx
template
:
src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/matrix.conf owner=root group=root mode=064
4
template
:
src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/matrix.conf owner=root group=root mode=064
0
notify
:
-
reload nginx
when
:
'
matrix_domain
is
defined'
...
...
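Review bot: The "set up nginx" task at the end of this section now renders the metrics bearer token into /etc/nginx/nginx.d/matrix.conf, and tightening the mode to 0640 does not keep the secret out of Ansible output: a run with `--diff` prints the rendered template, token included. Consider adding `no_log: true` to that task, or moving the token into a separate root-only include file so the main site config stays diffable. The removed htpasswd task presumably left only a password hash on disk, whereas the new config holds the token in clear text, so anything that archives or backs up /etc/nginx now carries a usable credential. A one-line comment above the task, such as `# contains the metrics bearer token, keep non-world-readable`, would explain why the mode differs from other nginx.d files.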
roles/matrix/templates/nginx.d.conf.j2
...
...
@@ -50,20 +50,21 @@ server {
{% endfor %}
{% endfor %}
location /metrics {
auth_basic "Matrix metrics";
auth_basic_user_file {{ matrix_metrics_htpasswd }};
{% for ep in matrix_metrics_endpoints %}
location = /metrics/{{ ep.name }} {
proxy_pass http://127.0.0.1:{{ ep.port }}/{{ ep.path | default('') }};
location = /metrics/{{ ep.name }} {
if ($http_authorization != "Bearer {{ vault_matrix_secrets.metrics_token }}") {
return 403;
}
proxy_pass http://127.0.0.1:{{ ep.port }}/{{ ep.path | default('') }};
}
{% endfor %}
location = /metrics {
default_type text/plain;
return
200 "Available endpoints:\n{% for ep in matrix_metrics_endpoints %} /metrics/{{ ep.name }}\n{% endfor %}"
;
location = /metrics {
if ($http_authorization != "Bearer {{ vault_matrix_secrets.metrics_token }}") {
return
403
;
}
default_type text/plain;
return 200 "Available endpoints:\n{% for ep in matrix_metrics_endpoints %} /metrics/{{ ep.name }}\n{% endfor %}";
}
location = / {
...
...
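Review bot: Both new `if ($http_authorization != "Bearer {{ vault_matrix_secrets.metrics_token }}")` checks interpolate the vault value straight into a double-quoted nginx string, so a token containing `"`, `\` or `$` would break the config or be expanded as an nginx variable and change what is compared. The token format should be constrained (for example hex or base64url) and that requirement documented next to the vault entry. The client's Authorization header is also still forwarded by `proxy_pass` to the local metrics listener, which has no need for it; adding `proxy_set_header Authorization "";` inside the `location = /metrics/{{ ep.name }}` block keeps the token out of the upstream. The enclosing `server` block starts and ends outside this hunk.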