matrix: Use Bearer authentication for metrics

!473

matrix: Use Bearer authentication for metrics
!473
caa81be7 · Jan Alexander Steffens (heftig) · bdfc6c2c · caa81be7 · caa81be7 · caa81be7
Verified Commit caa81be7 authored Jul 31, 2021 by Jan Alexander Steffens (heftig)
--- a/group_vars/all/vault_matrix.yml
+++ b/group_vars/all/vault_matrix.yml
--- a/roles/matrix/defaults/main.yml
+++ b/roles/matrix/defaults/main.yml
@@ -42,7 +42,6 @@ matrix_nginx_config:
      - "/_matrix"
      - "/_synapse"

-matrix_metrics_htpasswd: /etc/nginx/auth/matrix_metrics
 matrix_metrics_endpoints:
  - name: synapse.homeserver
    port: 8019

--- a/roles/matrix/tasks/main.yml
+++ b/roles/matrix/tasks/main.yml
@@ -28,7 +28,6 @@
      - pkgconf
      - postgresql-libs
      - python
-      - python-passlib
      - redis
      - tcl
      - tk
@@ -246,20 +245,11 @@
    group: synapse
    mode: 0640

- name: create htpasswd for matrix metrics endpoint
-  htpasswd:
-    path: "{{ matrix_metrics_htpasswd }}"
-    name: "{{ vault_matrix_secrets.metrics_user }}"
-    password: "{{ vault_matrix_secrets.metrics_password }}"
-    owner: root
-    group: http
-    mode: 0640
-
 - name: make nginx log dir
  file: path=/var/log/nginx/{{ matrix_domain }} state=directory owner=root group=root mode=0755

 - name: set up nginx
-  template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/matrix.conf owner=root group=root mode=0644
+  template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/matrix.conf owner=root group=root mode=0640
  notify:
    - reload nginx
  when: 'matrix_domain is defined'

--- a/roles/matrix/templates/nginx.d.conf.j2
+++ b/roles/matrix/templates/nginx.d.conf.j2
@@ -50,20 +50,21 @@ server {
 {% endfor %}

 {% endfor %}
-    location /metrics {
-        auth_basic "Matrix metrics";
-        auth_basic_user_file {{ matrix_metrics_htpasswd }};
-
 {% for ep in matrix_metrics_endpoints %}
-        location = /metrics/{{ ep.name }} {
-            proxy_pass http://127.0.0.1:{{ ep.port }}/{{ ep.path | default('') }};
+    location = /metrics/{{ ep.name }} {
+        if ($http_authorization != "Bearer {{ vault_matrix_secrets.metrics_token }}") {
+            return 403;
        }
+        proxy_pass http://127.0.0.1:{{ ep.port }}/{{ ep.path | default('') }};
+    }

 {% endfor %}
-        location = /metrics {
-            default_type text/plain;
-            return 200 "Available endpoints:\n{% for ep in matrix_metrics_endpoints %}  /metrics/{{ ep.name }}\n{% endfor %}";
+    location = /metrics {
+        if ($http_authorization != "Bearer {{ vault_matrix_secrets.metrics_token }}") {
+            return 403;
        }
+        default_type text/plain;
+        return 200 "Available endpoints:\n{% for ep in matrix_metrics_endpoints %}  /metrics/{{ ep.name }}\n{% endfor %}";
    }

    location = / {