From 4152024ce7f2c030707ce080110f6ca2ea86ebea Mon Sep 17 00:00:00 2001
From: Siarhei Siniak
Date: Thu, 21 Aug 2025 16:55:13 +0300
Subject: [PATCH] [+] restrict _metrics ips
1. resolve provided host name as ip address and use it allow clients for _metrics endpoint;
1.1. fixed _metrics being exposed from outside, with -H 'Host: blah';
---
 d1/nginx_config.py | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/d1/nginx_config.py b/d1/nginx_config.py
index 17d2172..f722554 100644
--- a/d1/nginx_config.py
+++ b/d1/nginx_config.py
@@ -1,4 +1,5 @@
 import json
+import socket
 import os
 import io
 import sys
@@ -291,6 +292,11 @@ stream {
 if 'default_server' in ssl_nginx:
 server = ssl_nginx['default_server']
 
+ if 'metrics_allowed' in server:
+ metrics_allowed_ip = socket.gethostbyname(server['metrics_allowed'])
+ else:
+ metrics_allowed_ip = '127.0.0.1'
+
 servers.append(
 r'''
 server {
@@ -300,8 +306,9 @@ server {
 location = /_metrics {
 stub_status;
 access_log off;
- allow 172.0.0.0/8;
- allow 127.0.0.1;
+ # allow 172.0.0.0/8;
+ allow {metrics_allowed_ip};
+ # allow 127.0.0.1;
 deny all;
 }
 
@@ -335,6 +342,8 @@ server {
 '{domain_key}', server['domain_key'],
 ).replace(
 '{ssl_port}', '%d' % ssl_port,
+ ).replace(
+ '{metrics_allowed_ip}', metrics_allowed_ip
 )
 )
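Review bot: The added `socket.gethostbyname(server['metrics_allowed'])` is unguarded, so a name that fails to resolve (or resolves only to IPv6, since gethostbyname returns a single IPv4 string) aborts config generation with a bare socket.gaierror instead of an error naming the offending setting. The lookup also happens once, at render time, and whatever address comes back is written verbatim into the nginx `allow` directive, so a later DNS change for that name is not picked up until the config is regenerated; that deserves a comment such as `# resolved once at render time; regenerate the config after a DNS change`. Wrapping the call as below keeps the failure explicit and self-describing. The enclosing function starts and ends outside this hunk.
```python
        if 'metrics_allowed' in server:
            # resolved once at render time; regenerate the config after a DNS change
            try:
                metrics_allowed_ip = socket.gethostbyname(server['metrics_allowed'])
            except socket.gaierror as err:
                raise RuntimeError(
                    'cannot resolve metrics_allowed %r' % server['metrics_allowed']
                ) from err
        else:
            metrics_allowed_ip = '127.0.0.1'
        # … unchanged: servers.append(r''' … ''') …
```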
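Review bot: The two old `allow` lines are commented out rather than removed (`# allow 172.0.0.0/8;` and `# allow 127.0.0.1;`); git history already keeps them, and dead directives inside the rendered server block invite an accidental uncomment later, so delete both lines. Note that once `metrics_allowed` is set, loopback is no longer in the allow list at all, so a scraper running on the nginx host itself is denied — if that is not intended, keep `allow 127.0.0.1;` next to `allow {metrics_allowed_ip};`. Dropping `172.0.0.0/8` is right in any case: that range is far wider than the RFC 1918 block `172.16.0.0/12` it was presumably meant to cover.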