[+] restrict _metrics ips

1. resolve provided host name as ip
    address and use it to allow clients
    for _metrics endpoint;
  1.1. fixed _metrics being exposed
    from outside, with -H 'Host: blah';
This commit is contained in:
Siarhei Siniak 2025-08-21 16:55:13 +03:00
parent a7cb247a4e
commit 4152024ce7

@ -1,4 +1,5 @@
import json import json
import socket
import os import os
import io import io
import sys import sys
@ -291,6 +292,11 @@ stream {
if 'default_server' in ssl_nginx: if 'default_server' in ssl_nginx:
server = ssl_nginx['default_server'] server = ssl_nginx['default_server']
if 'metrics_allowed' in server:
metrics_allowed_ip = socket.gethostbyname(server['metrics_allowed'])
else:
metrics_allowed_ip = '127.0.0.1'
servers.append( servers.append(
r''' r'''
server { server {
@ -300,8 +306,9 @@ server {
location = /_metrics { location = /_metrics {
stub_status; stub_status;
access_log off; access_log off;
allow 172.0.0.0/8; # allow 172.0.0.0/8;
allow 127.0.0.1; allow {metrics_allowed_ip};
# allow 127.0.0.1;
deny all; deny all;
} }
@ -335,6 +342,8 @@ server {
'{domain_key}', server['domain_key'], '{domain_key}', server['domain_key'],
).replace( ).replace(
'{ssl_port}', '%d' % ssl_port, '{ssl_port}', '%d' % ssl_port,
).replace(
'{metrics_allowed_ip}', metrics_allowed_ip
) )
) )
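Review bot: `socket.gethostbyname(server['metrics_allowed'])` in the hunk at `@ -291,6 +292,11 @@` resolves to a single IPv4 address once, at config-generation time, so a host with several A records or only an AAAA record is partly or wholly denied by the generated `allow {metrics_allowed_ip};`, and a later address change is not picked up until the config is regenerated. A failed lookup raises `socket.gaierror` and aborts generation without saying which setting was at fault; `except socket.gaierror as e: raise ValueError(f"metrics_allowed: cannot resolve {server['metrics_allowed']!r}") from e` around the call would make the failure self-explaining. If every address of the host should be allowed, `socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)` returns all of them and one `allow` line per result could be emitted instead of the single placeholder. The enclosing `if 'default_server' in ssl_nginx:` block starts in the hunk but continues past it.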