[+] restrict _metrics ips

1. resolve provided host name as ip
    address and use it allow clients
    for _metrics endpoint;
  1.1. fixed _metrics being exposed
    from outside, with -H 'Host: blah';

d1/nginx_config.py

@@ -1,4 +1,5 @@
 import json
+import socket
 import os
 import io
 import sys
@@ -291,6 +292,11 @@ stream {
     if 'default_server' in ssl_nginx:
         server = ssl_nginx['default_server']
 
+        if 'metrics_allowed' in server:
+            metrics_allowed_ip = socket.gethostbyname(server['metrics_allowed'])
+        else:
+            metrics_allowed_ip = '127.0.0.1'
+
         servers.append(
             r'''
 server {
@@ -300,8 +306,9 @@ server {
   location = /_metrics {
     stub_status;
     access_log off;
-    allow 172.0.0.0/8;
-    allow 127.0.0.1;
+    # allow 172.0.0.0/8;
+    allow {metrics_allowed_ip};
+    # allow 127.0.0.1;
     deny all;
   }
 
@@ -335,6 +342,8 @@ server {
                   '{domain_key}', server['domain_key'],
               ).replace(
                   '{ssl_port}', '%d' % ssl_port,
+              ).replace(
+                  '{metrics_allowed_ip}', metrics_allowed_ip
               )
         )