PaymentServer: Allow only IPs from monitoringvpn to access /metrics

NGINX does longest-prefix-match for selecting locations.

PaymentServer: Allow only IPs from monitoringvpn to access /metrics
c0d22207 · Florian Sesser · 5367c8fa · c0d22207
Commit c0d22207 authored 3 years ago by Florian Sesser
--- a/morph/lib/customize-issuer.nix
+++ b/morph/lib/customize-issuer.nix
@@ -112,6 +112,14 @@
      locations."/" = {
        proxyPass = "http://127.0.0.1:${toString config.services.private-storage-issuer.httpPort}";
      };
+      locations."/metrics" = {
+        # Only allow our monitoringvpn subnet
+        extraConfig = ''
+          allow 172.23.23.0/24;
+          deny all;
+        '';
+        proxyPass = "http://127.0.0.1:${toString config.services.private-storage-issuer.httpPort}";
+      };
    };
  };