From c0d222072e0a5ecc09f87ca29ba640352dfce66c Mon Sep 17 00:00:00 2001
From: Florian Sesser <florian@private.storage>
Date: Thu, 5 Aug 2021 12:49:16 +0000
Subject: [PATCH] PaymentServer: Allow only IPs from monitoringvpn to access /metrics

NGINX does longest-prefix-match for selecting locations.
---
 morph/lib/customize-issuer.nix | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/morph/lib/customize-issuer.nix b/morph/lib/customize-issuer.nix
index 896580d3..2cbc52f6 100644
--- a/morph/lib/customize-issuer.nix
+++ b/morph/lib/customize-issuer.nix
@@ -112,6 +112,14 @@ locations."/" = {
 proxyPass = "http://127.0.0.1:${toString config.services.private-storage-issuer.httpPort}";
 };
+ locations."/metrics" = {
+ # Only allow our monitoringvpn subnet
+ extraConfig = ''
+ allow 172.23.23.0/24;
+ deny all;
+ '';
+ proxyPass = "http://127.0.0.1:${toString config.services.private-storage-issuer.httpPort}";
+ };
 };
 };
-- GitLab
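Review bot: The new `allow 172.23.23.0/24; deny all;` in the `/metrics` location is only as strong as the client address nginx sees in `$remote_addr`; if this vhost is ever reached through another proxy or load balancer (not visible in this hunk), every request would carry the proxy's address and the allow list would either block monitoring or, with a trusted upstream on that subnet, let anything through it. It would help to record that assumption next to the rule, e.g. `# Relies on nginx seeing the real client address (no upstream proxy / real_ip handling in front of this vhost)`. The subnet is hard-coded here; if the morph configuration already defines the monitoringvpn range as an option, referencing it instead of repeating `172.23.23.0/24` keeps the two from drifting apart. The `/metrics` prefix also matches longer paths such as `/metrics/anything`, which is the more restrictive outcome and worth a word in the comment so the longest-prefix-match reasoning from the commit message survives in the file. The enclosing `virtualHosts` attribute set starts before this hunk.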