mirrors/blockstream-satellite-api
1
0
Fork 0
mirror of https://github.com/Blockstream/satellite-api.git synced 2025-02-23 14:00:26 +01:00
Code Issues Projects Releases Packages Wiki Activity

remove http_x_forwarded_for from nginx and set it to 0.0.0.0 + update some image hashes + add log rotation

Browse source
This commit is contained in:
nitram 2019-04-18 19:31:02 -07:00
parent 1a16caa12a
commit 8cc51f04a4
No known key found for this signature in database
GPG key ID: 2352C35346C5D534
2 changed files with 13 additions and 21 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

30
terraform/modules/blc/cloud-init/blc.yaml
View file

@ -32,7 +32,7 @@ write_files:
permissions: 0644 permissions: 0644
owner: root owner: root
content: | content: |
log_format withtimebs '$http_x_forwarded_for - $remote_addr - $remote_user [$time_local] ' log_format withtimebs '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent ' '"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" ' '"$http_referer" "$http_user_agent" '
'rt="$request_time" uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"'; 'rt="$request_time" uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"';
@ -45,13 +45,7 @@ write_files:
server_name ${host}; server_name ${host};
listen 80; listen 80;
server_tokens off; server_tokens off;
proxy_set_header X-Forwarded-For 0.0.0.0;
set_real_ip_from 130.211.0.0/22;
set_real_ip_from 35.191.0.0/16;
set_real_ip_from 10.0.0.0/8;
real_ip_recursive on;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Proxy to Satellite API # Proxy to Satellite API
location = / { location = / {
@ -93,7 +87,7 @@ write_files:
permissions: 0644 permissions: 0644
owner: root owner: root
content: | content: |
log_format withtime '$http_x_forwarded_for - $remote_addr - $remote_user [$time_local] ' log_format withtime '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent ' '"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" ' '"$http_referer" "$http_user_agent" '
'rt="$request_time" uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"'; 'rt="$request_time" uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"';
@ -106,13 +100,7 @@ write_files:
server_name ${space_host}; server_name ${space_host};
listen 80 default_server; listen 80 default_server;
server_tokens off; server_tokens off;
proxy_set_header X-Forwarded-For 0.0.0.0;
set_real_ip_from 130.211.0.0/22;
set_real_ip_from 35.191.0.0/16;
set_real_ip_from 10.0.0.0/8;
real_ip_recursive on;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Proxy to Satellite API # Proxy to Satellite API
location = / { location = / {
@ -244,6 +232,8 @@ write_files:
--network=host \ --network=host \
--pid=host \ --pid=host \
--name=nginx \ --name=nginx \
--log-opt max-size=200m \
--log-opt max-file=3 \
-v /home/bs/bscom.conf:/etc/nginx/conf.d/bscom.conf:ro \ -v /home/bs/bscom.conf:/etc/nginx/conf.d/bscom.conf:ro \
-v /home/bs/space.conf:/etc/nginx/conf.d/space.conf:ro \ -v /home/bs/space.conf:/etc/nginx/conf.d/space.conf:ro \
-v /home/bs/index.html:/usr/share/nginx/html/index.html:ro \ -v /home/bs/index.html:/usr/share/nginx/html/index.html:ro \
@ -303,7 +293,7 @@ write_files:
-v /mnt/disks/data/${net}:/root/.bitcoin:rw \ -v /mnt/disks/data/${net}:/root/.bitcoin:rw \
"${bitcoin_docker}" ${bitcoin_cmd} "${bitcoin_docker}" ${bitcoin_cmd}
ExecStop=/usr/bin/docker exec bitcoin bitcoin-cli stop ExecStop=/usr/bin/docker exec bitcoin bitcoin-cli stop
ExecStopPost=/usr/bin/sleep 5 ExecStopPost=/usr/bin/sleep 3
ExecStopPost=/usr/bin/docker rm -f bitcoin ExecStopPost=/usr/bin/docker rm -f bitcoin
- path: /etc/systemd/system/lightning.service - path: /etc/systemd/system/lightning.service
@ -329,8 +319,8 @@ write_files:
-v /mnt/disks/data/lightning:/root/.lightning:rw \ -v /mnt/disks/data/lightning:/root/.lightning:rw \
"${lightning_docker}" ${lightning_cmd} "${lightning_docker}" ${lightning_cmd}
ExecStop=/usr/bin/docker exec lightning lightning-cli stop ExecStop=/usr/bin/docker exec lightning lightning-cli stop
ExecStopPost=/usr/bin/sleep 5 ExecStopPost=/usr/bin/sleep 3
ExecStopPost=/usr/bin/docker rm -f bitcoin ExecStopPost=/usr/bin/docker rm -f lightning
ExecStopPost=/sbin/iptables -D INPUT -p tcp --dport ${lightning_port} -j ACCEPT ExecStopPost=/sbin/iptables -D INPUT -p tcp --dport ${lightning_port} -j ACCEPT
- path: /etc/systemd/system/redis.service - path: /etc/systemd/system/redis.service
@ -383,6 +373,8 @@ write_files:
--network=host \ --network=host \
--pid=host \ --pid=host \
--name=ionosphere \ --name=ionosphere \
--log-opt max-size=200m \
--log-opt max-file=3 \
-v /mnt/disks/data/ionosphere:/data \ -v /mnt/disks/data/ionosphere:/data \
-e "RACK_ENV=production" \ -e "RACK_ENV=production" \
-e "CHARGE_ROOT=http://api-token:${rpcpass}@localhost:9112" \ -e "CHARGE_ROOT=http://api-token:${rpcpass}@localhost:9112" \

2
terraform/variables.tf
View file

@ -181,5 +181,5 @@ variable "prom_docker" {
variable "gcloud_docker" { variable "gcloud_docker" {
type = "string" type = "string"
default = "google/cloud-sdk@sha256:b0d0555efef6a566f42fc4f0d89be9e1d74aff4565e27bbd206405f759d3f2b0" default = "google/cloud-sdk@sha256:78e68a98c5d6aa36eca45099bae38a1544a1688fd16b506fb914a29fdf6e4afa"
} }