nginx lb: also protect /gossip/order

This commit is contained in:
Chase Sillevis 2020-11-02 19:10:18 +01:00
parent bb0845af89
commit c9cd6a31ea
No known key found for this signature in database
GPG key ID: B31ED7165146D701


@ -1,7 +1,7 @@
users:
- name: bs
uid: 2000
write_files:
- path: /home/bs/default.conf
permissions: 0644
@ -11,7 +11,7 @@ write_files:
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'rt="$request_time" uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"';
server {
access_log /var/log/nginx/access.log withtime;
error_log /var/log/nginx/error.log;
@ -21,11 +21,11 @@ write_files:
listen 80;
server_tokens off;
proxy_set_header X-Forwarded-For 0.0.0.0;
location / {
rewrite ^ https://$http_host$request_uri? permanent;
}
location /.well-known {
auth_basic off;
allow all; # Allow all to see content
@ -45,7 +45,7 @@ write_files:
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'rt="$request_time" uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"';
server {
index index.php index.html index.htm index.nginx-debian.html;
@ -58,25 +58,25 @@ write_files:
ssl_certificate_key /etc/nginx/certs/live/${host}/privkey.pem;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/certs/certs/dhparam.pem;
ssl_client_certificate /etc/nginx/certs/ca.cert;
ssl_verify_client optional;
root /usr/share/nginx/html/;
server_tokens off;
proxy_set_header X-Forwarded-For 0.0.0.0;
location = / {
rewrite ^ /index.html break;
}
# Client cert authenticated endpoints
location /order/tx/ {
# Allow base stations only
allow 202.161.136.2;
allow 202.161.136.2;
allow 66.203.141.162;
deny all;
if ($ssl_client_verify != SUCCESS) {
return 403;
}
@ -85,23 +85,23 @@ write_files:
location /order/rx/ {
# Allow base stations only
allow 202.161.136.2;
allow 202.161.136.2;
allow 66.203.141.162;
deny all;
deny all;
if ($ssl_client_verify != SUCCESS) {
return 403;
}
proxy_pass http://${mainnet_ip}:9292/order/rx/;
}
# Proxy to mainnet Satellite API
location / {
add_header 'Access-Control-Allow-Origin' '*' always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, DELETE' always;
add_header 'Access-Control-Allow-Headers' 'X-Auth-Token,DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range' always;
add_header 'X-XSS-Protection' '1; mode=block' always;
if ($request_uri ~* "^/$")
{
return 301 https://$host;
@ -111,7 +111,7 @@ write_files:
{
return 200;
}
proxy_pass http://${mainnet_ip}:9292/;
}
@ -125,7 +125,7 @@ write_files:
proxy_pass http://${mainnet_ip}:4500/stream?channels=;
}
# Proxy to testnet Satellite API
location /testnet/ {
add_header 'Access-Control-Allow-Origin' '*' always;
@ -156,8 +156,8 @@ write_files:
proxy_pass http://${testnet_ip}:4500/stream?channels=;
}
# Proxy to Gossip
# Proxy to Gossip
location /gossip/ {
add_header 'Access-Control-Allow-Origin' '*' always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, DELETE' always;
@ -187,14 +187,14 @@ write_files:
proxy_pass http://${gossip_ip}:4500/stream?channels=;
}
# Client cert authenticated gossip endpoints
location ~ ^/gossip/(order/.*)$ {
location ~ ^/gossip/(order/?.*)$ {
# Allow base stations only
allow 202.161.136.2;
allow 202.161.136.2;
allow 66.203.141.162;
deny all;
if ($ssl_client_verify != SUCCESS) {
return 403;
}
@ -344,7 +344,7 @@ write_files:
-e EMAIL=${letsencrypt_email} \
"${certbot_docker}" renew
ExecStartPost=-/usr/bin/systemctl restart nginx-tls
- path: /etc/systemd/system/node-exporter.service
permissions: 0644
owner: root
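Review bot: The new pattern `^/gossip/(order/?.*)$` at the regex location also matches any path that merely begins with `/gossip/order` (a hypothetical `/gossip/orders`, for instance), because `/?` is optional and `.*` follows with no separator; if only the bare endpoint and its sub-paths are meant to be client-cert protected, `location ~ ^/gossip/(order(/.*)?)$ {` expresses that exactly while still covering `/gossip/order`. The old pattern could not match `/gossip/order` without a trailing slash, so that request previously fell through to the unauthenticated `location /gossip/` prefix block; the change closes a real gap, and the wider match fails closed for unrelated `/gossip/order…` paths, which is the safer direction. Note that the capture now yields `order` rather than `order/…` for the bare path, so if `$1` is used in a `proxy_pass` further down, the upstream URI for that request changes too; the location body continues outside the hunk. The `~` matcher is case-sensitive, which is only adequate if the upstream treats paths case-sensitively as well — otherwise `~*` would be the consistent choice.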