ops: Implement ACL for internal APIs

production/nginx/http-acl.conf

@@ -0,0 +1,6 @@
+# used for "internal" API restriction
+geo $remote_addr $mempool_external {
+	127.0.0.1	'';
+	::1		'';
+	default		1;
+}

production/nginx/location-api.conf

@@ -4,10 +4,17 @@
 
 # Block the internal APIs of esplora
 location /api/internal/ {
-	return 403;
+	if ($mempool_external) {
+		return 403;
+	}
+	rewrite ^/api/(.*) /$1 break;
+	try_files /dev/null @esplora-api-cache-disabled;
 }
 location /api/v1/internal/ {
-	return 403;
+	if ($mempool_external) {
+		return 403;
+	}
+	try_files /dev/null @mempool-api-v1-cache-normal;
 }
 
 # websocket has special HTTP headers

production/nginx/nginx.conf

@@ -19,6 +19,7 @@ http {
 
 	# HTTP basic configuration
 	include mempool/production/nginx/http-basic.conf;
+	include mempool/production/nginx/http-acl.conf;
 	include mempool/production/nginx/http-proxy-cache.conf;
 	include mempool/production/nginx/http-language.conf;