nginx: block all /metrics endpoints
This commit is contained in:
eyjhb
parent
cad1ac566a
commit
d6be5fefea
GPG key ID:
609F508E3239F920
1 changed files with 50 additions and 39 deletions
|
|
@ -10,47 +10,58 @@ let
|
||||||
-out "$out/ca.pem" -keyout "$out/ca.key"
|
-out "$out/ca.pem" -keyout "$out/ca.key"
|
||||||
'';
|
'';
|
||||||
in {
|
in {
|
||||||
services.nginx = {
|
# block all /metrics endpoints
|
||||||
enable = true;
|
options.services.nginx.virtualHosts = lib.mkOption {
|
||||||
|
type = lib.types.attrsOf (lib.types.submodule {
|
||||||
recommendedOptimisation = true;
|
config.locations."/metrics" = lib.mkDefault {
|
||||||
recommendedTlsSettings = true;
|
extraConfig = "deny all;";
|
||||||
recommendedGzipSettings = true;
|
};
|
||||||
# recommendedBrotliSettings = true;
|
});
|
||||||
recommendedProxySettings = true;
|
|
||||||
|
|
||||||
# only allow PFS-enabled ciphers with AES256
|
|
||||||
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
|
|
||||||
|
|
||||||
# disable access logs
|
|
||||||
commonHttpConfig= ''
|
|
||||||
access_log off;
|
|
||||||
'';
|
|
||||||
|
|
||||||
# setup a default site
|
|
||||||
virtualHosts.default = {
|
|
||||||
default = lib.mkDefault true;
|
|
||||||
addSSL = true;
|
|
||||||
|
|
||||||
sslCertificateKey = "${snakeOilCa}/ca.key";
|
|
||||||
sslCertificate = "${snakeOilCa}/ca.pem";
|
|
||||||
|
|
||||||
root = pkgs.writeTextDir "index.html" ''
|
|
||||||
<html>
|
|
||||||
<head>
|
|
||||||
<title>Nothing to see</title>
|
|
||||||
</head>
|
|
||||||
<body>
|
|
||||||
<p>Like I said, nothing to see here</p>
|
|
||||||
</body>
|
|
||||||
</html>
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.firewall = {
|
config = {
|
||||||
allowedTCPPorts = [80 443];
|
services.nginx = {
|
||||||
allowedUDPPorts = [443];
|
enable = true;
|
||||||
|
|
||||||
|
recommendedOptimisation = true;
|
||||||
|
recommendedTlsSettings = true;
|
||||||
|
recommendedGzipSettings = true;
|
||||||
|
# recommendedBrotliSettings = true;
|
||||||
|
recommendedProxySettings = true;
|
||||||
|
|
||||||
|
# only allow PFS-enabled ciphers with AES256
|
||||||
|
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
|
||||||
|
|
||||||
|
# disable access logs
|
||||||
|
commonHttpConfig= ''
|
||||||
|
access_log off;
|
||||||
|
'';
|
||||||
|
|
||||||
|
# setup a default site
|
||||||
|
virtualHosts.default = {
|
||||||
|
default = lib.mkDefault true;
|
||||||
|
addSSL = true;
|
||||||
|
|
||||||
|
sslCertificateKey = "${snakeOilCa}/ca.key";
|
||||||
|
sslCertificate = "${snakeOilCa}/ca.pem";
|
||||||
|
|
||||||
|
root = pkgs.writeTextDir "index.html" ''
|
||||||
|
<html>
|
||||||
|
<head>
|
||||||
|
<title>Nothing to see</title>
|
||||||
|
</head>
|
||||||
|
<body>
|
||||||
|
<p>Like I said, nothing to see here</p>
|
||||||
|
</body>
|
||||||
|
</html>
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
networking.firewall = {
|
||||||
|
allowedTCPPorts = [80 443];
|
||||||
|
allowedUDPPorts = [443];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue