From 03a1e37700071ccad8dbcd398ab3a2de30f399ee Mon Sep 17 00:00:00 2001 From: Ben Kristinsson Date: Wed, 26 Oct 2022 01:38:43 +0200 Subject: [PATCH 1/4] authelia: added better robots.txt, nginx locations for healthchecks --- roles/authelia/tasks/authelia.yml | 11 +++++++++++ roles/authelia/templates/01-authelia.conf.j2 | 17 +++++++++++------ roles/authelia/templates/robots.txt.j2 | 2 ++ 3 files changed, 24 insertions(+), 6 deletions(-) create mode 100644 roles/authelia/templates/robots.txt.j2 diff --git a/roles/authelia/tasks/authelia.yml b/roles/authelia/tasks/authelia.yml index 1f170a0..5af9891 100644 --- a/roles/authelia/tasks/authelia.yml +++ b/roles/authelia/tasks/authelia.yml @@ -48,6 +48,17 @@ - authelia-config notify: restart authelia container +- name: template robots.txt + template: + src: "robots.txt.j2" + dest: "{{ systemuserlist.authelia.home }}/robots.txt" + owner: authelia + group: authelia + mode: 0755 + tags: + - authelia-nginx + notify: reload nginx + - name: template nginx vhost template: src: 01-authelia.conf.j2 diff --git a/roles/authelia/templates/01-authelia.conf.j2 b/roles/authelia/templates/01-authelia.conf.j2 index 7abe14a..cec4970 100644 --- a/roles/authelia/templates/01-authelia.conf.j2 +++ b/roles/authelia/templates/01-authelia.conf.j2 @@ -48,13 +48,20 @@ server { proxy_buffers 64 256k; } + # the robots.txt file that authelia serves allows search engine + location = /robots.txt { + alias {{ systemuserlist.authelia.home }}/robots.txt; + } + # swagger: https://login.sudo.is/api/#/ location /api/verify { return 403; } - location /api/health { - return 403; - } + # only returns {"status": "OK"}, which is also included in /api/state anyway, which clients + # seem to access according to logs so cant deny those requests. + # location /api/health { + # return 403; + # } access_log /var/log/nginx/access_{{ authelia_login_url }}.log main; error_log /var/log/nginx/error_{{ authelia_login_url }}.log warn; 
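Review bot: `mode: 0755` on the new robots.txt task grants execute bits to a plain text file that nginx only needs to read; `mode: "0644"` is the least-privilege choice, and quoting the octal avoids an unquoted leading-zero number being interpreted differently across YAML parsers. The file is owned by authelia but served by nginx through the `alias` in the vhost, so the nginx worker user must be able to read it and traverse `{{ systemuserlist.authelia.home }}`; the task does not set that directory's mode, so this is worth confirming on the host.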
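Review bot: The comment above the new `location = /robots.txt` stops mid-sentence (`# the robots.txt file that authelia serves allows search engine`), so the reason for overriding it is lost; suggest `# authelia's built-in robots.txt allows crawling; serve the deny-all robots.txt from disk instead`. The `location /api/health { return 403; }` block is commented out rather than removed, leaving dead config next to a comment that already explains the decision; deleting the four commented lines and keeping the explanation reads cleaner, and `cant` should be `can't`. With the 403 gone, /api/health goes to whatever location proxies the rest of this server block, which starts and ends outside the hunk.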
@@ -72,8 +79,6 @@ server { server { - #listen 443 ssl http2; - {% if inventory_hostname in wg_clients -%} listen {{ wg_clients[inventory_hostname].ip }}:443 ssl http2 default_server; {% endif -%} @@ -113,7 +118,7 @@ server { } - location /api/health { + location /api { proxy_pass http://{{ bridgewithdns.authelia}}:{{ authelia_port }}; proxy_redirect off; diff --git a/roles/authelia/templates/robots.txt.j2 b/roles/authelia/templates/robots.txt.j2 new file mode 100644 index 0000000..1f53798 --- /dev/null +++ b/roles/authelia/templates/robots.txt.j2 @@ -0,0 +1,2 @@ +User-agent: * +Disallow: / -- 2.40.1 From cd6422373699ad2b45bb8383f3ec92f366f39727 Mon Sep 17 00:00:00 2001 From: Ben Kristinsson Date: Wed, 26 Oct 2022 01:40:03 +0200 Subject: [PATCH 2/4] jellyfin: nginx locations for healthchecks --- roles/jellyfin/templates/01-jellyfin.j2 | 27 +++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/roles/jellyfin/templates/01-jellyfin.j2 b/roles/jellyfin/templates/01-jellyfin.j2 index d3ab59a..54eb0b1 100644 --- a/roles/jellyfin/templates/01-jellyfin.j2 +++ b/roles/jellyfin/templates/01-jellyfin.j2 
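Review bot: Widening `location /api/health` to `location /api` on the second server block proxies every Authelia API path on that listener, not only the health check, and as a plain prefix match it also catches URIs such as `/apifoo`. If only the health check is needed there, `location = /api/health {` keeps the previous exposure; if the whole API is intended — the listener is bound to the WireGuard address, so it may be — `location /api/ {` at least confines the match to the path. The enclosing server block starts and ends outside the hunk.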
@@ -56,14 +56,14 @@ server { # attempting to fix the title with nginx {% set jellyfin_title = jellyfin_url.split(".")[0].capitalize() %} - sub_filter 'Jellyfin' '{{ jellyfin_title }}'; - sub_filter 'document.title="Jellyfin"' 'document.title="{{ jellyfin_title }}"'; - sub_filter 'document.title=e||"Jellyfin"' 'document.title=e||"{{ jellyfin_title }}"'; - sub_filter 'document.title=B.ZP.translateHtml(document.title,"core")' 'document.title="{{ jellyfin_title }}"'; - # in addition to “text/html”. - sub_filter_types application/javascript; - sub_filter_last_modified on; - sub_filter_once off; + #sub_filter 'Jellyfin' '{{ jellyfin_title }}'; + #sub_filter 'document.title="Jellyfin"' 'document.title="{{ jellyfin_title }}"'; + #sub_filter 'document.title=e||"Jellyfin"' 'document.title=e||"{{ jellyfin_title }}"'; + #sub_filter 'document.title=B.ZP.translateHtml(document.title,"core")' 'document.title="{{ jellyfin_title }}"'; + ## in addition to “text/html”. + #sub_filter_types application/javascript; + #sub_filter_last_modified on; + #sub_filter_once off; location = / { return 302 https://$host/web/; @@ -126,6 +126,17 @@ server { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } {% endfor %} + location = /_health { + proxy_pass http://127.0.0.1:{{ jellyfin_port }}/health; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + {# hide_header 'content-security-policy'; + # hide_header 'x-response-time-ms'; + # hide_header 'x-frame-options'; + # hide_header 'x-xss-protection'; + # hide_header 'last-modified'; #} + } + {# location /videos/ { # # cache video streams: https://jellyfin.org/docs/general/networking/nginx.html#cache-video-streams -- 2.40.1 From f1afe94a191e51be21f14690e08e7441db40ce6c Mon Sep 17 00:00:00 2001 
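Review bot: Disabling the title rewrite by commenting out each `sub_filter` directive leaves the `# attempting to fix the title with nginx` heading and the `{% set jellyfin_title … %}` line in place, so the template now carries eight lines of dead config with no note on why they were turned off. Either remove the lines (git history keeps them) or replace the heading with a one-line reason such as `# title rewrite via sub_filter disabled: REASON` (REASON is a placeholder), so the next reader does not assume they are safe to re-enable.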
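Review bot: The Jinja-commented lines inside the new `location = /_health` use `hide_header`, which is not an nginx directive (the proxy module's is `proxy_hide_header`), so uncommenting them later would make `nginx -t` fail; either write them as `proxy_hide_header 'x-response-time-ms';` and so on, or drop the block. The location also forwards the health check with no access restriction, unlike the `allow`/`deny all` list the matrix vhost had; if the checker runs from known addresses, the same pair here limits who can probe the endpoint. The enclosing server block starts and ends outside the hunk.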
From: Ben Kristinsson Date: Wed, 26 Oct 2022 01:44:41 +0200 Subject: [PATCH 3/4] matrix-synapse: nginx locations for healthchecks --- roles/matrix-nginx/templates/01-matrix.j2 | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/roles/matrix-nginx/templates/01-matrix.j2 b/roles/matrix-nginx/templates/01-matrix.j2 index 8a5fbdf..ca95ecd 100644 --- a/roles/matrix-nginx/templates/01-matrix.j2 +++ b/roles/matrix-nginx/templates/01-matrix.j2 @@ -34,19 +34,11 @@ server { } - location /health { - allow 127.0.0.1; - {% if inventory_hostname in my_public_ips -%} - allow {{ my_public_ips[inventory_hostname] }}/32; - {% endif -%} - allow {{ my_public_ips[ansible_control_host] }}/32; - allow {{ wireguard_cidr }}; - deny all; - proxy_pass http://{{ bridgewithdns.matrix }}:{{ matrix_synapse_port }}; + location = /_health { + proxy_pass http://{{ bridgewithdns.matrix }}:{{ matrix_synapse_port }}/health; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $host; - } location ~* ^(\/_matrix|\/_synapse\/client) { # working around this issue that seems to still be hapening -- 2.40.1 From 73b7d2664f05522426ef8be98cde10bf919c577e Mon Sep 17 00:00:00 2001 From: Ben Kristinsson Date: Wed, 26 Oct 2022 01:45:40 +0200 Subject: [PATCH 4/4] influxdb: nginx locations for healthchecks, but overwite arg to force verbose=false to prevent leaking version info --- roles/monitoring-server/templates/01-influxdb.j2 | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/roles/monitoring-server/templates/01-influxdb.j2 b/roles/monitoring-server/templates/01-influxdb.j2 index 6bf88a7..2ed496d 100644 --- a/roles/monitoring-server/templates/01-influxdb.j2 +++ b/roles/monitoring-server/templates/01-influxdb.j2 
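Review bot: The closing `}` of the health location is removed together with the old `location /health {` line, so `location = /_health {` is never closed and the following `location ~* ^(\/_matrix|\/_synapse\/client) {` ends up nested inside it; as far as I know nginx rejects a location nested in an exact-match location, so the rendered config should fail `nginx -t` and the reload handler with it. Restore the brace after `        proxy_set_header Host $host;` with `    }` on its own line. Separately, the `allow 127.0.0.1` … `deny all` list is dropped without mention in the commit message, so `/_health` (and the Synapse `/health` behind it) is now reachable from any client; if the healthcheck runs from the control host or the WireGuard network, as the removed rules suggest, keep the allow list and change only the proxied path.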
@@ -8,7 +8,21 @@ server { include /etc/nginx/listen-proxy-protocol.conf; server_name {{ influxdb_url }}; - location ~ ^/(ping|metrics|status) { + location /ping { + # if /ping?verbose=true, it leaks the version + set $args ''; + + proxy_pass http://127.0.0.1:{{ influxdb_port }}; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $server_name; + } + + location ~ ^/(metrics|health|debug) { + # /health will leak version number + # /metrics are private + # /debug is also private allow 127.0.0.1; {% if inventory_hostname in my_public_ips -%} allow {{ my_public_ips[inventory_hostname] }}/32; -- 2.40.1
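Review bot: `status` was covered by the old restricted regex `^/(ping|metrics|status)` but appears in neither new location, so unless a location outside the hunk handles it, `/status` now goes wherever the vhost's default location sends it, without the allow list it had; add it to the `^/(metrics|health|debug)` group if it should stay private. `location /ping` is a prefix match and also captures `/pingfoo`; `location = /ping {` limits it to the health endpoint. Clearing the query with `set $args '';` relies on nginx discarding the original request line when `$args` is assigned, so the proxied URI is rebuilt without `?verbose=true`; that is nginx's behaviour as far as I know, but it is worth confirming after templating that a request with `?verbose=true` returns the short (non-verbose) response. The allow-listed location continues outside the hunk.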