#17 nginx configs for healthchecks #31

Merged
ben merged 4 commits from healthchecks into main 2022-10-25 23:48:07 +00:00
6 changed files with 60 additions and 25 deletions


@ -48,6 +48,17 @@
- authelia-config - authelia-config
notify: restart authelia container notify: restart authelia container
- name: template robots.txt
template:
src: "robots.txt.j2"
dest: "{{ systemuserlist.authelia.home }}/robots.txt"
owner: authelia
group: authelia
mode: 0755
tags:
- authelia-nginx
notify: reload nginx
- name: template nginx vhost - name: template nginx vhost
template: template:
src: 01-authelia.conf.j2 src: 01-authelia.conf.j2
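Review bot: `mode: 0755` on the new robots.txt task gives the execute bit to a static text file that nginx only needs to read via `alias`; `mode: "0644"` is sufficient. Quoting the octal also avoids the unquoted leading-zero literal being interpreted differently by YAML parsers (ansible-lint reports this as risky-octal). The notify of `reload nginx` looks right since the vhost change in this PR references the file by path.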


@ -48,13 +48,20 @@ server {
proxy_buffers 64 256k; proxy_buffers 64 256k;
} }
# the robots.txt file that authelia serves allows search engine
location = /robots.txt {
alias {{ systemuserlist.authelia.home }}/robots.txt;
}
# swagger: https://login.sudo.is/api/#/
location /api/verify { location /api/verify {
return 403; return 403;
} }
location /api/health { # only returns {"status": "OK"}, which is also included in /api/state anyway, which clients
return 403; # seem to access according to logs so cant deny those requests.
} # location /api/health {
# return 403;
# }
access_log /var/log/nginx/access_{{ authelia_login_url }}.log main; access_log /var/log/nginx/access_{{ authelia_login_url }}.log main;
error_log /var/log/nginx/error_{{ authelia_login_url }}.log warn; error_log /var/log/nginx/error_{{ authelia_login_url }}.log warn;
@ -72,8 +79,6 @@ server {
server { server {
#listen 443 ssl http2;
{% if inventory_hostname in wg_clients -%} {% if inventory_hostname in wg_clients -%}
listen {{ wg_clients[inventory_hostname].ip }}:443 ssl http2 default_server; listen {{ wg_clients[inventory_hostname].ip }}:443 ssl http2 default_server;
{% endif -%} {% endif -%}
@ -113,7 +118,7 @@ server {
} }
location /api/health { location /api {
proxy_pass http://{{ bridgewithdns.authelia}}:{{ authelia_port }}; proxy_pass http://{{ bridgewithdns.authelia}}:{{ authelia_port }};
proxy_redirect off; proxy_redirect off;
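Review bot: The third hunk widens `location /api/health` to `location /api` in the wireguard-facing server block, so `/api/verify` — which the first server block explicitly answers with `return 403;` — is now proxied to Authelia on that listener along with every other /api path. If that block is only reachable over the tunnel this may be intended, but a comment saying so, or a matching `location /api/verify { return 403; }` inside it, would make the difference between the two server blocks deliberate; the rest of that server block is outside the hunk, so I cannot see whether a narrower location already exists there. Separately, the new comment above `location = /robots.txt` reads `allows search engine` while the robots.txt template added in this PR is `Disallow: /`; unless the line was truncated in rendering, it should read `# the robots.txt served by authelia disallows all crawlers`.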


@ -0,0 +1,2 @@
User-agent: *
Disallow: /


@ -56,14 +56,14 @@ server {
# attempting to fix the title with nginx # attempting to fix the title with nginx
{% set jellyfin_title = jellyfin_url.split(".")[0].capitalize() %} {% set jellyfin_title = jellyfin_url.split(".")[0].capitalize() %}
sub_filter '<title>Jellyfin</title>' '<title>{{ jellyfin_title }}</title>'; #sub_filter '<title>Jellyfin</title>' '<title>{{ jellyfin_title }}</title>';
sub_filter 'document.title="Jellyfin"' 'document.title="{{ jellyfin_title }}"'; #sub_filter 'document.title="Jellyfin"' 'document.title="{{ jellyfin_title }}"';
sub_filter 'document.title=e||"Jellyfin"' 'document.title=e||"{{ jellyfin_title }}"'; #sub_filter 'document.title=e||"Jellyfin"' 'document.title=e||"{{ jellyfin_title }}"';
sub_filter 'document.title=B.ZP.translateHtml(document.title,"core")' 'document.title="{{ jellyfin_title }}"'; #sub_filter 'document.title=B.ZP.translateHtml(document.title,"core")' 'document.title="{{ jellyfin_title }}"';
# in addition to “text/html”. ## in addition to “text/html”.
sub_filter_types application/javascript; #sub_filter_types application/javascript;
sub_filter_last_modified on; #sub_filter_last_modified on;
sub_filter_once off; #sub_filter_once off;
location = / { location = / {
return 302 https://$host/web/; return 302 https://$host/web/;
@ -126,6 +126,17 @@ server {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
} }
{% endfor %} {% endfor %}
location = /_health {
proxy_pass http://127.0.0.1:{{ jellyfin_port }}/health;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
{# hide_header 'content-security-policy';
# hide_header 'x-response-time-ms';
# hide_header 'x-frame-options';
# hide_header 'x-xss-protection';
# hide_header 'last-modified'; #}
}
{# location /videos/ { {# location /videos/ {
# # cache video streams: https://jellyfin.org/docs/general/networking/nginx.html#cache-video-streams # # cache video streams: https://jellyfin.org/docs/general/networking/nginx.html#cache-video-streams
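Review bot: The new `location = /_health` proxies Jellyfin's /health to any client with no access control, while the influxdb template in the same PR keeps `/health` behind an allow-list because it leaks the version; if Jellyfin's /health is known to return only a status string, record that in a comment such as `# jellyfin /health returns only a status string, no version info, so no ACL`, otherwise reuse the same allow/deny list. Note also that the `hide_header` lines sit inside a `{# … #}` Jinja comment and are dropped at render time, so nothing is hidden from the health response; `proxy_hide_header` is the nginx directive if that is wanted later. The enclosing server block continues outside the hunk.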


@ -34,19 +34,11 @@ server {
} }
location /health { location = /_health {
allow 127.0.0.1; proxy_pass http://{{ bridgewithdns.matrix }}:{{ matrix_synapse_port }}/health;
{% if inventory_hostname in my_public_ips -%}
allow {{ my_public_ips[inventory_hostname] }}/32;
{% endif -%}
allow {{ my_public_ips[ansible_control_host] }}/32;
allow {{ wireguard_cidr }};
deny all;
proxy_pass http://{{ bridgewithdns.matrix }}:{{ matrix_synapse_port }};
proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host; proxy_set_header Host $host;
} }
location ~* ^(\/_matrix|\/_synapse\/client) { location ~* ^(\/_matrix|\/_synapse\/client) {
# working around this issue that seems to still be hapening # working around this issue that seems to still be hapening
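Review bot: This hunk drops the `allow 127.0.0.1` / wireguard / `deny all` ACL from the Synapse health location and exposes it as `/_health` to every client, in the same commit where the influxdb template keeps `/health` restricted because it leaks the version; the reason the ACL is safe to drop here (Synapse's /health is expected to return only `OK`) should be stated in a comment, e.g. `# synapse /health returns only "OK", no version info; no ACL needed`, so the asymmetry with influxdb is clearly intentional. Since the old `location /health` was a prefix match and the new one is `location = /_health`, the unchanged `location ~* ^(\/_matrix|\/_synapse\/client)` block below is unaffected by the rename.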


@ -8,7 +8,21 @@ server {
include /etc/nginx/listen-proxy-protocol.conf; include /etc/nginx/listen-proxy-protocol.conf;
server_name {{ influxdb_url }}; server_name {{ influxdb_url }};
location ~ ^/(ping|metrics|status) { location /ping {
# if /ping?verbose=true, it leaks the version
set $args '';
proxy_pass http://127.0.0.1:{{ influxdb_port }};
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
location ~ ^/(metrics|health|debug) {
# /health will leak version number
# /metrics are private
# /debug is also private
allow 127.0.0.1; allow 127.0.0.1;
{% if inventory_hostname in my_public_ips -%} {% if inventory_hostname in my_public_ips -%}
allow {{ my_public_ips[inventory_hostname] }}/32; allow {{ my_public_ips[inventory_hostname] }}/32;