From 9805ac9b2af8a56674d8a83311b09d2764dcf4f6 Mon Sep 17 00:00:00 2001
From: Karol Wypchlo
Date: Mon, 20 Dec 2021 14:54:42 +0100
Subject: [PATCH] limit local networks

---
 docker/nginx/conf.d/include/local-network-only | 3 +++
 docker/nginx/conf.d/server.local.conf | 8 ++------
 docker/nginx/conf.d/server/server.api | 7 ++-----
 3 files changed, 7 insertions(+), 11 deletions(-)
 create mode 100644 docker/nginx/conf.d/include/local-network-only

diff --git a/docker/nginx/conf.d/include/local-network-only b/docker/nginx/conf.d/include/local-network-only
new file mode 100644
index 00000000..84fa31f3
--- /dev/null
+++ b/docker/nginx/conf.d/include/local-network-only
@@ -0,0 +1,3 @@
+allow 127.0.0.1/32; # localhost
+allow 10.10.10.0/24; # docker network
+deny all;
diff --git a/docker/nginx/conf.d/server.local.conf b/docker/nginx/conf.d/server.local.conf
index a598a1e6..6c5af504 100644
--- a/docker/nginx/conf.d/server.local.conf
+++ b/docker/nginx/conf.d/server.local.conf
@@ -4,11 +4,7 @@ server {
 listen [::]:8000;
 
 # secure traffic by limiting to only local networks
- allow 10.0.0.0/8;
- allow 127.0.0.1/32;
- allow 172.16.0.0/12;
- allow 192.168.0.0/16;
- deny all;
-
+ include /etc/nginx/conf.d/include/local-network-only;
+
 include /etc/nginx/conf.d/server/server.local;
 }
diff --git a/docker/nginx/conf.d/server/server.api b/docker/nginx/conf.d/server/server.api
index 7e4b1c20..82dee277 100644
--- a/docker/nginx/conf.d/server/server.api
+++ b/docker/nginx/conf.d/server/server.api
@@ -334,11 +334,8 @@ location ~ "^/file/(([a-zA-Z0-9-_]{46}|[a-z0-9]{55})(/.*)?)$" {
 }
 
 location @purge {
- allow 10.0.0.0/8;
- allow 127.0.0.1/32;
- allow 172.16.0.0/12;
- allow 192.168.0.0/16;
- deny all;
+ # secure traffic by limiting to only local networks
+ include /etc/nginx/conf.d/include/local-network-only;
 
 set $lua_purge_path "/data/nginx/cache/";
 content_by_lua_file /etc/nginx/conf.d/scripts/purge-multi.lua;
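Review bot: The new include in local-network-only pins the trusted range to `10.10.10.0/24`, which is an assumption about the docker network definition that lives outside this patch; if that network is ever re-addressed, both the local server and `location @purge` start answering 403 for every container (fails closed, but silently). A comment pointing at the source of truth would help, e.g. `allow 10.10.10.0/24; # docker network — must match the subnet in the docker network definition (see <compose/network file, outside this patch>)`. Note also that `allow`/`deny` evaluate `$remote_addr`, so every container on that subnet, not only the nginx host, can reach `@purge` in server.api; and if the realip module (`set_real_ip_from`/`real_ip_header`) is configured elsewhere in this config, the address checked is the one substituted from the trusted proxy header rather than the TCP peer, which is worth confirming. The same include is consumed by the server.local.conf and server.api hunks, so this note applies to all three.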