From 9edf8399ed5baea84ecacd8c10404ee06c694cd0 Mon Sep 17 00:00:00 2001
From: gabbygator184
Date: Sat, 21 Sep 2024 15:05:07 -0300
Subject: [PATCH] Admin access more restrictive

Allow local IPs and the admin onion address to access /coodinator
---
 compose/nginx/mn.conf.d/local.conf | 27 ++++++++++++++++++++++++---
 compose/nginx/tn.conf.d/local.conf | 29 +++++++++++++++++++++++++----
 2 files changed, 49 insertions(+), 7 deletions(-)

diff --git a/compose/nginx/mn.conf.d/local.conf b/compose/nginx/mn.conf.d/local.conf
index 6598124..a9f7063 100644
--- a/compose/nginx/mn.conf.d/local.conf
+++ b/compose/nginx/mn.conf.d/local.conf
@@ -14,6 +14,18 @@ upstream robosats_daphne_websocket {
 server localhost:9000;
 }
 
+# Define a variable for allowed IPs
+geo $allowed_localIP {
+ default 0;
+ 192.168.0.0/16 1; # Allows access for IPs in the range 192.168.0.0/16 (192.168.0.0 ~ 192.168.255.255)
+ #192.168.x.x 1; # or use your local IP for more security and remove the above line
+}
+
+map $host $allowed_onion {
+ default 0;
+ "~*your-robotest-admin-onion-address\.onion" 1; # Allows access for your coordinator onion address
+}
+
 # now we declare our main server
 server {
 
@@ -42,9 +54,18 @@ server {
 }
 
 location /coordinator {
- # Blocks admin access from the public onion address
- if ($host ~* "robosats6tkf3eva7x2voqso3a5wcorsnw34jveyxfqi2fu7oyheasid.onion") {
- return 403; # Forbidden
+ # Denies any access by default
+ set $allow_access 0;
+
+ if ($allowed_localIP = 1) {
+ set $allow_access 1; # Allows access for local IPs
+ }
+ if ($allowed_onion = 1) {
+ set $allow_access 1; # Allows access for your coordinator onion address
+ }
+
+ if ($allow_access = 0){
+ return 403; # Access is forbidden if none of the above conditions are met.
 }
 
 proxy_pass http://robosats_gunicorn_rest;
diff --git a/compose/nginx/tn.conf.d/local.conf b/compose/nginx/tn.conf.d/local.conf
index 7c1fcb0..9a4b7b2 100644
--- a/compose/nginx/tn.conf.d/local.conf
+++ b/compose/nginx/tn.conf.d/local.conf
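Review bot: The `geo $allowed_localIP` block classifies on `$remote_addr`, and in a compose deployment like this one requests arriving through the Tor hidden service presumably reach nginx from the tor container's own address rather than the visitor's, so if that container network lies inside `192.168.0.0/16` every onion visitor, public onion included, ends up with `$allow_access 1` and the new restriction in the `/coordinator` hunk never applies. The second rule, `map $host $allowed_onion`, keys on the Host header, which the client supplies and which does not prove which onion address the connection came over, so the pair of rules is weaker than a dedicated `server` block per onion (a separate `HiddenServicePort` target port for the admin onion) that decides by listening socket rather than by header. If the `geo` approach is kept, narrow the range to the actual admin host and state the constraint in the config, e.g. `# only the admin host; must not overlap the docker/tor container network`, and anchor the map regex so it matches the exact name only: `"~^your-robotest-admin-onion-address\.onion$" 1;`. The same two blocks and the same `/coordinator` logic are duplicated in the tn.conf.d/local.conf hunks below, so the fix applies there as well.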
@@ -14,6 +14,18 @@ upstream robosats_daphne_websocket {
 server localhost:9000;
 }
 
+# Define a variable for allowed IPs
+geo $allowed_localIP {
+ default 0;
+ 192.168.0.0/16 1; # Allows access for IPs in the range 192.168.0.0/16 (192.168.0.0 ~ 192.168.255.255)
+ #192.168.x.x 1; # or use your local IP for more security and remove the above line
+}
+
+map $host $allowed_onion {
+ default 0;
+ "~*your-robotest-admin-onion-address\.onion" 1; # Allows access for your coordinator onion address
+}
+
 # now we declare our main server
 server {
 
@@ -41,12 +53,21 @@ server {
 }
 
 location /coordinator {
- # Blocks admin access from the public onion address
- if ($host ~* "robotestagw3dcxmd66r4rgksb4nmmr43fh77bzn2ia2eucduyeafnyd.onion") {
- return 403; # Forbidden
+ # Denies any access by default
+ set $allow_access 0;
+
+ if ($allowed_localIP = 1) {
+ set $allow_access 1; # Allows access for local IPs
+ }
+ if ($allowed_onion = 1) {
+ set $allow_access 1; # Allows access for your coordinator onion address
 }
 
- proxy_pass http://robosats_gunicorn_rest;
+ if ($allow_access = 0){
+ return 403; # Access is forbidden if none of the above conditions are met.
+ }
+
+ proxy_pass http://robosats_gunicorn_rest;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header Host $host;
 proxy_redirect off;