Merge pull request #16 from KoalaSat/patch-2

Block admin access in public onion
2025-12-24 05:55:43 +00:00 · 2024-08-02 19:08:54 +00:00
parent 5c2165fffa 8d5e24596d
commit 5239425db4
5 changed files with 37 additions and 3 deletions
--- a/compose/backup/Dockerfile
+++ b/compose/backup/Dockerfile
@ -3,8 +3,8 @@ FROM debian:bullseye-slim
 RUN apt update
 RUN apt-get install rsync -y

-WORKDIR /usr/src/backup.sh
+COPY backup.sh /usr/src

-COPY backup.sh /usr/src/backup.sh
+WORKDIR /usr/src

 CMD ["bash","backup.sh"]
--- a/compose/docker-compose.yml
+++ b/compose/docker-compose.yml
@ -152,8 +152,9 @@ services:
  #     NETWORK: ${NETWORK}
  #   volumes:
  #     - ${DATABASE}:/running/database:ro
-  #     - ${BITCOIN_DATA}:/running/bitcoin:ro
+  #     - ${BITCOIN_CONF:?}:/running/bitcoin/bitcoin.conf:ro
  #     - ${LND_DATA}:/running/lnd:ro
+  #     - ${LND_CONF}:/running/lnd/lnd.conf:ro
  #     - ${LIT_DATA}:/running/lit:ro
  #     - ${STATIC}:/running/static:ro
  #     - ${BU_DIR1}:/backup1
--- a/compose/env-sample/lndtn/torrc
+++ b/compose/env-sample/lndtn/torrc
@ -17,6 +17,10 @@ HiddenServiceVersion 3
 HiddenServicePort 80 127.0.0.1:80

 # Robosats Admin Testnet Onion Service
+HiddenServiceDir /var/lib/tor/robotest-admin/
+HiddenServiceVersion 3
+HiddenServicePort 80 127.0.0.1:80
+
 HiddenServiceDir /var/lib/tor/robotest-thunderhub/
 HiddenServiceVersion 3
 HiddenServicePort 80 127.0.0.1:3000
--- a/compose/nginx/mn.conf.d/local.conf
+++ b/compose/nginx/mn.conf.d/local.conf
@ -41,6 +41,20 @@ server {
        limit_req zone=tenpersec burst=10;
    }

+    location /coordinator {
+        # Blocks admin access from the public onion address
+        if ($host ~* "robosats6tkf3eva7x2voqso3a5wcorsnw34jveyxfqi2fu7oyheasid.onion") {
+            return 403;  # Forbidden
+        }
+
+        proxy_pass http://robosats_gunicorn_rest;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header Host $host;
+        proxy_redirect off;
+        # Replace with the onion hidden service of your coordinator
+        add_header Onion-Location https://robosats6tkf3eva7x2voqso3a5wcorsnw34jveyxfqi2fu7oyheasid.onion$request_uri;
+
+    }
    
    location /ws/ {
 	# websockets are passed to Daphne
--- a/compose/nginx/tn.conf.d/local.conf
+++ b/compose/nginx/tn.conf.d/local.conf
@ -40,6 +40,21 @@ server {
        limit_req zone=fivepersec burst=10;
    }

+    location /coordinator {
+        # Blocks admin access from the public onion address
+        if ($host ~* "robotestagw3dcxmd66r4rgksb4nmmr43fh77bzn2ia2eucduyeafnyd.onion") {
+            return 403;  # Forbidden
+        }
+
+	proxy_pass http://robosats_gunicorn_rest;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header Host $host;
+        proxy_redirect off;
+        # Replace with the onion hidden service of your coordinator
+        add_header Onion-Location https://robotestagw3dcxmd66r4rgksb4nmmr43fh77bzn2ia2eucduyeafnyd.onion$request_uri;
+
+    }
+
    location /ws/ {
 	    # websockets are passed to Daphne
        proxy_pass http://robosats_daphne_websocket;