Admin access more restrictive

Allow local IPs and the admin onion address to access /coodinator
2025-08-12 13:00:09 +00:00 · 2024-09-21 15:05:07 -03:00
parent d3f3291ebb
commit 9edf8399ed
2 changed files with 49 additions and 7 deletions
--- a/compose/nginx/mn.conf.d/local.conf
+++ b/compose/nginx/mn.conf.d/local.conf
@ -14,6 +14,18 @@ upstream robosats_daphne_websocket {
    server localhost:9000;
 }

+# Define a variable for allowed IPs
+geo $allowed_localIP {
+    default 0;
+    192.168.0.0/16 1;  # Allows access for IPs in the range 192.168.0.0/16 (192.168.0.0 ~ 192.168.255.255)
+    #192.168.x.x 1; # or use your local IP for more security and remove the above line
+}
+
+map $host $allowed_onion {
+    default 0;
+    "~*your-robotest-admin-onion-address\.onion" 1;  # Allows access for your coordinator onion address
+}
+
 # now we declare our main server
 server {

@ -42,9 +54,18 @@ server {
    }

    location /coordinator {
-        # Blocks admin access from the public onion address
-        if ($host ~* "robosats6tkf3eva7x2voqso3a5wcorsnw34jveyxfqi2fu7oyheasid.onion") {
-            return 403;  # Forbidden
+        # Denies any access by default
+        set $allow_access 0;
+
+        if ($allowed_localIP = 1) {
+            set $allow_access 1; # Allows access for local IPs
+        }
+        if ($allowed_onion = 1) {
+            set $allow_access 1; # Allows access for your coordinator onion address
+        }
+
+        if ($allow_access = 0){
+            return 403; # Access is forbidden if none of the above conditions are met.
        }

        proxy_pass http://robosats_gunicorn_rest;
--- a/compose/nginx/tn.conf.d/local.conf
+++ b/compose/nginx/tn.conf.d/local.conf
@ -14,6 +14,18 @@ upstream robosats_daphne_websocket {
    server localhost:9000;
 }

+# Define a variable for allowed IPs
+geo $allowed_localIP {
+    default 0;
+    192.168.0.0/16 1;  # Allows access for IPs in the range 192.168.0.0/16 (192.168.0.0 ~ 192.168.255.255)
+    #192.168.x.x 1; # or use your local IP for more security and remove the above line
+}
+
+map $host $allowed_onion {
+    default 0;
+    "~*your-robotest-admin-onion-address\.onion" 1;  # Allows access for your coordinator onion address
+}
+
 # now we declare our main server
 server {

@ -41,12 +53,21 @@ server {
    }

    location /coordinator {
-        # Blocks admin access from the public onion address
-        if ($host ~* "robotestagw3dcxmd66r4rgksb4nmmr43fh77bzn2ia2eucduyeafnyd.onion") {
-            return 403;  # Forbidden
+        # Denies any access by default
+        set $allow_access 0;
+
+        if ($allowed_localIP = 1) {
+            set $allow_access 1; # Allows access for local IPs
+        }
+        if ($allowed_onion = 1) {
+            set $allow_access 1; # Allows access for your coordinator onion address
        }

-	proxy_pass http://robosats_gunicorn_rest;
+        if ($allow_access = 0){
+            return 403; # Access is forbidden if none of the above conditions are met.
+        }
+
+        proxy_pass http://robosats_gunicorn_rest;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_redirect off;