fix: allow health checks from internal ips only
janosmiko committed Jan 27, 2025
1 parent 65fb326 commit 9a42da9
Showing 15 changed files with 197 additions and 71 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/lint-dockerfiles.yml
Expand Up @@ -33,4 +33,4 @@ jobs:
- name: Run Hadolint
run: |
set -euo pipefail
find ./images/varnish -type f -name "tpl.Dockerfile" -print0 | xargs -I{} -0 /bin/bash -c "echo {}; hadolint <(gomplate -f {} -o -)"
find ./images -type f -name "tpl.Dockerfile" -print0 | xargs -I{} -0 /bin/bash -c "echo {}; hadolint <(gomplate -f {} -o -)"
20 changes: 20 additions & 0 deletions images/nginx/context/rootfs/etc/nginx/conf.d/default.conf.template
Expand Up @@ -71,6 +71,26 @@ map $http_x_forwarded_proto $fastcgi_https {
https on;
}

geo $internal_ip {
default 0;
127.0.0.1 1;
10.0.0.0/8 1;
172.16.0.0/12 1;
192.168.0.0/16 1;
}

map $http_x_health_check $health_check {
"internal" 1;
default 0;
}

map $internal_ip$health_check $allowed {
"00" 0;
"01" 1;
"10" 1;
"11" 1;
}

include /etc/nginx/snippets.d/http-*.conf;
include /etc/nginx/snippets/http-*.conf;

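Review bot: The `"01" 1;` entry in `map $internal_ip$health_check $allowed` grants access to any client whose request carries `X-Health-Check: internal`, regardless of source address, so the restriction named in the commit title is not enforced — the header is client-supplied, and the `allow`/`deny` lists this replaces had no such bypass. If the header is meant as an extra signal for probes that already come from an internal address, change that entry to `"01" 0;` so only `"10"` and `"11"` pass; if an external prober is meant to get through on the header alone, that is a deliberate exposure and should be stated in a comment on the map. `geo` matches against `$remote_addr`, so behind an ingress or load balancer without `real_ip_header`/`set_real_ip_from` configured the proxy's (often private) address would classify every request as internal — presumably relevant to the deployments this image targets, and worth a comment such as `# $internal_ip is derived from $remote_addr; configure real_ip when fronted by a proxy`. The identical block is added in the six other default.conf.template sections of this commit and the same applies to each.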
@@ -1,20 +1,18 @@
location = /healthz/nginx {
allow 127.0.0.1;
allow 10.0.0.0/8;
allow 172.16.0.0/12;
allow 192.168.0.0/16;
deny all;
if ($allowed = 0) {
return 403;
}

access_log off;
add_header Content-Type text/plain;
return 200 "ok";
}

location ~ ^/healthz/php-fpm(-status)?$ {
allow 127.0.0.1;
allow 10.0.0.0/8;
allow 172.16.0.0/12;
allow 192.168.0.0/16;
deny all;
if ($allowed = 0) {
return 403;
}

access_log off;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_index index.php;
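Review bot: `if ($allowed = 0)` in both locations references a variable this snippet does not declare; it resolves only when the snippet is included under an http block that carries the new `geo`/`map` definitions, otherwise nginx refuses the configuration at load time with an unknown-variable error, whereas the removed `allow`/`deny` directives were self-contained. A one-line comment at the top of the file, `# requires $allowed from conf.d/default.conf.template (geo $internal_ip + map $http_x_health_check)`, would make that coupling visible to whoever includes this file elsewhere. The php-fpm location continues past the end of the hunk. The same change is repeated in the six other healthz sections of this commit.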
Expand Up @@ -68,6 +68,26 @@ map $http_x_forwarded_proto $fastcgi_https {
https on;
}

geo $internal_ip {
default 0;
127.0.0.1 1;
10.0.0.0/8 1;
172.16.0.0/12 1;
192.168.0.0/16 1;
}

map $http_x_health_check $health_check {
"internal" 1;
default 0;
}

map $internal_ip$health_check $allowed {
"00" 0;
"01" 1;
"10" 1;
"11" 1;
}

include /etc/nginx/snippets.d/http-*.conf;
include /etc/nginx/snippets/http-*.conf;

@@ -1,20 +1,18 @@
location = /healthz/nginx {
allow 127.0.0.1;
allow 10.0.0.0/8;
allow 172.16.0.0/12;
allow 192.168.0.0/16;
deny all;
if ($allowed = 0) {
return 403;
}

access_log off;
add_header Content-Type text/plain;
return 200 "ok";
}

location ~ ^/healthz/php-fpm(-status)?$ {
allow 127.0.0.1;
allow 10.0.0.0/8;
allow 172.16.0.0/12;
allow 192.168.0.0/16;
deny all;
if ($allowed = 0) {
return 403;
}

access_log off;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_index index.php;
Expand Up @@ -32,6 +32,26 @@ map $http_x_forwarded_proto $fastcgi_https {
https on;
}

geo $internal_ip {
default 0;
127.0.0.1 1;
10.0.0.0/8 1;
172.16.0.0/12 1;
192.168.0.0/16 1;
}

map $http_x_health_check $health_check {
"internal" 1;
default 0;
}

map $internal_ip$health_check $allowed {
"00" 0;
"01" 1;
"10" 1;
"11" 1;
}

include /etc/nginx/snippets.d/http-*.conf;
include /etc/nginx/snippets/http-*.conf;

@@ -1,20 +1,18 @@
location = /healthz/nginx {
allow 127.0.0.1;
allow 10.0.0.0/8;
allow 172.16.0.0/12;
allow 192.168.0.0/16;
deny all;
if ($allowed = 0) {
return 403;
}

access_log off;
add_header Content-Type text/plain;
return 200 "ok";
}

location ~ ^/healthz/php-fpm(-status)?$ {
allow 127.0.0.1;
allow 10.0.0.0/8;
allow 172.16.0.0/12;
allow 192.168.0.0/16;
deny all;
if ($allowed = 0) {
return 403;
}

access_log off;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_index index.php;
Expand Up @@ -32,6 +32,26 @@ map $http_x_forwarded_proto $fastcgi_https {
https on;
}

geo $internal_ip {
default 0;
127.0.0.1 1;
10.0.0.0/8 1;
172.16.0.0/12 1;
192.168.0.0/16 1;
}

map $http_x_health_check $health_check {
"internal" 1;
default 0;
}

map $internal_ip$health_check $allowed {
"00" 0;
"01" 1;
"10" 1;
"11" 1;
}

include /etc/nginx/snippets.d/http-*.conf;
include /etc/nginx/snippets/http-*.conf;

@@ -1,20 +1,18 @@
location = /healthz/nginx {
allow 127.0.0.1;
allow 10.0.0.0/8;
allow 172.16.0.0/12;
allow 192.168.0.0/16;
deny all;
if ($allowed = 0) {
return 403;
}

access_log off;
add_header Content-Type text/plain;
return 200 "ok";
}

location ~ ^/healthz/php-fpm(-status)?$ {
allow 127.0.0.1;
allow 10.0.0.0/8;
allow 172.16.0.0/12;
allow 192.168.0.0/16;
deny all;
if ($allowed = 0) {
return 403;
}

access_log off;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_index index.php;
Expand Up @@ -68,6 +68,26 @@ map $http_x_forwarded_proto $fastcgi_https {
https on;
}

geo $internal_ip {
default 0;
127.0.0.1 1;
10.0.0.0/8 1;
172.16.0.0/12 1;
192.168.0.0/16 1;
}

map $http_x_health_check $health_check {
"internal" 1;
default 0;
}

map $internal_ip$health_check $allowed {
"00" 0;
"01" 1;
"10" 1;
"11" 1;
}

include /etc/nginx/snippets.d/http-*.conf;
include /etc/nginx/snippets/http-*.conf;

@@ -1,20 +1,18 @@
location = /healthz/nginx {
allow 127.0.0.1;
allow 10.0.0.0/8;
allow 172.16.0.0/12;
allow 192.168.0.0/16;
deny all;
if ($allowed = 0) {
return 403;
}

access_log off;
add_header Content-Type text/plain;
return 200 "ok";
}

location ~ ^/healthz/php-fpm(-status)?$ {
allow 127.0.0.1;
allow 10.0.0.0/8;
allow 172.16.0.0/12;
allow 192.168.0.0/16;
deny all;
if ($allowed = 0) {
return 403;
}

access_log off;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_index index.php;
Expand Up @@ -32,6 +32,26 @@ map $http_x_forwarded_proto $fastcgi_https {
https on;
}

geo $internal_ip {
default 0;
127.0.0.1 1;
10.0.0.0/8 1;
172.16.0.0/12 1;
192.168.0.0/16 1;
}

map $http_x_health_check $health_check {
"internal" 1;
default 0;
}

map $internal_ip$health_check $allowed {
"00" 0;
"01" 1;
"10" 1;
"11" 1;
}

include /etc/nginx/snippets.d/http-*.conf;
include /etc/nginx/snippets/http-*.conf;

@@ -1,20 +1,18 @@
location = /healthz/nginx {
allow 127.0.0.1;
allow 10.0.0.0/8;
allow 172.16.0.0/12;
allow 192.168.0.0/16;
deny all;
if ($allowed = 0) {
return 403;
}

access_log off;
add_header Content-Type text/plain;
return 200 "ok";
}

location ~ ^/healthz/php-fpm(-status)?$ {
allow 127.0.0.1;
allow 10.0.0.0/8;
allow 172.16.0.0/12;
allow 192.168.0.0/16;
deny all;
if ($allowed = 0) {
return 403;
}

access_log off;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_index index.php;
Expand Up @@ -32,6 +32,26 @@ map $http_x_forwarded_proto $fastcgi_https {
https on;
}

geo $internal_ip {
default 0;
127.0.0.1 1;
10.0.0.0/8 1;
172.16.0.0/12 1;
192.168.0.0/16 1;
}

map $http_x_health_check $health_check {
"internal" 1;
default 0;
}

map $internal_ip$health_check $allowed {
"00" 0;
"01" 1;
"10" 1;
"11" 1;
}

include /etc/nginx/snippets.d/http-*.conf;
include /etc/nginx/snippets/http-*.conf;

@@ -1,20 +1,18 @@
location = /healthz/nginx {
allow 127.0.0.1;
allow 10.0.0.0/8;
allow 172.16.0.0/12;
allow 192.168.0.0/16;
deny all;
if ($allowed = 0) {
return 403;
}

access_log off;
add_header Content-Type text/plain;
return 200 "ok";
}

location ~ ^/healthz/php-fpm(-status)?$ {
allow 127.0.0.1;
allow 10.0.0.0/8;
allow 172.16.0.0/12;
allow 192.168.0.0/16;
deny all;
if ($allowed = 0) {
return 403;
}

access_log off;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_index index.php;