From 9a42da97f596b8fa435859e92959f244e3f29874 Mon Sep 17 00:00:00 2001 From: Janos Miko Date: Mon, 27 Jan 2025 11:08:21 +0100 Subject: [PATCH] fix: allow health checks from internal ips only --- .github/workflows/lint-dockerfiles.yml | 2 +- .../etc/nginx/conf.d/default.conf.template | 20 +++++++++++++++++++ .../snippets.d/server-status.conf.template | 18 ++++++++--------- .../etc/nginx/conf.d/default.conf.template | 20 +++++++++++++++++++ .../snippets.d/server-status.conf.template | 18 ++++++++--------- .../etc/nginx/conf.d/default.conf.template | 20 +++++++++++++++++++ .../snippets.d/server-status.conf.template | 18 ++++++++--------- .../etc/nginx/conf.d/default.conf.template | 20 +++++++++++++++++++ .../snippets.d/server-status.conf.template | 18 ++++++++--------- .../etc/nginx/conf.d/default.conf.template | 20 +++++++++++++++++++ .../snippets.d/server-status.conf.template | 18 ++++++++--------- .../etc/nginx/conf.d/default.conf.template | 20 +++++++++++++++++++ .../snippets.d/server-status.conf.template | 18 ++++++++--------- .../etc/nginx/conf.d/default.conf.template | 20 +++++++++++++++++++ .../snippets.d/server-status.conf.template | 18 ++++++++--------- 15 files changed, 197 insertions(+), 71 deletions(-) diff --git a/.github/workflows/lint-dockerfiles.yml b/.github/workflows/lint-dockerfiles.yml index 924ac878..fa6eaa88 100644 --- a/.github/workflows/lint-dockerfiles.yml +++ b/.github/workflows/lint-dockerfiles.yml @@ -33,4 +33,4 @@ jobs: - name: Run Hadolint run: | set -euo pipefail - find ./images/varnish -type f -name "tpl.Dockerfile" -print0 | xargs -I{} -0 /bin/bash -c "echo {}; hadolint <(gomplate -f {} -o -)" + find ./images -type f -name "tpl.Dockerfile" -print0 | xargs -I{} -0 /bin/bash -c "echo {}; hadolint <(gomplate -f {} -o -)" diff --git a/images/nginx/context/rootfs/etc/nginx/conf.d/default.conf.template b/images/nginx/context/rootfs/etc/nginx/conf.d/default.conf.template index 35c86170..6fea4cdd 100644 
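Review bot: The rewritten `find` line still splices each path into the `/bin/bash -c` command string with `-I{}`, so the `-print0`/`-0` pairing protects the xargs boundary but not the shell that then parses the path; with the scan now covering every tpl.Dockerfile under ./images rather than only ./images/varnish, a directory name containing shell metacharacters would be interpreted as shell syntax instead of being treated as a file name. Passing the path as a positional parameter keeps it out of the command text: `find ./images -type f -name "tpl.Dockerfile" -print0 | xargs -0 -n1 /bin/bash -c 'echo "$1"; hadolint <(gomplate -f "$1" -o -)' _`. The process substitution still requires bash, which the original line already invokes.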
--- a/images/nginx/context/rootfs/etc/nginx/conf.d/default.conf.template +++ b/images/nginx/context/rootfs/etc/nginx/conf.d/default.conf.template @@ -71,6 +71,26 @@ map $http_x_forwarded_proto $fastcgi_https { https on; } +geo $internal_ip { + default 0; + 127.0.0.1 1; + 10.0.0.0/8 1; + 172.16.0.0/12 1; + 192.168.0.0/16 1; +} + +map $http_x_health_check $health_check { + "internal" 1; + default 0; +} + +map $internal_ip$health_check $allowed { + "00" 0; + "01" 1; + "10" 1; + "11" 1; +} + include /etc/nginx/snippets.d/http-*.conf; include /etc/nginx/snippets/http-*.conf; diff --git a/images/nginx/context/rootfs/etc/nginx/snippets.d/server-status.conf.template b/images/nginx/context/rootfs/etc/nginx/snippets.d/server-status.conf.template index a92b3421..e670f139 100644 --- a/images/nginx/context/rootfs/etc/nginx/snippets.d/server-status.conf.template +++ b/images/nginx/context/rootfs/etc/nginx/snippets.d/server-status.conf.template @@ -1,20 +1,18 @@ location = /healthz/nginx { - allow 127.0.0.1; - allow 10.0.0.0/8; - allow 172.16.0.0/12; - allow 192.168.0.0/16; - deny all; + if ($allowed = 0) { + return 403; + } + access_log off; add_header Content-Type text/plain; return 200 "ok"; } location ~ ^/healthz/php-fpm(-status)?$ { - allow 127.0.0.1; - allow 10.0.0.0/8; - allow 172.16.0.0/12; - allow 192.168.0.0/16; - deny all; + if ($allowed = 0) { + return 403; + } + access_log off; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_index index.php; diff --git a/images/php-fpm-rootless/magento2-web/context/rootfs/etc/nginx/conf.d/default.conf.template b/images/php-fpm-rootless/magento2-web/context/rootfs/etc/nginx/conf.d/default.conf.template index 266b11ff..c9b3a937 100644 --- a/images/php-fpm-rootless/magento2-web/context/rootfs/etc/nginx/conf.d/default.conf.template +++ b/images/php-fpm-rootless/magento2-web/context/rootfs/etc/nginx/conf.d/default.conf.template 
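Review bot: The `"01" 1;` entry in the `map $internal_ip$health_check $allowed` block grants access to any client outside the listed private ranges as long as the request carries `X-Health-Check: internal`, and that value is a fixed literal visible in the repository rather than a secret, so the effective policy is header-or-internal-address and not the "internal ips only" that the commit title states. If the header path is needed for a probe that arrives from a non-private source, compare the header against a per-deployment value supplied through the template rather than a constant, and keep the php-fpm status location on the address check alone; otherwise change the entry to `"01" 0;` so the map reduces to the address test. The `geo $internal_ip` block is evaluated on `$remote_addr`, so behind a reverse proxy that itself sits on a private range every forwarded request classifies as internal unless the real-IP module rewrites the client address — presumably the same situation as with the previous `allow` list, but worth a comment such as `# NOTE: geo matches $remote_addr; use set_real_ip_from when a proxy sits in front`. The identical map is added in the six other default.conf.template hunks (the php-fpm-rootless and php-fpm variants of magento2-web, shopware-web and wordpress-web), which need the same correction.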
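Review bot: Both locations now gate on `$allowed`, so `/healthz/php-fpm-status`, which from the `fastcgi_param` lines appears to hand the request to php-fpm, becomes reachable from outside the private ranges whenever the request carries the header that the `$allowed` map accepts, whereas the removed `allow`/`deny` list gave that location an address-only check. Its output is more sensitive than the static `"ok"` returned by `/healthz/nginx`, so this location should keep an address-only test — `if ($internal_ip = 0) { return 403; }` — or simply retain its former `allow`/`deny` directives, which need no variables and work inside a `location` without `if`. The `location ~ ^/healthz/php-fpm(-status)?$` block continues past the end of the hunk. The same replacement is applied in the six other server-status.conf.template hunks.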
@@ -68,6 +68,26 @@ map $http_x_forwarded_proto $fastcgi_https { https on; } +geo $internal_ip { + default 0; + 127.0.0.1 1; + 10.0.0.0/8 1; + 172.16.0.0/12 1; + 192.168.0.0/16 1; +} + +map $http_x_health_check $health_check { + "internal" 1; + default 0; +} + +map $internal_ip$health_check $allowed { + "00" 0; + "01" 1; + "10" 1; + "11" 1; +} + include /etc/nginx/snippets.d/http-*.conf; include /etc/nginx/snippets/http-*.conf; diff --git a/images/php-fpm-rootless/magento2-web/context/rootfs/etc/nginx/snippets.d/server-status.conf.template b/images/php-fpm-rootless/magento2-web/context/rootfs/etc/nginx/snippets.d/server-status.conf.template index a92b3421..e670f139 100644 --- a/images/php-fpm-rootless/magento2-web/context/rootfs/etc/nginx/snippets.d/server-status.conf.template +++ b/images/php-fpm-rootless/magento2-web/context/rootfs/etc/nginx/snippets.d/server-status.conf.template @@ -1,20 +1,18 @@ location = /healthz/nginx { - allow 127.0.0.1; - allow 10.0.0.0/8; - allow 172.16.0.0/12; - allow 192.168.0.0/16; - deny all; + if ($allowed = 0) { + return 403; + } + access_log off; add_header Content-Type text/plain; return 200 "ok"; } location ~ ^/healthz/php-fpm(-status)?$ { - allow 127.0.0.1; - allow 10.0.0.0/8; - allow 172.16.0.0/12; - allow 192.168.0.0/16; - deny all; + if ($allowed = 0) { + return 403; + } + access_log off; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_index index.php; diff --git a/images/php-fpm-rootless/shopware-web/context/rootfs/etc/nginx/conf.d/default.conf.template b/images/php-fpm-rootless/shopware-web/context/rootfs/etc/nginx/conf.d/default.conf.template index 806ea2f0..696f0a7a 100644 --- a/images/php-fpm-rootless/shopware-web/context/rootfs/etc/nginx/conf.d/default.conf.template +++ b/images/php-fpm-rootless/shopware-web/context/rootfs/etc/nginx/conf.d/default.conf.template 
@@ -32,6 +32,26 @@ map $http_x_forwarded_proto $fastcgi_https { https on; } +geo $internal_ip { + default 0; + 127.0.0.1 1; + 10.0.0.0/8 1; + 172.16.0.0/12 1; + 192.168.0.0/16 1; +} + +map $http_x_health_check $health_check { + "internal" 1; + default 0; +} + +map $internal_ip$health_check $allowed { + "00" 0; + "01" 1; + "10" 1; + "11" 1; +} + include /etc/nginx/snippets.d/http-*.conf; include /etc/nginx/snippets/http-*.conf; diff --git a/images/php-fpm-rootless/shopware-web/context/rootfs/etc/nginx/snippets.d/server-status.conf.template b/images/php-fpm-rootless/shopware-web/context/rootfs/etc/nginx/snippets.d/server-status.conf.template index a92b3421..e670f139 100644 --- a/images/php-fpm-rootless/shopware-web/context/rootfs/etc/nginx/snippets.d/server-status.conf.template +++ b/images/php-fpm-rootless/shopware-web/context/rootfs/etc/nginx/snippets.d/server-status.conf.template @@ -1,20 +1,18 @@ location = /healthz/nginx { - allow 127.0.0.1; - allow 10.0.0.0/8; - allow 172.16.0.0/12; - allow 192.168.0.0/16; - deny all; + if ($allowed = 0) { + return 403; + } + access_log off; add_header Content-Type text/plain; return 200 "ok"; } location ~ ^/healthz/php-fpm(-status)?$ { - allow 127.0.0.1; - allow 10.0.0.0/8; - allow 172.16.0.0/12; - allow 192.168.0.0/16; - deny all; + if ($allowed = 0) { + return 403; + } + access_log off; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_index index.php; diff --git a/images/php-fpm-rootless/wordpress-web/context/rootfs/etc/nginx/conf.d/default.conf.template b/images/php-fpm-rootless/wordpress-web/context/rootfs/etc/nginx/conf.d/default.conf.template index ea776551..bb58adf5 100644 --- a/images/php-fpm-rootless/wordpress-web/context/rootfs/etc/nginx/conf.d/default.conf.template +++ b/images/php-fpm-rootless/wordpress-web/context/rootfs/etc/nginx/conf.d/default.conf.template 
@@ -32,6 +32,26 @@ map $http_x_forwarded_proto $fastcgi_https { https on; } +geo $internal_ip { + default 0; + 127.0.0.1 1; + 10.0.0.0/8 1; + 172.16.0.0/12 1; + 192.168.0.0/16 1; +} + +map $http_x_health_check $health_check { + "internal" 1; + default 0; +} + +map $internal_ip$health_check $allowed { + "00" 0; + "01" 1; + "10" 1; + "11" 1; +} + include /etc/nginx/snippets.d/http-*.conf; include /etc/nginx/snippets/http-*.conf; diff --git a/images/php-fpm-rootless/wordpress-web/context/rootfs/etc/nginx/snippets.d/server-status.conf.template b/images/php-fpm-rootless/wordpress-web/context/rootfs/etc/nginx/snippets.d/server-status.conf.template index a92b3421..e670f139 100644 --- a/images/php-fpm-rootless/wordpress-web/context/rootfs/etc/nginx/snippets.d/server-status.conf.template +++ b/images/php-fpm-rootless/wordpress-web/context/rootfs/etc/nginx/snippets.d/server-status.conf.template @@ -1,20 +1,18 @@ location = /healthz/nginx { - allow 127.0.0.1; - allow 10.0.0.0/8; - allow 172.16.0.0/12; - allow 192.168.0.0/16; - deny all; + if ($allowed = 0) { + return 403; + } + access_log off; add_header Content-Type text/plain; return 200 "ok"; } location ~ ^/healthz/php-fpm(-status)?$ { - allow 127.0.0.1; - allow 10.0.0.0/8; - allow 172.16.0.0/12; - allow 192.168.0.0/16; - deny all; + if ($allowed = 0) { + return 403; + } + access_log off; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_index index.php; diff --git a/images/php-fpm/magento2-web/context/rootfs/etc/nginx/conf.d/default.conf.template b/images/php-fpm/magento2-web/context/rootfs/etc/nginx/conf.d/default.conf.template index 266b11ff..c9b3a937 100644 --- a/images/php-fpm/magento2-web/context/rootfs/etc/nginx/conf.d/default.conf.template +++ b/images/php-fpm/magento2-web/context/rootfs/etc/nginx/conf.d/default.conf.template 
@@ -68,6 +68,26 @@ map $http_x_forwarded_proto $fastcgi_https { https on; } +geo $internal_ip { + default 0; + 127.0.0.1 1; + 10.0.0.0/8 1; + 172.16.0.0/12 1; + 192.168.0.0/16 1; +} + +map $http_x_health_check $health_check { + "internal" 1; + default 0; +} + +map $internal_ip$health_check $allowed { + "00" 0; + "01" 1; + "10" 1; + "11" 1; +} + include /etc/nginx/snippets.d/http-*.conf; include /etc/nginx/snippets/http-*.conf; diff --git a/images/php-fpm/magento2-web/context/rootfs/etc/nginx/snippets.d/server-status.conf.template b/images/php-fpm/magento2-web/context/rootfs/etc/nginx/snippets.d/server-status.conf.template index a92b3421..e670f139 100644 --- a/images/php-fpm/magento2-web/context/rootfs/etc/nginx/snippets.d/server-status.conf.template +++ b/images/php-fpm/magento2-web/context/rootfs/etc/nginx/snippets.d/server-status.conf.template @@ -1,20 +1,18 @@ location = /healthz/nginx { - allow 127.0.0.1; - allow 10.0.0.0/8; - allow 172.16.0.0/12; - allow 192.168.0.0/16; - deny all; + if ($allowed = 0) { + return 403; + } + access_log off; add_header Content-Type text/plain; return 200 "ok"; } location ~ ^/healthz/php-fpm(-status)?$ { - allow 127.0.0.1; - allow 10.0.0.0/8; - allow 172.16.0.0/12; - allow 192.168.0.0/16; - deny all; + if ($allowed = 0) { + return 403; + } + access_log off; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_index index.php; diff --git a/images/php-fpm/shopware-web/context/rootfs/etc/nginx/conf.d/default.conf.template b/images/php-fpm/shopware-web/context/rootfs/etc/nginx/conf.d/default.conf.template index 806ea2f0..696f0a7a 100644 --- a/images/php-fpm/shopware-web/context/rootfs/etc/nginx/conf.d/default.conf.template +++ b/images/php-fpm/shopware-web/context/rootfs/etc/nginx/conf.d/default.conf.template 
@@ -32,6 +32,26 @@ map $http_x_forwarded_proto $fastcgi_https { https on; } +geo $internal_ip { + default 0; + 127.0.0.1 1; + 10.0.0.0/8 1; + 172.16.0.0/12 1; + 192.168.0.0/16 1; +} + +map $http_x_health_check $health_check { + "internal" 1; + default 0; +} + +map $internal_ip$health_check $allowed { + "00" 0; + "01" 1; + "10" 1; + "11" 1; +} + include /etc/nginx/snippets.d/http-*.conf; include /etc/nginx/snippets/http-*.conf; diff --git a/images/php-fpm/shopware-web/context/rootfs/etc/nginx/snippets.d/server-status.conf.template b/images/php-fpm/shopware-web/context/rootfs/etc/nginx/snippets.d/server-status.conf.template index a92b3421..e670f139 100644 --- a/images/php-fpm/shopware-web/context/rootfs/etc/nginx/snippets.d/server-status.conf.template +++ b/images/php-fpm/shopware-web/context/rootfs/etc/nginx/snippets.d/server-status.conf.template @@ -1,20 +1,18 @@ location = /healthz/nginx { - allow 127.0.0.1; - allow 10.0.0.0/8; - allow 172.16.0.0/12; - allow 192.168.0.0/16; - deny all; + if ($allowed = 0) { + return 403; + } + access_log off; add_header Content-Type text/plain; return 200 "ok"; } location ~ ^/healthz/php-fpm(-status)?$ { - allow 127.0.0.1; - allow 10.0.0.0/8; - allow 172.16.0.0/12; - allow 192.168.0.0/16; - deny all; + if ($allowed = 0) { + return 403; + } + access_log off; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_index index.php; diff --git a/images/php-fpm/wordpress-web/context/rootfs/etc/nginx/conf.d/default.conf.template b/images/php-fpm/wordpress-web/context/rootfs/etc/nginx/conf.d/default.conf.template index ea776551..bb58adf5 100644 --- a/images/php-fpm/wordpress-web/context/rootfs/etc/nginx/conf.d/default.conf.template +++ b/images/php-fpm/wordpress-web/context/rootfs/etc/nginx/conf.d/default.conf.template 
@@ -32,6 +32,26 @@ map $http_x_forwarded_proto $fastcgi_https { https on; } +geo $internal_ip { + default 0; + 127.0.0.1 1; + 10.0.0.0/8 1; + 172.16.0.0/12 1; + 192.168.0.0/16 1; +} + +map $http_x_health_check $health_check { + "internal" 1; + default 0; +} + +map $internal_ip$health_check $allowed { + "00" 0; + "01" 1; + "10" 1; + "11" 1; +} + include /etc/nginx/snippets.d/http-*.conf; include /etc/nginx/snippets/http-*.conf; diff --git a/images/php-fpm/wordpress-web/context/rootfs/etc/nginx/snippets.d/server-status.conf.template b/images/php-fpm/wordpress-web/context/rootfs/etc/nginx/snippets.d/server-status.conf.template index a92b3421..e670f139 100644 --- a/images/php-fpm/wordpress-web/context/rootfs/etc/nginx/snippets.d/server-status.conf.template +++ b/images/php-fpm/wordpress-web/context/rootfs/etc/nginx/snippets.d/server-status.conf.template @@ -1,20 +1,18 @@ location = /healthz/nginx { - allow 127.0.0.1; - allow 10.0.0.0/8; - allow 172.16.0.0/12; - allow 192.168.0.0/16; - deny all; + if ($allowed = 0) { + return 403; + } + access_log off; add_header Content-Type text/plain; return 200 "ok"; } location ~ ^/healthz/php-fpm(-status)?$ { - allow 127.0.0.1; - allow 10.0.0.0/8; - allow 172.16.0.0/12; - allow 192.168.0.0/16; - deny all; + if ($allowed = 0) { + return 403; + } + access_log off; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_index index.php;