From 0c6528f9ca8266e7e15b3d6953b6a574b89b3131 Mon Sep 17 00:00:00 2001
From: Jake Howard
Date: Wed, 31 Jan 2024 21:40:43 +0000
Subject: [PATCH] Restrict access to headscale OIDC and API

---
 ansible/roles/headscale/files/nginx.conf | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/ansible/roles/headscale/files/nginx.conf b/ansible/roles/headscale/files/nginx.conf
index 9947c34..4b9ef7e 100644
--- a/ansible/roles/headscale/files/nginx.conf
+++ b/ansible/roles/headscale/files/nginx.conf
@@ -1,5 +1,7 @@
 # {{ ansible_managed }}
 
+limit_req_zone $binary_remote_addr zone=headscale:10m rate=1r/m;
+
 server {
     listen 8888 ssl proxy_protocol;
     http2 on;
@@ -14,4 +16,17 @@ server {
     location / {
         proxy_pass http://localhost:8416;
     }
+
+    location /oidc {
+        # 3 should be enough for the redirect, callback plus 1 error
+        limit_req zone=headscale burst=3 nodelay;
+        limit_req_status 429;
+
+        proxy_pass http://localhost:8416;
+    }
+
+    # Block access to the API entirely - I'm not using it
+    location /api {
+        return 403;
+    }
 }
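Review bot: The `limit_req_zone` key `$binary_remote_addr` on the first added line of the hunk is probably not the client address here: the server block right below listens with `proxy_protocol`, and under PROXY protocol nginx keeps `$remote_addr`/`$binary_remote_addr` as the address of the fronting proxy unless `set_real_ip_from` plus `real_ip_header proxy_protocol` is configured, which is not visible in this file. If that is the case, every client shares a single 1r/m bucket, so one request burst (deliberate or just two users logging in at once) locks everyone out of OIDC, while the per-client limit the second hunk's comment describes is never actually enforced. Key the zone on the PROXY-supplied address instead, `limit_req_zone $proxy_protocol_addr zone=headscale:10m rate=1r/m;`, or add the real_ip directives so `$binary_remote_addr` reflects the real client. Either way a comment would help the next reader, e.g. `# keyed on the PROXY-protocol client address; $remote_addr here is the fronting proxy, not the user`.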