Restrict access to headscale OIDC and API

This commit is contained in:
Jake Howard 2024-01-31 21:40:43 +00:00
parent dfa8328e7b
commit 0c6528f9ca
Signed by: jake
GPG key ID: 57AFB45680EDD477


@ -1,5 +1,7 @@
# {{ ansible_managed }} # {{ ansible_managed }}
limit_req_zone $binary_remote_addr zone=headscale:10m rate=1r/m;
server { server {
listen 8888 ssl proxy_protocol; listen 8888 ssl proxy_protocol;
http2 on; http2 on;
@ -14,4 +16,17 @@ server {
location / { location / {
proxy_pass http://localhost:8416; proxy_pass http://localhost:8416;
} }
location /oidc {
# 3 should be enough for the redirect, callback plus 1 error
limit_req zone=headscale burst=3 nodelay;
limit_req_status 429;
proxy_pass http://localhost:8416;
}
# Block access to the API entirely - I'm not using it
location /api {
return 403;
}
} }
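Review bot: The new `limit_req_zone $binary_remote_addr` zone is only per-client if nginx actually sees the client address, and with `listen 8888 ssl proxy_protocol;` it sees the address of the proxying hop unless `set_real_ip_from` and `real_ip_header proxy_protocol;` are configured in this server block; lines 6-13 of the file fall outside the hunk, so I cannot tell whether they are. If they are absent, every client shares one 1r/m bucket for `/oidc`, which neither isolates an abuser nor prevents one client from locking everyone else out of login with a handful of requests. If they are missing, add `set_real_ip_from <address or CIDR of the upstream proxy>;` and `real_ip_header proxy_protocol;` above the `location` blocks, and a comment at the zone such as `# keyed on the PROXY-protocol client address, see real_ip_header below` so the dependency is visible. The `location /api { return 403; }` rule is a fine belt-and-braces measure, but it only holds if port 8416 is not reachable except through this proxy; that binding is not visible here, so a one-line comment stating that assumption would help the next reader.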