Restrict access to headscale OIDC and API

2024-01-31 21:40:43 +00:00 · 2024-01-31 21:40:43 +00:00 · 0c6528f9ca
commit 0c6528f9ca
parent dfa8328e7b
1 changed files with 15 additions and 0 deletions
--- a/ansible/roles/headscale/files/nginx.conf
+++ b/ansible/roles/headscale/files/nginx.conf
@ -1,5 +1,7 @@
 # {{ ansible_managed }}

+limit_req_zone $binary_remote_addr zone=headscale:10m rate=1r/m;
+
 server {
    listen 8888 ssl proxy_protocol;
    http2 on;
@ -14,4 +16,17 @@ server {
    location / {
        proxy_pass http://localhost:8416;
    }
+
+    location /oidc {
+        # 3 should be enough for the redirect, callback plus 1 error
+        limit_req zone=headscale burst=3 nodelay;
+        limit_req_status 429;
+
+        proxy_pass http://localhost:8416;
+    }
+
+    # Block access to the API entirely - I'm not using it
+    location /api {
+        return 403;
+    }
 }