author | Christian Pointner <equinox@spreadspace.org> | 2023-11-16 00:57:32 +0100 |
---|---|---|
committer | Christian Pointner <equinox@spreadspace.org> | 2023-11-16 00:57:32 +0100 |
commit | 4948782947d68eb09c7c1b6a07991978035e7ff1 (patch) | |
tree | 69589171e2df27da46cb324ab8e4415b243c0bd2 /inventory | |
parent | ch-mon: monitoring services and landingpage now use new sso (diff) |
ch-mon: add firewall to protect grafana with auth.proxy from localhost attackers
Diffstat (limited to 'inventory')
-rw-r--r-- | inventory/host_vars/ch-mon.yml | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/inventory/host_vars/ch-mon.yml b/inventory/host_vars/ch-mon.yml index cb5bcfed..2e8ca38a 100644 --- a/inventory/host_vars/ch-mon.yml +++ b/inventory/host_vars/ch-mon.yml @@ -57,6 +57,15 @@ spreadspace_apt_repo_components: - prometheus +nftables_base_rules: + protect-grafana-auth-proxy: | + table inet filter { + chain protect-grafana-auth-proxy { + type filter hook output priority filter; policy accept; + meta skuid != { root, www-data } tcp dport 3000 counter reject + } + } + whawty_nginx_sso_backends: chaos-at-home: port: 1234 |
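Review bot: the reject rule in the `protect-grafana-auth-proxy` chain matches on `tcp dport 3000` alone, with no destination address or output interface, so on this output hook it also rejects connections from every user other than root and www-data to port 3000 on any remote host, not only to the local Grafana listener. If the intent is only to keep local users away from the auth.proxy backend, consider narrowing the match to locally destined traffic, for example `oifname "lo" meta skuid != { root, www-data } tcp dport 3000 counter reject`. A short comment in the host_vars entry saying why root and www-data are the exempt UIDs, and that 3000 is the Grafana port, would also help, since both are hard-coded here and the rule silently stops protecting anything if the listener port or the proxy's user changes.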