machankura/mempool
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ops: Implement ACL for internal APIs

Browse Source
This commit is contained in:
wiz 2024-02-27 11:45:35 +09:00
parent 43fde86e9d
commit e918e1fdab
No known key found for this signature in database
GPG Key ID: A394E332255A6173
3 changed files with 16 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
production/nginx/http-acl.conf Normal file
View File

@ -0,0 +1,6 @@
# used for "internal" API restriction
geo $remote_addr $mempool_external {
127.0.0.1 '';
::1 '';
default 1;
}

7
production/nginx/location-api.conf
View File

@ -4,10 +4,17 @@
# Block the internal APIs of esplora # Block the internal APIs of esplora
location /api/internal/ { location /api/internal/ {
if ($mempool_external) {
return 403; return 403;
}
rewrite ^/api/(.*) /$1 break;
try_files /dev/null @esplora-api-cache-disabled;
} }
location /api/v1/internal/ { location /api/v1/internal/ {
if ($mempool_external) {
return 403; return 403;
}
try_files /dev/null @mempool-api-v1-cache-normal;
} }
# websocket has special HTTP headers # websocket has special HTTP headers

1
production/nginx/nginx.conf
View File

@ -19,6 +19,7 @@ http {
# HTTP basic configuration # HTTP basic configuration
include mempool/production/nginx/http-basic.conf; include mempool/production/nginx/http-basic.conf;
include mempool/production/nginx/http-acl.conf;
include mempool/production/nginx/http-proxy-cache.conf; include mempool/production/nginx/http-proxy-cache.conf;
include mempool/production/nginx/http-language.conf; include mempool/production/nginx/http-language.conf;