block access to the go /debug/pprof/ endpoint

2022-08-19 07:26:01 +02:00 · 2022-08-19 07:26:01 +02:00 · aa5c7ff8b4
parent 0113b9a565
commit aa5c7ff8b4
4 changed files with 15 additions and 3 deletions
--- a/bundles/gitea/metadata.py
+++ b/bundles/gitea/metadata.py
@ -82,6 +82,9 @@ def nginx(metadata):
                        '/': {
                            'target': 'http://127.0.0.1:22000',
                        },
+                        '/debug': {
+                            'return': 403,
+                        },
                    },
                    'website_check_path': '/user/login',
                    'website_check_string': 'Sign In',
--- a/bundles/matrix-synapse/metadata.py
+++ b/bundles/matrix-synapse/metadata.py
@ -89,7 +89,7 @@ def nginx(metadata):

    wellknown = {
        '/.well-known/matrix/client': {
-            'return': dumps({
+            'content': dumps({
                'm.homeserver': {
                    'base_url': 'https://{}'.format(metadata.get('matrix-synapse/baseurl')),
                },
@ -98,15 +98,17 @@ def nginx(metadata):
                },
                **metadata.get('matrix-synapse/additional_client_config', {}),
            }, sort_keys=True),
+            'return': 200,
            'additional_config': {
                'default_type application/json',
                'add_header Access-Control-Allow-Origin *',
            },
        },
        '/.well-known/matrix/server': {
-            'return': dumps({
+            'content': dumps({
                'm.server':  '{}:443'.format(metadata.get('matrix-synapse/baseurl')),
            }, sort_keys=True),
+            'return': 200,
            'additional_config': {
                'default_type application/json',
                'add_header Access-Control-Allow-Origin *',
--- a/bundles/nginx/files/site_template
+++ b/bundles/nginx/files/site_template
@ -122,7 +122,11 @@ server {
 %   elif 'redirect' in options:
        return ${options.get('mode', 308)} ${options['redirect']};
 %   elif 'return' in options:
-        return ${options.get('mode', 200)} '${options['return']}';
+%    if options.get('content'):
+        return ${options['return']} '${options['content']}';
+%    else:
+        return ${options['return']};
+%    endif
 %   elif 'root' in options:
        root ${options['root']};
 %   elif 'alias' in options:
--- a/nodes/htz-cloud/influxdb.py
+++ b/nodes/htz-cloud/influxdb.py
@ -47,6 +47,9 @@ nodes['htz-cloud.influxdb'] = {
                            'target': 'http://localhost:8086',
                            'websockets': True,
                        },
+                        '/debug': {
+                            'return': 403,
+                        },
                    },
                },
            },