PHRAS-4117 remove gateway /status and /ping page direct access (#4571)

moctardiouf · web-flow · commit 026d61e52fc3 · 2025-01-09T14:57:49.000+01:00
* PHRAS-4117 remove gateway /status and /ping page direct access

* PHRAS-4117 fix typo

* PHRAS-4117 add ip management
diff --git a/.env b/.env
@@ -313,6 +313,10 @@ GATEWAY_DENIED_IPS=
 # @run
 GATEWAY_USERS=
 
+# Status and ping access Allowed IPs: Comma-separated list of IP addresses that are allowed to access the /status or /ping pages.
+# Uncomment and specify IPs to enable. Example: GATEWAY_STATUS_ALLOWED_IPS=10.0.0.1,10.0.1.1
+# @run
+GATEWAY_STATUS_ALLOWED_IPS=
 
 # HTTP requests quota management.
 # Manage http incoming request limits by verbs using the "ngx_http_limit_req_module" module.
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -35,6 +35,7 @@ services:
     - GATEWAY_ALLOWED_IPS                      
     - GATEWAY_DENIED_IPS 
     - GATEWAY_USERS
+    - GATEWAY_STATUS_ALLOWED_IPS
     - GATEWAY_CSP
     - HTTP_REQUEST_LIMITS
     - HTTP_READ_REQUEST_LIMIT_MEMORY
diff --git a/docker/nginx/root/entrypoint.sh b/docker/nginx/root/entrypoint.sh
@@ -65,6 +65,7 @@ fi
 #GATEWAY_DENIED_IPS="172.1.0.1,172.1.0.2"
 #GATEWAY_USERS="user1(password1),user2(password2)
 touch /etc/nginx/restrictions
+touch /etc/nginx/status_allowed_ip
 touch /etc/nginx/.htpasswd
 
 if [[ ! -z $GATEWAY_ALLOWED_IPS ]] || [[ ! -z $GATEWAY_DENIED_IPS ]] || [[ ! -z $GATEWAY_USERS ]]; then
@@ -89,7 +90,16 @@ if [[ ! -z $GATEWAY_ALLOWED_IPS ]] || [[ ! -z $GATEWAY_DENIED_IPS ]] || [[ ! -z
             echo "deny all;" >> /etc/nginx/restrictions
     fi
 fi
+
+if [[ ! -z $GATEWAY_STATUS_ALLOWED_IPS ]]; then
+    for status_ip_allowed in $(echo $GATEWAY_STATUS_ALLOWED_IPS | sed "s/,/ /g")
+        do
+            echo "allow $status_ip_allowed;" >> /etc/nginx/status_allowed_ip
+        done
+fi
+
 unset GATEWAY_USERS
 unset GATEWAY_DENIED_IPS
 unset GATEWAY_ALLOWED_IPS
+unset GATEWAY_STATUS_ALLOWED_IPS
 exec "$@"
diff --git a/docker/nginx/root/nginx.conf.sample b/docker/nginx/root/nginx.conf.sample
@@ -62,6 +62,8 @@ server {
         include fastcgi_params;
         include fastcgi_extended_params;
         fastcgi_pass backend;
+        include status_allowed_ip;
+        deny  all;
     }
 
     location  /simplesaml/ {

Original file line number	Diff line number	Diff line change
`@@ -62,6 +62,8 @@ server {`
`62`	`62`	`include fastcgi_params;`
`63`	`63`	`include fastcgi_extended_params;`
`64`	`64`	`fastcgi_pass backend;`
	`65`	`+ include status_allowed_ip;`
	`66`	`+ deny all;`
`65`	`67`	`}`
`66`	`68`
`67`	`69`	`location /simplesaml/ {`