configure Nginx proxy for use with ssl-proxy

Otherwise we can't block access to certain sensitive paths like `/metrics`. https://github.com/status-im/infra-hq/issues/73 Signed-off-by: Jakub Sokołowski <jakub@status.im>
2025-02-19 16:04:21 +00:00 · 2022-03-30 15:53:25 +02:00 · 2022-03-30 15:53:25 +02:00 · a57950a038
commit a57950a038
parent 453b263999
6 changed files with 44 additions and 9 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -7,11 +7,12 @@ grafana_version: '8.4.3'
 grafana_image: 'grafana/grafana:{{ grafana_version }}'
 grafana_cont_name: '{{ grafana_service_name }}'
 grafana_cont_vol: '{{ grafana_service_path }}/data'
-grafana_port: 9400
 # see: http://docs.grafana.org/installation/docker/#migration-from-a-previous-version-of-the-docker-container-to-5-1-or-later
 grafana_cont_uid: 472
 # Permission adjust for dockremap.
 grafana_host_uid: '{{ 100000 + grafana_cont_uid | int }}'
+grafana_cont_port: 9400
+grafana_proxy_port: 8780

 # Public domain
 grafana_domain: ~
--- a/tasks/consul.yml
+++ b/tasks/consul.yml
@ -4,11 +4,26 @@
  vars:
    consul_config_name: '{{ grafana_service_name }}'
    consul_services:
-      - name: '{{ grafana_service_name }}'
-        tags: ['monitor', 'grafana']
-        port: '{{ grafana_port }}'
+      - id:   '{{ grafana_service_name }}:{{ grafana_domain }}'
+        name: '{{ grafana_service_name }}'
+        tags: ['grafana', 'monitor']
+        port: '{{ grafana_cont_port }}'
+        address: '{{ ansible_local.wireguard.vpn_ip }}'
        checks:
          - id: '{{ grafana_service_name }}-health'
-            name: 'Grafana current health'
+            name: 'Grafana Health'
            type: 'http'
-            http: 'http://localhost:{{ grafana_port }}/api/health'
+            http: 'http://localhost:{{ grafana_cont_port }}/api/health'
+
+      - id:   '{{ grafana_service_name }}-proxy:{{ grafana_domain }}'
+        name: '{{ grafana_service_name }}-proxy'
+        tags: ['grafana', 'monitor', 'ssl-proxy-backend']
+        port: '{{ grafana_proxy_port }}'
+        address: '{{ ansible_local.wireguard.vpn_ip }}'
+        meta:
+          proxy_fqdn: '{{ grafana_domain | mandatory }}'
+        checks:
+          - id: '{{ grafana_service_name }}-proxy-health'
+            name: 'Grafana Proxy Health'
+            type: 'http'
+            http: 'http://localhost:{{ grafana_proxy_port }}/health'
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -1,4 +1,5 @@
 ---
 - import_tasks: config.yml
 - import_tasks: docker.yml
+- import_tasks: proxy.yml
 - import_tasks: consul.yml
--- a/tasks/proxy.yml
+++ b/tasks/proxy.yml
@ -0,0 +1,18 @@
+---
+# Necessary to hide a few sensitive paths
+- name: Configure Nginx proxy
+  include_role: name=nginx
+  vars:
+    nginx_sites:
+      grafana_ssl_backend:
+        - listen {{ grafana_proxy_port }}
+
+        - location /health { return 200; }
+        - location /avatar { return 401; }
+        - location /metrics { return 401; }
+        - location /api/health { return 401; }
+
+        - location / {
+            proxy_set_header Host $http_host;
+            proxy_pass http://127.0.0.1:{{ grafana_cont_port }}/;
+          }
--- a/templates/docker-compose.yml.j2
+++ b/templates/docker-compose.yml.j2
@ -6,12 +6,12 @@ services:
    image: '{{ grafana_image }}'
    restart: always
    ports:
-      - '127.0.0.1:{{ grafana_port }}:{{ grafana_port }}'
+      - '127.0.0.1:{{ grafana_cont_port }}:{{ grafana_cont_port }}'
    volumes:
      - '{{ grafana_cont_vol }}/lib:/var/lib/grafana'
      - '{{ grafana_cont_vol }}/etc:/etc/grafana'
    healthcheck:
-      test: ["CMD", "wget", "-qO-", "http://localhost:{{ grafana_port }}/api/health"]
+      test: ["CMD", "wget", "-qO-", "http://localhost:{{ grafana_cont_port }}/api/health"]
      interval: 30s
      timeout: 10s
      retries: 3
--- a/templates/grafana.ini.j2
+++ b/templates/grafana.ini.j2
@ -1,5 +1,5 @@
 [server]
-http_port = {{ grafana_port }}
+http_port = {{ grafana_cont_port }}
 domain = {{ grafana_domain | mandatory }}/
 root_url = https://{{ grafana_domain | mandatory }}/