C1: bump shower to v1.0.1; collapse WAN admin to tailnet-only
PR review caught that we didn't need an admin login surface on WAN.
App v1.0.1 adds DJANGO_PUBLIC_URL_BASE so QR codes generated from
/host/ (now tailnet-only) still point at shower.eblu.me for guest
phones — that closes the loop and lets us strip the WAN admin surface
entirely.
Container:
- bump version to 1.0.1
- outputHash → fakeHash (build will print the real one)
- entrypoint still does migrate + collectstatic before gunicorn —
the app is small enough that auto-migration is fine
Manifests:
- configmap adds DJANGO_PUBLIC_URL_BASE=https://shower.eblu.me
Fly nginx (shower.eblu.me):
- drop the /admin/(login|logout) carveout
- 403 anything under /admin/ AND /host/ with a "tailnet only" pointer
- drop the shower_auth limit_req zone and \$shower_banned geo
- drop the shower-admin-login fail2ban filter + jail
- drop the shower-deny.conf touch from start.sh
Docs:
- rename how-to docs/how-to/operations/shower-app.md →
shower-on-ringtail.md (mirrors cv-on-indri / docs-on-indri)
- new reference card docs/reference/services/shower-app.md per PR
review comment 2 (≈30s read; quick facts + cross-links)
- rewrite Defense layers section: collapses to general rate limit +
django-axes on the tailnet-side login (the only credential surface)
- rewrite the .infra.md changelog fragment to match
- add a 'Create the admin user' step (kubectl exec createsuperuser)
so first-time deploys aren't locked out
The nginx-deny action's per-jail \`nginx_deny_file\` generalization
stays — harmless future-proofing for the next public service.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
3fa608cb08
commit
702592bcc9
11 changed files with 132 additions and 100 deletions
|
|
@ -20,9 +20,7 @@ COPY --from=docker.io/grafana/alloy@sha256:6e00cf7c5a692ff5f24844529416ed017d76f
|
|||
RUN mkdir -p /var/log/nginx /etc/alloy /tmp/alloy-data
|
||||
|
||||
COPY fail2ban/filter.d/forge-login.conf /etc/fail2ban/filter.d/forge-login.conf
|
||||
COPY fail2ban/filter.d/shower-admin-login.conf /etc/fail2ban/filter.d/shower-admin-login.conf
|
||||
COPY fail2ban/jail.d/forge.conf /etc/fail2ban/jail.d/forge.conf
|
||||
COPY fail2ban/jail.d/shower.conf /etc/fail2ban/jail.d/shower.conf
|
||||
COPY fail2ban/action.d/nginx-deny.conf /etc/fail2ban/action.d/nginx-deny.conf
|
||||
|
||||
COPY nginx.conf /etc/nginx/nginx.conf
|
||||
|
|
|
|||
|
|
@ -1,13 +0,0 @@
|
|||
# Filter for shower-app /admin/login/ failures via nginx JSON access log.
|
||||
# Matches 401/403/429 responses on the login endpoint, keyed on the
|
||||
# client_ip field (populated from Fly-Client-IP header).
|
||||
#
|
||||
# The 429 case catches attackers who keep hammering after django-axes has
|
||||
# already locked them out — those requests return 429 from
|
||||
# axes.middleware.AxesMiddleware before reaching the view.
|
||||
|
||||
[Definition]
|
||||
|
||||
failregex = "client_ip":"<HOST>".*"request_uri":"\/admin\/login[^"]*".*"status":(401|403|429)
|
||||
|
||||
ignoreregex =
|
||||
|
|
@ -1,8 +0,0 @@
|
|||
[shower-admin-login]
|
||||
enabled = true
|
||||
filter = shower-admin-login
|
||||
logpath = /var/log/nginx/access.json.log
|
||||
maxretry = 5
|
||||
findtime = 600
|
||||
bantime = 3600
|
||||
banaction = nginx-deny[nginx_deny_file=/etc/nginx/shower-deny.conf]
|
||||
|
|
@ -34,11 +34,6 @@ http {
|
|||
# bucket. $http_fly_client_ip has the actual client IP.
|
||||
limit_req_zone $http_fly_client_ip zone=forge_auth:10m rate=3r/s;
|
||||
|
||||
# Shower-app rate limit on /admin/login/ (the only admin path the public
|
||||
# proxy exposes). 3r/s with django-axes (5 strikes, 1h lockout) gives
|
||||
# plenty of room for a real staff login while making brute-force costly.
|
||||
limit_req_zone $http_fly_client_ip zone=shower_auth:10m rate=3r/s;
|
||||
|
||||
# fail2ban deny list — banned IPs are written here by fail2ban and
|
||||
# checked via the $forge_banned variable. The file is touched at
|
||||
# container start to ensure it exists.
|
||||
|
|
@ -47,13 +42,6 @@ http {
|
|||
include /etc/nginx/forge-deny.conf;
|
||||
}
|
||||
|
||||
# Per-service deny list for the shower app — populated by fail2ban
|
||||
# when /admin/login/ attempts trip the threshold. Same scheme as forge.
|
||||
geo $http_fly_client_ip $shower_banned {
|
||||
default 0;
|
||||
include /etc/nginx/shower-deny.conf;
|
||||
}
|
||||
|
||||
# Proxy cache: 200MB, evict after 24h of no access
|
||||
proxy_cache_path /tmp/cache levels=1:2 keys_zone=services:10m
|
||||
max_size=200m inactive=24h;
|
||||
|
|
@ -300,27 +288,25 @@ http {
|
|||
}
|
||||
}
|
||||
|
||||
# --- shower.eblu.me (dynamic Django: guest splash + raffle/prize console) ---
|
||||
# Public-facing Adelaide baby shower app. Defense layers:
|
||||
# * geo+fail2ban deny list ($shower_banned)
|
||||
# * nginx limit_req on /admin/login/ via the shower_auth zone
|
||||
# * django-axes inside Django (5 fails / 1h lockout per user+IP)
|
||||
# * /admin/ paths blocked at the proxy except /admin/login/ and /admin/logout/
|
||||
# so staff can sign in publicly but the CRUD admin is tailnet-only
|
||||
# --- shower.eblu.me (Adelaide baby shower — guest-only public surface) ---
|
||||
# Only the guest paths (`/`, `/prizes/<token>/`, /static/, /media/) are
|
||||
# exposed on WAN. /host/, /admin/, and Django's login views are blocked
|
||||
# at the edge with a 403 pointing at the tailnet hostname — staff sign
|
||||
# in on shower.ops.eblu.me, which is reachable from any device with
|
||||
# Tailscale installed. Defense layers reduce to: general per-IP rate
|
||||
# limit + django-axes (5 fails / 1h) on the tailnet-side login. No
|
||||
# fail2ban needed here because the public surface no longer takes
|
||||
# credentials of any kind.
|
||||
server {
|
||||
listen 8080;
|
||||
server_name shower.eblu.me;
|
||||
|
||||
# Block fail2ban-banned IPs
|
||||
if ($shower_banned) {
|
||||
return 403 "Temporarily blocked. Try again later.\n";
|
||||
}
|
||||
|
||||
# General per-IP rate limit (cushion for the splash page + form posts)
|
||||
limit_req zone=general burst=20 nodelay;
|
||||
|
||||
# Image uploads from /host/'s prize cropper are ~150-300 KiB JPEGs;
|
||||
# 5 MiB matches the Django-side cap.
|
||||
# Image uploads from /host/'s prize cropper are ~150-300 KiB JPEGs.
|
||||
# The host page itself isn't reachable here, but /media/ reads can
|
||||
# be larger than 1 MiB so set the cap to 5 MiB to match Django.
|
||||
client_max_body_size 5m;
|
||||
|
||||
# Security headers — HSTS matches Django's SECURE_HSTS_SECONDS.
|
||||
|
|
@ -328,6 +314,8 @@ http {
|
|||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
add_header Referrer-Policy "same-origin" always;
|
||||
# GNU Terry Pratchett — keep the name moving.
|
||||
add_header X-Clacks-Overhead "GNU Terry Pratchett" always;
|
||||
|
||||
error_page 502 503 504 /error.html;
|
||||
location = /error.html {
|
||||
|
|
@ -335,38 +323,24 @@ http {
|
|||
internal;
|
||||
}
|
||||
|
||||
# GNU Terry Pratchett — keep the name moving.
|
||||
add_header X-Clacks-Overhead "GNU Terry Pratchett" always;
|
||||
|
||||
# Reject indexers — there's nothing here we want crawled.
|
||||
location = /robots.txt {
|
||||
default_type text/plain;
|
||||
return 200 "User-agent: *\nDisallow: /\n";
|
||||
}
|
||||
|
||||
# Public admin surface: only the login/logout endpoints, rate-limited.
|
||||
location ~ ^/admin/(login|logout)/? {
|
||||
limit_req zone=shower_auth burst=5 nodelay;
|
||||
|
||||
proxy_pass https://indri_backend$request_uri;
|
||||
proxy_ssl_verify off;
|
||||
proxy_ssl_server_name on;
|
||||
proxy_ssl_name shower.ops.eblu.me;
|
||||
proxy_intercept_errors on;
|
||||
|
||||
proxy_set_header Host shower.ops.eblu.me;
|
||||
proxy_set_header X-Real-IP $http_fly_client_ip;
|
||||
proxy_set_header X-Forwarded-For $http_fly_client_ip;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
# Admin surface: tailnet-only. Anything under /admin/ — login,
|
||||
# logout, CRUD UI, password reset — returns 403 with a pointer to
|
||||
# the tailnet host. Django's `staff_member_required` will redirect
|
||||
# /host/ to /admin/login/, which lands on this 403 if a guest
|
||||
# device wanders into it. Staff hit the tailnet host directly.
|
||||
location /admin/ {
|
||||
return 403 "Authentication is tailnet-only — visit shower.ops.eblu.me.\n";
|
||||
}
|
||||
|
||||
# Block the rest of /admin/ at the public edge. The admin CRUD UI
|
||||
# is only reachable via shower.ops.eblu.me on the tailnet.
|
||||
location /admin/ {
|
||||
return 403 "The Django admin is tailnet-only — visit shower.ops.eblu.me.\n";
|
||||
# Operator console: tailnet-only. Same rationale as /admin/.
|
||||
location /host/ {
|
||||
return 403 "The host console is tailnet-only — visit shower.ops.eblu.me.\n";
|
||||
}
|
||||
|
||||
location / {
|
||||
|
|
|
|||
|
|
@ -19,10 +19,9 @@ until nslookup forge.tail8d86e.ts.net 100.100.100.100 > /dev/null 2>&1; do
|
|||
done
|
||||
echo "MagicDNS ready"
|
||||
|
||||
# Ensure fail2ban per-service deny files exist before nginx starts
|
||||
# Ensure fail2ban deny file exists before nginx starts
|
||||
# (the geo directive's `include` fails if the file is missing).
|
||||
touch /etc/nginx/forge-deny.conf
|
||||
touch /etc/nginx/shower-deny.conf
|
||||
|
||||
# Start nginx — MagicDNS is available, upstreams resolved.
|
||||
nginx -g "daemon off;" &
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue