Add IP restriction for web servers (#10)

clwluvw · web-flow · commit 0d53e53399e5 · 2020-08-20T16:19:53.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,7 @@ ENHANCEMENTS:
 
 *   Improve configuration templating capabilities:
     *   Allow setting `access_log`/`access_log_location` to `off`.
+    *   Add IP restriction for web servers
 
 ## 0.1.0 (August 19, 2020)
 
diff --git a/defaults/main/template.yml b/defaults/main/template.yml
@@ -150,6 +150,10 @@ nginx_config_http_template:
               auth_basic: null
               auth_basic_user_file: null
               try_files: $uri $uri/index.html $uri.html =404
+              # allows:
+              #   - 192.168.1.0/24
+              # denies:
+              #   - all
               # auth_request: /auth
               # auth_request_set:
               #   name: $auth_user
diff --git a/molecule/common/playbooks/default_converge.yml b/molecule/common/playbooks/default_converge.yml
@@ -324,6 +324,10 @@
                       html_file_location: /usr/share/nginx/html
                       html_file_name: backend_index.html
                       autoindex: false
+                      allows:
+                        - 192.168.1.0/24
+                      denies:
+                        - all
                     php:
                       location: ~ \.php$
                       html_file_location: /usr/share/nginx/html
diff --git a/templates/http/default.conf.j2 b/templates/http/default.conf.j2
@@ -218,6 +218,16 @@ server {
 {% if item.value.servers[server].reverse_proxy.locations[location].auth_basic_user_file is defined and item.value.servers[server].reverse_proxy.locations[location].auth_basic_user_file %}
         auth_basic_user_file {{ item.value.servers[server].reverse_proxy.locations[location].auth_basic_user_file }};
 {% endif %}
+{% if item.value.servers[server].web_server.locations[location].allows is defined %}
+{% for allow in item.value.servers[server].web_server.locations[location].allows %}
+        allow {{ allow }};
+{% endfor %}
+{% endif %}
+{% if item.value.servers[server].web_server.locations[location].denies is defined %}
+{% for deny in item.value.servers[server].web_server.locations[location].denies %}
+        deny {{ deny }};
+{% endfor %}
+{% endif %}
 {% if item.value.servers[server].reverse_proxy.locations[location].returns is defined %}
 {% for code in item.value.servers[server].reverse_proxy.locations[location].returns %}
 {% if item.value.servers[server].reverse_proxy.locations[location].returns[code] is defined %}
