Filter CNs of client certificates for Prometheus

python-discord · Jun 2, 2024 · 92b88c0 · 92b88c0
1 parent bc4ac7a
commit 92b88c0
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/ansible/host_vars/lovelace/nginx.yml b/ansible/host_vars/lovelace/nginx.yml
@@ -13,6 +13,14 @@ nginx_configs:
       ssl_verify_client       on;
 
       location / {
+        if ($reject) { return 403; }
+
         proxy_pass http://localhost:9090;
       }
     }
+
+    map $ssl_client_s_dn $reject {
+      default 1;
+      CN=sudo.access.tls.pydis.wtf 0;
+      CN=prometheus.access.tls.pydis.wtf 0;
+    }