Merge pull request #16 from KoalaSat/patch-2

Block admin access in public onion
RoboSats · Aug 2, 2024 · 5239425 · 5239425
2 parents 5c2165f + 8d5e245
commit 5239425
Show file tree

Hide file tree

Showing 5 changed files with 37 additions and 3 deletions.
diff --git a/compose/backup/Dockerfile b/compose/backup/Dockerfile
@@ -3,8 +3,8 @@ FROM debian:bullseye-slim
 RUN apt update
 RUN apt-get install rsync -y
 
-WORKDIR /usr/src/backup.sh
+COPY backup.sh /usr/src
 
-COPY backup.sh /usr/src/backup.sh
+WORKDIR /usr/src
 
 CMD ["bash","backup.sh"]
diff --git a/compose/docker-compose.yml b/compose/docker-compose.yml
@@ -152,8 +152,9 @@ services:
   #     NETWORK: ${NETWORK}
   #   volumes:
   #     - ${DATABASE}:/running/database:ro
-  #     - ${BITCOIN_DATA}:/running/bitcoin:ro
+  #     - ${BITCOIN_CONF:?}:/running/bitcoin/bitcoin.conf:ro
   #     - ${LND_DATA}:/running/lnd:ro
+  #     - ${LND_CONF}:/running/lnd/lnd.conf:ro
   #     - ${LIT_DATA}:/running/lit:ro
   #     - ${STATIC}:/running/static:ro
   #     - ${BU_DIR1}:/backup1

diff --git a/compose/env-sample/lndtn/torrc b/compose/env-sample/lndtn/torrc
@@ -17,6 +17,10 @@ HiddenServiceVersion 3
 HiddenServicePort 80 127.0.0.1:80
 
 # Robosats Admin Testnet Onion Service
+HiddenServiceDir /var/lib/tor/robotest-admin/
+HiddenServiceVersion 3
+HiddenServicePort 80 127.0.0.1:80
+
 HiddenServiceDir /var/lib/tor/robotest-thunderhub/
 HiddenServiceVersion 3
 HiddenServicePort 80 127.0.0.1:3000

diff --git a/compose/nginx/mn.conf.d/local.conf b/compose/nginx/mn.conf.d/local.conf
@@ -41,6 +41,20 @@ server {
         limit_req zone=tenpersec burst=10;
     }
 
+    location /coordinator {
+        # Blocks admin access from the public onion address
+        if ($host ~* "robosats6tkf3eva7x2voqso3a5wcorsnw34jveyxfqi2fu7oyheasid.onion") {
+            return 403;  # Forbidden
+        }
+
+        proxy_pass http://robosats_gunicorn_rest;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header Host $host;
+        proxy_redirect off;
+        # Replace with the onion hidden service of your coordinator
+        add_header Onion-Location https://robosats6tkf3eva7x2voqso3a5wcorsnw34jveyxfqi2fu7oyheasid.onion$request_uri;
+
+    }
 
     location /ws/ {
 	# websockets are passed to Daphne

diff --git a/compose/nginx/tn.conf.d/local.conf b/compose/nginx/tn.conf.d/local.conf
@@ -40,6 +40,21 @@ server {
         limit_req zone=fivepersec burst=10;
     }
 
+    location /coordinator {
+        # Blocks admin access from the public onion address
+        if ($host ~* "robotestagw3dcxmd66r4rgksb4nmmr43fh77bzn2ia2eucduyeafnyd.onion") {
+            return 403;  # Forbidden
+        }
+
+	proxy_pass http://robosats_gunicorn_rest;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header Host $host;
+        proxy_redirect off;
+        # Replace with the onion hidden service of your coordinator
+        add_header Onion-Location https://robotestagw3dcxmd66r4rgksb4nmmr43fh77bzn2ia2eucduyeafnyd.onion$request_uri;
+
+    }
+
     location /ws/ {
 	    # websockets are passed to Daphne
         proxy_pass http://robosats_daphne_websocket;