From e923048e76ff1d3947275ffbd44af764c562f3b1 Mon Sep 17 00:00:00 2001 From: ltp Date: Thu, 22 Aug 2024 19:39:18 -0300 Subject: [PATCH 1/4] restrict access to metrics endpoint in subdomain https://jellyfin.org/docs/general/networking/monitoring/#prometheus-metrics --- jellyfin.subdomain.conf.sample | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/jellyfin.subdomain.conf.sample b/jellyfin.subdomain.conf.sample index 479ca30..da0c45b 100644 --- a/jellyfin.subdomain.conf.sample +++ b/jellyfin.subdomain.conf.sample @@ -37,4 +37,22 @@ server { proxy_pass $upstream_proto://$upstream_app:$upstream_port; } + + # Restrict access to /metrics + # https://jellyfin.org/docs/general/networking/monitoring/#prometheus-metrics + location /jellyfin/metrics { + allow 192.168.0.0/16; + allow 10.0.0.0/8; + allow 172.16.0.0/12 + allow 127.0.0.0/8; + + deny all; + + include /config/nginx/proxy.conf; + include /config/nginx/resolver.conf; + set $upstream_app jellyfin; + set $upstream_port 8096; + set $upstream_proto http; + proxy_pass $upstream_proto://$upstream_app:$upstream_port; + } } From 41d2b0c17a55425c3cfad044f01cef54f3b04450 Mon Sep 17 00:00:00 2001 From: ltp Date: Thu, 22 Aug 2024 20:03:06 -0300 Subject: [PATCH 2/4] update version --- jellyfin.subdomain.conf.sample | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/jellyfin.subdomain.conf.sample b/jellyfin.subdomain.conf.sample index da0c45b..95c7f81 100644 --- a/jellyfin.subdomain.conf.sample +++ b/jellyfin.subdomain.conf.sample @@ -1,4 +1,4 @@ -## Version 2024/07/16 +## Version 2024/08/22 # make sure that your jellyfin container is named jellyfin # make sure that your dns has a cname set for jellyfin # if jellyfin is running in bridge mode and the container is named "jellyfin", the below config should work as is From 5ab73be89b3b00f8a056311d160c059453f3c8fe Mon Sep 17 00:00:00 2001 From: ltp Date: Thu, 22 Aug 2024 20:06:49 -0300 Subject: [PATCH 3/4] fix missing semi colon --- jellyfin.subdomain.conf.sample | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/jellyfin.subdomain.conf.sample b/jellyfin.subdomain.conf.sample index 95c7f81..ffc92c4 100644 --- a/jellyfin.subdomain.conf.sample +++ b/jellyfin.subdomain.conf.sample @@ -43,7 +43,7 @@ server { location /jellyfin/metrics { allow 192.168.0.0/16; allow 10.0.0.0/8; - allow 172.16.0.0/12 + allow 172.16.0.0/12; allow 127.0.0.0/8; deny all; From 7efa252e1316f760a2e644d56ed76a5d5e44fcef Mon Sep 17 00:00:00 2001 From: ltp Date: Fri, 23 Aug 2024 09:44:11 -0300 Subject: [PATCH 4/4] fix metrics path --- jellyfin.subdomain.conf.sample | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/jellyfin.subdomain.conf.sample b/jellyfin.subdomain.conf.sample index ffc92c4..36d1e73 100644 --- a/jellyfin.subdomain.conf.sample +++ b/jellyfin.subdomain.conf.sample @@ -40,7 +40,7 @@ server { # Restrict access to /metrics # https://jellyfin.org/docs/general/networking/monitoring/#prometheus-metrics - location /jellyfin/metrics { + location /metrics { allow 192.168.0.0/16; allow 10.0.0.0/8; allow 172.16.0.0/12;