From c5ae1903f6a5fffed8181a826224e9fece689bfb Mon Sep 17 00:00:00 2001
From: Eric Nemchik <eric@nemchik.com>
Date: Sun, 12 Feb 2023 13:39:51 -0600
Subject: [PATCH] block metrics access by default

---
 authelia.subdomain.conf.sample   | 4 ++++
 authentik.subdomain.conf.sample  | 4 ++++
 grafana.subdomain.conf.sample    | 4 ++++
 grafana.subfolder.conf.sample    | 4 ++++
 prometheus.subdomain.conf.sample | 4 ++++
 5 files changed, 20 insertions(+)

diff --git a/authelia.subdomain.conf.sample b/authelia.subdomain.conf.sample
index 1a5a0dd..fd06a73 100644
--- a/authelia.subdomain.conf.sample
+++ b/authelia.subdomain.conf.sample
@@ -42,6 +42,10 @@ server {
         #auth_basic "Restricted";
         #auth_basic_user_file /config/nginx/.htpasswd;
 
+        # block metrics access by default because it is unprotected
+        # you can comment out the next line to enable remote metrics
+        deny all;
+
         include /config/nginx/proxy.conf;
         include /config/nginx/resolver.conf;
         set $upstream_app authelia;
diff --git a/authentik.subdomain.conf.sample b/authentik.subdomain.conf.sample
index fb6a016..7b22778 100644
--- a/authentik.subdomain.conf.sample
+++ b/authentik.subdomain.conf.sample
@@ -38,6 +38,10 @@ server {
         #auth_basic "Restricted";
         #auth_basic_user_file /config/nginx/.htpasswd;
 
+        # block metrics access by default because it is unprotected
+        # you can comment out the next line to enable remote metrics
+        deny all;
+
         include /config/nginx/proxy.conf;
         include /config/nginx/resolver.conf;
         set $upstream_app authentik-server;
diff --git a/grafana.subdomain.conf.sample b/grafana.subdomain.conf.sample
index b819617..7e1a95e 100644
--- a/grafana.subdomain.conf.sample
+++ b/grafana.subdomain.conf.sample
@@ -62,6 +62,10 @@ server {
         #auth_basic "Restricted";
         #auth_basic_user_file /config/nginx/.htpasswd;
 
+        # block metrics access by default because it is unprotected
+        # you can comment out the next line to enable remote metrics
+        deny all;
+
         include /config/nginx/proxy.conf;
         include /config/nginx/resolver.conf;
         set $upstream_app grafana;
diff --git a/grafana.subfolder.conf.sample b/grafana.subfolder.conf.sample
index 4d658e0..b6f9a36 100644
--- a/grafana.subfolder.conf.sample
+++ b/grafana.subfolder.conf.sample
@@ -54,6 +54,10 @@ location ^~ /grafana/metrics {
     #auth_basic "Restricted";
     #auth_basic_user_file /config/nginx/.htpasswd;
 
+    # block metrics access by default because it is unprotected
+    # you can comment out the next line to enable remote metrics
+    deny all;
+
     include /config/nginx/proxy.conf;
     include /config/nginx/resolver.conf;
     set $upstream_grafana grafana;
diff --git a/prometheus.subdomain.conf.sample b/prometheus.subdomain.conf.sample
index a0ef8dd..b937208 100644
--- a/prometheus.subdomain.conf.sample
+++ b/prometheus.subdomain.conf.sample
@@ -73,6 +73,10 @@ server {
         #auth_basic "Restricted";
         #auth_basic_user_file /config/nginx/.htpasswd;
 
+        # block metrics access by default because it is unprotected
+        # you can comment out the next line to enable remote metrics
+        deny all;
+
         include /config/nginx/proxy.conf;
         include /config/nginx/resolver.conf;
         set $upstream_app prometheus;