From e923048e76ff1d3947275ffbd44af764c562f3b1 Mon Sep 17 00:00:00 2001
From: ltp <leo@ltp.pt>
Date: Thu, 22 Aug 2024 19:39:18 -0300
Subject: [PATCH] restrict access to metrics endpoint in subdomain

https://jellyfin.org/docs/general/networking/monitoring/#prometheus-metrics
---
 jellyfin.subdomain.conf.sample | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/jellyfin.subdomain.conf.sample b/jellyfin.subdomain.conf.sample
index 479ca30..da0c45b 100644
--- a/jellyfin.subdomain.conf.sample
+++ b/jellyfin.subdomain.conf.sample
@@ -37,4 +37,22 @@ server {
         proxy_pass $upstream_proto://$upstream_app:$upstream_port;
 
     }
+
+    # Restrict access to /metrics
+    # https://jellyfin.org/docs/general/networking/monitoring/#prometheus-metrics
+    location /jellyfin/metrics {
+        allow 192.168.0.0/16;
+        allow 10.0.0.0/8;
+        allow 172.16.0.0/12
+        allow 127.0.0.0/8;
+
+        deny all;
+
+        include /config/nginx/proxy.conf;
+        include /config/nginx/resolver.conf;
+        set $upstream_app jellyfin;
+        set $upstream_port 8096;
+        set $upstream_proto http;
+        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+    }
 }