From 6c182e8409e5fca5e1807161cbf11d266984c51e Mon Sep 17 00:00:00 2001
From: Tobias Manske
Date: Sun, 9 Apr 2023 22:10:16 +0200
Subject: [PATCH] Block external access to /metrics endpoint by regex replace
---
 .../roles/compose_project/templates/traefik/dynamic.yaml | 4 ++++
 .../roles/compose_project/templates/traefik/traefik.yaml | 2 ++
 2 files changed, 6 insertions(+)
diff --git a/coreos-config/roles/compose_project/templates/traefik/dynamic.yaml b/coreos-config/roles/compose_project/templates/traefik/dynamic.yaml
index 00cf8d4..38f4a87 100644
--- a/coreos-config/roles/compose_project/templates/traefik/dynamic.yaml
+++ b/coreos-config/roles/compose_project/templates/traefik/dynamic.yaml
@@ -26,3 +26,7 @@ http:
 middlewares:
 - oauth-errors
 - oauth-auth
+ deny-metrics:
+ replacePathRegex:
+ regex: "^/metrics$"
+ replacement: "/"
diff --git a/coreos-config/roles/compose_project/templates/traefik/traefik.yaml b/coreos-config/roles/compose_project/templates/traefik/traefik.yaml
index abc12b5..f1c1914 100644
--- a/coreos-config/roles/compose_project/templates/traefik/traefik.yaml
+++ b/coreos-config/roles/compose_project/templates/traefik/traefik.yaml
@@ -20,6 +20,8 @@ entryPoints:
 http:
 tls:
 certResolver: letsencrypt
+ middlewares:
+ - deny-metrics@file
 certificatesResolvers:
 letsencrypt:
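Review bot: The `deny-metrics` pattern `^/metrics$` matches only that exact string, so a trailing-slash or sub-path form of the metrics URL passes through unchanged; if Traefik evaluates this middleware against the escaped request path (worth confirming for the deployed version), differently encoded spellings that a backend normalises back to `/metrics` would pass as well. Consider widening it to `regex: "^/metrics(/.*)?$"` and checking how each backend normalises paths before relying on this as the only barrier. Because the match is rewritten to `/`, a blocked request presumably gets the service's root page rather than a 403 or 404, so a comment such as `# rewrite, not a deny: /metrics is answered as / by the backend` would record the intent. The `middlewares:` mapping this entry joins starts above the hunk.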
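Review bot: The `deny-metrics@file` middleware is attached under `http.middlewares` of a single entry point whose name lies above the hunk, so it only guards routers reached through that entry point. If traefik.yaml defines another entry point that forwards to backends instead of redirecting, `/metrics` stays reachable there and needs the same two lines. Being entry-point-wide, the rewrite also applies to every service behind it, including any whose own pages use that path, and to any scraper that goes through Traefik. I would add a comment above the list, e.g. `# deny-metrics: applies to every router on this entry point; internal scrapers must not go through Traefik`.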