From de89a582448d80bc0a84685e1f336aa612401afd Mon Sep 17 00:00:00 2001
From: Daniel Kuruc
Date: Thu, 21 Jan 2021 23:30:34 +0100
Subject: [PATCH] Improve default templates, mostly by adding ACLs

---
 python/docker_network_monitor/templates/80.j2 | 14 +++++++++++---
 python/docker_network_monitor/templates/default.j2 | 8 +++++++-
 2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/python/docker_network_monitor/templates/80.j2 b/python/docker_network_monitor/templates/80.j2
index 1444d99..4b7e09a 100644
--- a/python/docker_network_monitor/templates/80.j2
+++ b/python/docker_network_monitor/templates/80.j2
@@ -1,7 +1,15 @@
 listen docker-{{ hostname }}
- bind *:443 interface eth0
- bind *:80 interface eth0
 mode http
- option forwardfor
+ bind *:80 interface eth0
+
+ # SSL
+ bind *:443 interface eth0
 redirect scheme https code 301 if !{ ssl_fc }
+
+ # Allow only requests for a valid FQDN
+ acl is_{{ hostname }} hdr(host) -i "{{ hostname }}.${DOMAIN_NAME}"
+ tcp-request content accept if is_{{ hostname }}
+ tcp-request content reject
+
+ option forwardfor
 server {{ hostname }} {{ ip }}:{{ target_port }}
diff --git a/python/docker_network_monitor/templates/default.j2 b/python/docker_network_monitor/templates/default.j2
index 945e416..e35dcb2 100644
--- a/python/docker_network_monitor/templates/default.j2
+++ b/python/docker_network_monitor/templates/default.j2
@@ -1,4 +1,10 @@
 listen docker-{{ hostname }}
- bind *:{{ source_port }} interface eth0
 mode tcp
+ bind *:{{ source_port }} interface eth0
+
+ # Allow only requests for a valid FQDN
+ acl is_{{ hostname }} hdr(host) -i "{{ hostname }}.${DOMAIN_NAME}"
+ tcp-request content accept if is_{{ hostname }}
+ tcp-request content reject
+
 server {{ hostname }} {{ ip }}:{{ target_port }}
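Review bot: The Host check in 80.j2 is written as `tcp-request content accept` / `tcp-request content reject` rules on `hdr(host)` inside a `mode http` listener, so a rejected request is dropped at the connection level with no HTTP response and no status code in the HTTP log, which makes the denials invisible to anyone watching the access log. Expressing the same rule as `http-request deny unless is_{{ hostname }}` yields a logged 403 and keeps the check in the HTTP layer the `hdr()` fetch belongs to. The exact `-i` match also fails when a client sends the port in the Host header (`host.example:443`); `req.hdr(host),field(1,:) -i "{{ hostname }}.${DOMAIN_NAME}"` strips it, and a comment should state which form is intended. Separately, the re-added `bind *:443 interface eth0` carries no `ssl crt` option, so `ssl_fc` presumably can never be true on this listener and the unchanged `redirect scheme https` line would loop unless TLS is terminated in front of HAProxy; if that is the deployment, a comment on the `# SSL` line saying so would save the next reader the question.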
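Review bot: In default.j2 the same `hdr(host)` ACL and unconditional `tcp-request content reject` are added to a `mode tcp` listener with no `tcp-request inspect-delay`, and since this template presumably covers the non-HTTP ports that have no port-specific template, the forwarded protocol may carry no Host header at all, in which case `is_{{ hostname }}` never matches and every connection is rejected. Either keep the FQDN check to the HTTP template, or, if default.j2 is only ever used for HTTP traffic, switch the listener to `mode http` with `http-request deny unless is_{{ hostname }}` and record that assumption in the `# Allow only requests for a valid FQDN` comment; `mode tcp` is an unchanged context line here, so confirm HAProxy's handling of layer-7 fetches in TCP mode with a test before relying on either reading. In both templates an unset `${DOMAIN_NAME}` expands to an empty string, leaving the ACL matching `"{{ hostname }}."` and rejecting all requests, which is worth a comment or a startup check in the generator.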