From 279c2985c78f537572d47a7e5fe863939ea8d535 Mon Sep 17 00:00:00 2001
From: ale <ale@incal.net>
Date: Sat, 29 Mar 2025 13:28:41 +0000
Subject: [PATCH] Block external access to Go debug handlers

---
 .../templates/config/snippets/site-common.conf               | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/roles/float-infra-nginx/templates/config/snippets/site-common.conf b/roles/float-infra-nginx/templates/config/snippets/site-common.conf
index 905d18bd..a3d67645 100644
--- a/roles/float-infra-nginx/templates/config/snippets/site-common.conf
+++ b/roles/float-infra-nginx/templates/config/snippets/site-common.conf
@@ -57,6 +57,11 @@ location = /metrics {
 	return 403;
 }
 
+# Block external access to Golang /debug handlers.
+location /debug/ {
+	return 403;
+}
+
 # Add services that handle well-known URLs.
 {% for service_name, service in services | dictsort %}
 {% for ep in service.get('horizontal_endpoints', []) %}
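Review bot: The new `location /debug/` block is a plain prefix match, so nginx still prefers any regex location (`location ~ ...`) that matches the same URI, and such a request would be proxied instead of receiving the 403. Whether the server blocks that include this snippet, or the service loop that follows, define regex locations is not visible in this hunk. Writing it as `location ^~ /debug/ {` removes that dependency, because `^~` stops regex evaluation once this prefix wins. A longer prefix location under `/debug/` defined elsewhere would still take precedence, so it is worth checking that no service endpoint is registered there. The comment could also say what is being protected, e.g. `# Block external access to Go /debug handlers (net/http/pprof, expvar), which expose profiling data and process internals.`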
-- 
GitLab