From b33e861a493cfaf618f6acda54b4c7234afc79c6 Mon Sep 17 00:00:00 2001
From: Ivan Cvitkovic
Date: Thu, 17 Oct 2024 13:32:10 -0700
Subject: [PATCH] Only allow localhost access, temporarily (#7)
---
 dev/alive/docker-compose.yaml | 6 ++++++
 dev/gateway/docker-compose.yaml | 6 ++++++
 dev/hymtruth/docker-compose.yaml | 6 ++++++
 dev/mash/docker-compose.yaml | 6 ++++++
 dev/mstudy/docker-compose.yaml | 6 ++++++
 dev/radar/docker-compose.yaml | 7 +++++++
 6 files changed, 37 insertions(+)
diff --git a/dev/alive/docker-compose.yaml b/dev/alive/docker-compose.yaml
index 611cb4c..71562ac 100644
--- a/dev/alive/docker-compose.yaml
+++ b/dev/alive/docker-compose.yaml
@@ -24,6 +24,9 @@ services:
 - traefik.http.routers.alive-coreapi-${COMPOSE_PROJECT_NAME}.tls=true
 - traefik.http.routers.alive-coreapi-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt
+ # TODO remove after auth implemented via oauth2-proxy
+ # only allow access from localhost and CIRG IP ranges
+ - traefik.http.routers.alive-coreapi-${COMPOSE_PROJECT_NAME}.middlewares=limit-access-to-cirg-dc-cidr
 node:
 labels:
 - traefik.enable=true
@@ -32,5 +35,8 @@ services:
 - traefik.http.routers.alive-node-${COMPOSE_PROJECT_NAME}.tls=true
 - traefik.http.routers.alive-node-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt
+ # TODO remove after auth implemented via oauth2-proxy
+ # only allow access from localhost and CIRG IP ranges
+ - traefik.http.routers.alive-node-${COMPOSE_PROJECT_NAME}.middlewares=limit-access-to-cirg-dc-cidr
 volumes:
 leaf-alive-mssql:
diff --git a/dev/gateway/docker-compose.yaml b/dev/gateway/docker-compose.yaml
index 23873c5..1a91cfd 100644
--- a/dev/gateway/docker-compose.yaml
+++ b/dev/gateway/docker-compose.yaml
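Review bot: The `middlewares=limit-access-to-cirg-dc-cidr` label on the `alive-coreapi` router names a middleware that is neither defined nor provider-qualified anywhere in this patch, and the same holds for the other eleven routers it touches (`alive-node`, and the coreapi/node pairs for gateway, hymtruth, mash, mstudy and radar). Traefik resolves an unqualified middleware name inside the provider that declared the router, here Docker labels, so if the allowlist is declared in a file-provider config the reference would need to be `limit-access-to-cirg-dc-cidr@file`. An unresolved middleware should make Traefik reject the router rather than serve it unfiltered, so the likely failure is an outage and not exposure, but it is worth confirming after deploy that each router shows the middleware attached. The label also sets the router's whole middleware list, so any chain configured for these routers elsewhere (an override file or an `extends` base) would be replaced, not appended to.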
@@ -24,6 +24,9 @@ services:
 - traefik.http.routers.gateway-coreapi-${COMPOSE_PROJECT_NAME}.tls=true
 - traefik.http.routers.gateway-coreapi-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt
+ # TODO remove after auth implemented via oauth2-proxy
+ # only allow access from localhost and CIRG IP ranges
+ - traefik.http.routers.gateway-coreapi-${COMPOSE_PROJECT_NAME}.middlewares=limit-access-to-cirg-dc-cidr
 node:
 extends:
 file: ../common-services.yaml
@@ -35,6 +38,9 @@ services:
 - traefik.http.routers.gateway-node-${COMPOSE_PROJECT_NAME}.tls=true
 - traefik.http.routers.gateway-node-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt
+ # TODO remove after auth implemented via oauth2-proxy
+ # only allow access from localhost and CIRG IP ranges
+ - traefik.http.routers.gateway-node-${COMPOSE_PROJECT_NAME}.middlewares=limit-access-to-cirg-dc-cidr
 clin-db:
 extends:
 file: ../common-services.yaml
diff --git a/dev/hymtruth/docker-compose.yaml b/dev/hymtruth/docker-compose.yaml
index 026f671..9f55f78 100644
--- a/dev/hymtruth/docker-compose.yaml
+++ b/dev/hymtruth/docker-compose.yaml
@@ -24,6 +24,9 @@ services:
 - traefik.http.routers.hymtruth-coreapi-${COMPOSE_PROJECT_NAME}.tls=true
 - traefik.http.routers.hymtruth-coreapi-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt
+ # TODO remove after auth implemented via oauth2-proxy
+ # only allow access from localhost and CIRG IP ranges
+ - traefik.http.routers.hymtruth-coreapi-${COMPOSE_PROJECT_NAME}.middlewares=limit-access-to-cirg-dc-cidr
 node:
 labels:
 - traefik.enable=true
@@ -32,5 +35,8 @@ services:
 - traefik.http.routers.hymtruth-node-${COMPOSE_PROJECT_NAME}.tls=true
 - traefik.http.routers.hymtruth-node-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt
+ # TODO remove after auth implemented via oauth2-proxy
+ # only allow access from localhost and CIRG IP ranges
+ - traefik.http.routers.hymtruth-node-${COMPOSE_PROJECT_NAME}.middlewares=limit-access-to-cirg-dc-cidr
 volumes:
 leaf-hymtruth-mssql:
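Review bot: An allowlist that includes localhost, as the added comments on the `gateway-coreapi` and `gateway-node` routers say it does, only restricts anything if Traefik sees the real client address; this applies equally to every other router changed in the patch. If Traefik sits behind Docker's userland proxy, a NAT hop or another load balancer, every request can arrive from a loopback or bridge address and pass the filter. If the middleware's `ipStrategy` reads `X-Forwarded-For`, its `depth` has to match the number of trusted proxies in front, otherwise the compared value is client-controlled. The middleware definition is outside this patch, so this is something to verify rather than a confirmed defect: a request from outside the CIRG ranges should be rejected (403 by default) on each of these hosts. I would extend the comment to record that, e.g. `# allowlist matches the peer address Traefik sees; verify external requests are rejected`.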
diff --git a/dev/mash/docker-compose.yaml b/dev/mash/docker-compose.yaml
index fcb47ff..951d7b0 100644
--- a/dev/mash/docker-compose.yaml
+++ b/dev/mash/docker-compose.yaml
@@ -24,6 +24,9 @@ services:
 - traefik.http.routers.mash-coreapi-${COMPOSE_PROJECT_NAME}.tls=true
 - traefik.http.routers.mash-coreapi-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt
+ # TODO remove after auth implemented via oauth2-proxy
+ # only allow access from localhost and CIRG IP ranges
+ - traefik.http.routers.mash-coreapi-${COMPOSE_PROJECT_NAME}.middlewares=limit-access-to-cirg-dc-cidr
 node:
 labels:
 - traefik.enable=true
@@ -32,5 +35,8 @@ services:
 - traefik.http.routers.mash-node-${COMPOSE_PROJECT_NAME}.tls=true
 - traefik.http.routers.mash-node-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt
+ # TODO remove after auth implemented via oauth2-proxy
+ # only allow access from localhost and CIRG IP ranges
+ - traefik.http.routers.mash-node-${COMPOSE_PROJECT_NAME}.middlewares=limit-access-to-cirg-dc-cidr
 volumes:
 leaf-mash-mssql:
diff --git a/dev/mstudy/docker-compose.yaml b/dev/mstudy/docker-compose.yaml
index dd103e5..234bd26 100644
--- a/dev/mstudy/docker-compose.yaml
+++ b/dev/mstudy/docker-compose.yaml
@@ -24,6 +24,9 @@ services:
 - traefik.http.routers.mstudy-coreapi-${COMPOSE_PROJECT_NAME}.tls=true
 - traefik.http.routers.mstudy-coreapi-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt
+ # TODO remove after auth implemented via oauth2-proxy
+ # only allow access from localhost and CIRG IP ranges
+ - traefik.http.routers.mstudy-coreapi-${COMPOSE_PROJECT_NAME}.middlewares=limit-access-to-cirg-dc-cidr
 node:
 labels:
 - traefik.enable=true
@@ -32,5 +35,8 @@ services:
 - traefik.http.routers.mstudy-node-${COMPOSE_PROJECT_NAME}.tls=true
 - traefik.http.routers.mstudy-node-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt
+ # TODO remove after auth implemented via oauth2-proxy
+ # only allow access from localhost and CIRG IP ranges
+ - traefik.http.routers.mstudy-node-${COMPOSE_PROJECT_NAME}.middlewares=limit-access-to-cirg-dc-cidr
 volumes:
 leaf-mstudy-mssql:
diff --git a/dev/radar/docker-compose.yaml b/dev/radar/docker-compose.yaml
index 58ef077..92d71de 100644
--- a/dev/radar/docker-compose.yaml
+++ b/dev/radar/docker-compose.yaml
@@ -24,6 +24,9 @@ services:
 - traefik.http.routers.radar-coreapi-${COMPOSE_PROJECT_NAME}.tls=true
 - traefik.http.routers.radar-coreapi-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt
+ # TODO remove after auth implemented via oauth2-proxy
+ # only allow access from localhost and CIRG IP ranges
+ - traefik.http.routers.radar-coreapi-${COMPOSE_PROJECT_NAME}.middlewares=limit-access-to-cirg-dc-cidr
 node:
 labels:
 - traefik.enable=true
@@ -32,5 +35,9 @@ services:
 - traefik.http.routers.radar-node-${COMPOSE_PROJECT_NAME}.tls=true
 - traefik.http.routers.radar-node-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt
+ # TODO remove after auth implemented via oauth2-proxy
+ # only allow access from localhost and CIRG IP ranges
+ - traefik.http.routers.radar-node-${COMPOSE_PROJECT_NAME}.middlewares=limit-access-to-cirg-dc-cidr
+
 volumes:
 leaf-radar-mssql:
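Review bot: The two comment lines above each added label, here on `mstudy-node` and both radar routers as in every earlier hunk, disagree with the commit subject and with the middleware name: the subject says localhost only, the comment says localhost and CIRG IP ranges, and `limit-access-to-cirg-dc-cidr` suggests a data-centre CIDR. Because the definition is not in this patch, a reader of these compose files cannot tell what is actually allowed; I would have the comment point at the definition and carry a tracking reference, e.g. `# TEMPORARY (<tracking-issue placeholder>): source-IP allowlist, ranges defined in <path to middleware definition>; not a substitute for auth`. The TODO is repeated twelve times with no issue id, which makes it easy to leave one behind when oauth2-proxy lands. Minor: the `radar-node` hunk also adds a blank line after the label that the other five files do not have.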