submission: move non-loopback request check to nginx

Using nginx is more flexible way to set, which clients
can submit match reports.

README.md

@@ -31,27 +31,20 @@ Usually it is used with [feeder](https://github.com/em92/qlstats-feeder-mini) ba
 
 For qllr itself:
 
-* Python 3.7 with pip
-* PostgreSQL 9.5
+* Python 3.7 or newer with pip
+* PostgreSQL 9.5 or newer
 
 For feeder:
 
-* Node.js 0.11.13
+* Node.js 0.11.13 or newer
 * libzmq3
 
-### Docker
+Also it is recommended to install `nginx` and `htpasswd` and cover apps above under it.
+Reasons:
 
-For development:
+  * to disable or limit submitting match reports from outside
 
-```
-docker build . -t em92/qllr-dev -f Dockerfile.develop.buster
-```
-
-For production:
-
-```
-docker build . -t em92/qllr -f Dockerfile.production
-```
+  * hide feeder under password protection
 
 ### Docs
 

docs/install.md

@@ -68,7 +68,7 @@ That's it. Now run in separate screen.
 ./main.py
 ```
 
-By default it is running on port 8000.
+By default it is running on port 8000 and uses 127.0.0.1 as host.
 
 
 ## Installing and configuring feeder
@@ -86,11 +86,38 @@ mkdir ql-match-jsons
 mkdir ql-match-jsons/errors
 ```
 
-Edit cfg.json. *xonstatSubmissionUrl* value must point to our qllr (example http://YOUR-HOST-HERE:8000/stats/submit).
+Edit cfg.json:
+
+- `feeder.xonstatSubmissionUrl` value must point to our qllr (example http://127.0.0.1:8000/stats/submit).
+- `webadmin.urlprefix` value to `/feeder`
 
 Now run in separate screen.
 ```
 node feeder.node.js
 ```
 
-It will run on 8081 port by default. Visit http://YOUR-HOST-HERE:8081 and add your quake live server(s) there.
+It will run on 8081 port by default. Visit http://127.0.0.1:8081/feeder and add your quake live server(s) there.
+
+
+## Installing and configuring nginx
+
+```
+sudo apt-get install nginx apache2-utils
+sudo cp nginx.example.conf /etc/nginx/sites-available/stats
+sudo ln -s /etc/nginx/sites-available/stats /etc/nginx/sites-enabled/stats
+# edit /etc/nginx/sites-available/stats
+# When copying from nginx.example.conf
+# 1. domain name
+# 2. path to static directory
+
+# generate password to access /feeder via nginx
+# user is admin
+# password should be inputed
+sudo htpasswd -c /etc/nginx/qllr.htpasswd admin
+
+# make sure everything is fine with nginx config
+sudo nginx -t
+
+# if yes, reload nginx
+sudo service nginx reload
+```

nginx.example.conf

@@ -0,0 +1,34 @@
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name stats.eugenemolotov.ru;
+
+    access_log /var/log/nginx/stats_access.log;
+    error_log /var/log/nginx/stats_error.log;
+
+    location / {
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host $http_host;
+        proxy_redirect off;
+        proxy_buffering off;
+        proxy_pass http://127.0.0.1:8000;
+    }
+
+    # it is preferred, that nginx will serve static data
+    location /static {
+        root /home/eugene/quakelive-local-ratings;
+    }
+
+    location /stats/submit {
+        return 403;  # do not allow to submit results from outsite
+    }
+
+    location /feeder {
+        auth_basic "Staff only";
+        auth_basic_user_file /etc/nginx/qllr.htpasswd;
+        proxy_pass http://127.0.0.1:8081;
+    }
+}

qllr/blueprints/submission/__init__.py

@@ -12,14 +12,6 @@ async def http_stats_submit(request: Request):
     if request.headers.get("X-D0-Blind-Id-Detached-Signature") != "dummy":
         raise HTTPException(403, "signature header invalid or not found")
 
-    if request.client.host not in [
-        "::ffff:127.0.0.1",
-        "::1",
-        "127.0.0.1",
-        "testclient",
-    ]:
-        raise HTTPException(403, "non-loopback requests are not allowed")
-
     match_report = await request.body()
     result = await submit_match(match_report.decode("utf-8"))
     if RUN_POST_PROCESS is False: