Filter '/-/' path from externally visible nginx endpoints
Currently we protect metrics and healthcheck endpoints via a special token that is required to access them. This token is burdensome to change and manage. It is not entirely safe, since that token can easily be leaked via tools not meant to hold secrets.
This MR introduces blocking of healthcheck and metric endpoints prefixed with '/-/' from hosts other than localhost, with the additional caveat that no X-Forwarded-For header must be present.
/cc: @pcarranza @bjk-gitlab @marin
Related to: gitlab-ce#29118
Edited by username-removed-676946
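
One way such a rule could look in nginx, as an added example that is not the configuration from this MR. The upstream name, backend address and server name are assumptions, and the block belongs inside the `http {}` context.

```nginx
# Illustrative only: names and addresses below are assumed, not taken from the MR.
upstream gitlab-workhorse {
    server 127.0.0.1:8181;            # assumed backend address
}

server {
    listen 80;
    server_name gitlab.example.com;   # placeholder host name

    # Healthcheck and metrics endpoints live under the '/-/' prefix.
    # '^~' makes this prefix match win over any regex locations.
    location ^~ /-/ {
        # A request relayed by a load balancer or proxy running on this
        # machine also arrives from 127.0.0.1, so the source address alone
        # does not prove the caller is local. Such proxies normally add
        # X-Forwarded-For; any request carrying it is treated as external.
        if ($http_x_forwarded_for != "") {
            return 404;
        }

        # Only loopback callers (local monitoring agents) pass.
        allow 127.0.0.1;
        allow ::1;
        deny all;

        proxy_set_header Host $http_host;
        proxy_pass http://gitlab-workhorse;
    }

    # Everything else is served as usual.
    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://gitlab-workhorse;
    }
}
```

The header test only helps when every proxy in front of nginx adds X-Forwarded-For; a local proxy that forwards without it would still be seen as localhost.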