build: whitelist all access from internal service calls

compose.yaml

@@ -41,6 +41,8 @@ x-proxy-env: &proxy-env # General
   USE_BUNKERNET: no
   DISABLE_DEFAULT_SERVER: yes
   API_WHITELIST_IP: 127.0.0.0/8 10.20.30.0/24
+  # Avoid running ModSec rules on internal service calls
+  WHITELIST_IP: 10.20.30.0/24
   MULTISITE: yes
   USE_REVERSE_PROXY: yes
   REVERSE_PROXY_INTERCEPT_ERRORS: no
@@ -87,8 +89,6 @@ x-proxy-env: &proxy-env # General
   odkcentral_AUTO_REDIRECT_HTTP_TO_HTTPS: no
   odkcentral_CUSTOM_SSL_CERT_DATA: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUI5RENDQVhtZ0F3SUJBZ0lVWXFyb0dWRVdsK204eU9OY2pUU2pCWThkckN3d0NnWUlLb1pJemowRUF3SXcKRlRFVE1CRUdBMVVFQXd3S2IyUnJZMlZ1ZEhKaGJEQWdGdzB5TkRBM01qTXhNakF6TVRWYUdBOHlNVEkwTURZeQpPVEV5TURNeE5Wb3dGVEVUTUJFR0ExVUVBd3dLYjJSclkyVnVkSEpoYkRCMk1CQUdCeXFHU000OUFnRUdCU3VCCkJBQWlBMklBQktSZmpOQVFzWUI0ekNXckdETHdKNEVIRDRTNW5rL1Z3aG00TmYwN203c0RTai9RTzlYK0JnNjIKeWlMbWVzT1ZMRExHRklpZXZ2aHIrZkxNY0YwUDQwN0FWKytER1o5bXZ6VmNwMVdZMlE5NllpTVVuelM3MWx0RQo4K3BXbFBmanRLT0JoekNCaERBZEJnTlZIUTRFRmdRVWNVekZsNUpWN1dUM045VUhxbmhSRHlWT3ZjY3dId1lEClZSMGpCQmd3Rm9BVWNVekZsNUpWN1dUM045VUhxbmhSRHlWT3ZjY3dEd1lEVlIwVEFRSC9CQVV3QXdFQi96QXgKQmdOVkhSRUVLakFvZ2dwdlpHdGpaVzUwY21Gc2doUXFMbTlrYXk1bWJYUnRMbXh2WTJGc2FHOXpkSWNFQ2hRZQpNakFLQmdncWhrak9QUVFEQWdOcEFEQm1BakVBb2xuOGRubmlQN0dKSEJPQW4rTHVCV0ZhaUY1NHFZRmpTYyt1Clpia1cwY1pyNWw2VnZ6WVlBdGdWbUtOdTB5WWRBakVBMWlvT2JRTERYdDV3S1JPWjV5VUtmbys2T21IbTV1NWkKQU5LUHd2MExqc2ZIYk5hbzJMWnduK0VxTjNtdUpPNXEKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
   odkcentral_CUSTOM_SSL_KEY_DATA: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JRzJBZ0VBTUJBR0J5cUdTTTQ5QWdFR0JTdUJCQUFpQklHZU1JR2JBZ0VCQkRCc21pQjBmUU5hR1VobEdpWnMKNks1YVo1K1hUOVM1cFdlWkhZc05SVXRlK2FRZ1hIK0pTSmpwRnFqRnNLN21abldoWkFOaUFBU2tYNHpRRUxHQQplTXdscXhneThDZUJCdytFdVo1UDFjSVp1RFg5TzV1N0Ewby8wRHZWL2dZT3Rzb2k1bnJEbFN3eXhoU0lucjc0CmEvbnl6SEJkRCtOT3dGZnZneG1mWnI4MVhLZFZtTmtQZW1JakZKODB1OVpiUlBQcVZwVDM0N1E9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K
-  # Avoid running ModSec rules on calls to ODK Central from API
-  odkcentral_WHITELIST_IP: 10.20.30.0/24
 
 services:
   proxy:

deploy/compose.development.yaml

@@ -54,6 +54,8 @@ x-proxy-env: &proxy-env # General
   USE_BUNKERNET: no
   DISABLE_DEFAULT_SERVER: yes
   API_WHITELIST_IP: 127.0.0.0/8 10.20.30.0/24
+  # Avoid running ModSec rules on internal service calls
+  WHITELIST_IP: 10.20.30.0/24
   MULTISITE: yes
   USE_REVERSE_PROXY: yes
   REVERSE_PROXY_INTERCEPT_ERRORS: no
@@ -98,8 +100,6 @@ x-proxy-env: &proxy-env # General
   # buffer requests, but not responses, so streaming out works
   odk.dev.fmtm.hotosm.org_REVERSE_PROXY_BUFFERING: no
   odk.dev.fmtm.hotosm.org_MAX_CLIENT_SIZE: 500m
-  # Avoid running ModSec rules on calls to ODK Central from API
-  odk.dev.fmtm.hotosm.org_WHITELIST_IP: 10.20.30.0/24
 
 services:
   proxy:

deploy/compose.main.yaml

@@ -50,6 +50,8 @@ x-proxy-env: &proxy-env # General
   USE_BUNKERNET: no
   DISABLE_DEFAULT_SERVER: yes
   API_WHITELIST_IP: 127.0.0.0/8 10.20.30.0/24
+  # Avoid running ModSec rules on internal service calls
+  WHITELIST_IP: 10.20.30.0/24
   MULTISITE: yes
   USE_REVERSE_PROXY: yes
   REVERSE_PROXY_INTERCEPT_ERRORS: no

deploy/compose.staging.yaml

@@ -54,6 +54,8 @@ x-proxy-env: &proxy-env # General
   USE_BUNKERNET: no
   DISABLE_DEFAULT_SERVER: yes
   API_WHITELIST_IP: 127.0.0.0/8 10.20.30.0/24
+  # Avoid running ModSec rules on internal service calls
+  WHITELIST_IP: 10.20.30.0/24
   MULTISITE: yes
   USE_REVERSE_PROXY: yes
   REVERSE_PROXY_INTERCEPT_ERRORS: no
@@ -97,8 +99,6 @@ x-proxy-env: &proxy-env # General
   # buffer requests, but not responses, so streaming out works
   odk.stage.fmtm.hotosm.org_REVERSE_PROXY_BUFFERING: no
   odk.stage.fmtm.hotosm.org_MAX_CLIENT_SIZE: 500m
-  # Avoid running ModSec rules on calls to ODK Central from API
-  odk.stage.fmtm.hotosm.org_WHITELIST_IP: 10.20.30.0/24
 
 services:
   proxy: