Disabling metric endpoint for public access does not work #156

Open
JaniszM opened this issue Feb 24, 2023 · 3 comments
Comments

@JaniszM

JaniszM commented Feb 24, 2023

Description

As described in the README, I was expecting to be able to disable the metrics endpoint for public access. This is not possible by setting the environment variable DISABLE_EXTERNAL_ACCESS to True, since it also requires the header X-Forwarded-Host to be set in the request. As a result, the endpoint is still public, because I cannot control the request.

The code for MetricsEndpoint.java

    public Response get(@Context HttpHeaders headers) {
        if (DISABLE_EXTERNAL_ACCESS) {
            // Only refuses when the header is present: a client that sends no
            // X-Forwarded-Host falls through to the export below.
            if (!headers.getRequestHeader("x-forwarded-host").isEmpty()) {
                // Request is being forwarded by HA Proxy on Openshift
                return Response.status(Status.FORBIDDEN).build(); //(stream).build();
            }
        }

        // Reached for every request that carries no X-Forwarded-Host: metrics are served.
        final StreamingOutput stream = output -> PrometheusExporter.instance().export(output);
        return Response.ok(stream).build();
    }

Expected Behavior

Setting the variable DISABLE_EXTERNAL_ACCESS to True should totally disable the metrics endpoint. However, at the same time, if X-Forwarded-Host is set and is valid, it should be accessible to the cluster only.

Actual Behavior

The endpoint is still public.

Steps to reproduce

See Description.

May be related to #119

Cheers!
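To make the gap in the quoted check concrete, here is an added model of it, written for this write-up and not taken from the issue or from the keycloak-metrics-spi project. `metrics_status_as_reported` mirrors the quoted Java logic; `metrics_status_hardened` is a hypothetical alternative that ignores request headers and instead gates on the peer address against an operator-supplied trusted range. The `Request` class, the trusted range 10.42.0.0/16 and the sample addresses are all constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple, Union

OK, FORBIDDEN = 200, 403


@dataclass
class Request:
    """Minimal stand-in for a JAX-RS request: peer address plus headers."""
    remote_addr: str
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> Optional[str]:
        # Header names are case-insensitive, so compare case-folded.
        wanted = name.lower()
        for key, value in self.headers.items():
            if key.lower() == wanted:
                return value
        return None


def metrics_status_as_reported(req: Request, disable_external_access: bool) -> int:
    """Mirror of the check quoted from MetricsEndpoint.java in the issue:
    with the flag set, a request is refused only if X-Forwarded-Host is
    present.  A client that simply omits the header is served."""
    if disable_external_access and req.header("X-Forwarded-Host") is not None:
        return FORBIDDEN
    return OK


def metrics_status_hardened(req: Request, disable_external_access: bool,
                            trusted_nets: List[Union[IPv4Network, IPv6Network]]) -> int:
    """Hypothetical alternative (not the project's code): with the flag set,
    serve metrics only when the peer address lies in a trusted range.
    Request headers are not consulted, because any client can add or omit them."""
    if not disable_external_access:
        return OK
    try:
        peer = ip_address(req.remote_addr)
    except ValueError:
        return FORBIDDEN  # unparsable peer address: fail closed
    return OK if any(peer in net for net in trusted_nets) else FORBIDDEN


# Constructed sample traffic.  10.42.0.0/16 stands in for the cluster's pod
# network; 203.0.113.0/24 (documentation space) stands in for the internet.
TRUSTED = [ip_network("10.42.0.0/16")]
SAMPLES: Dict[str, Request] = {
    "internet, direct":     Request("203.0.113.10"),
    "internet, header set": Request("203.0.113.10", {"X-Forwarded-Host": "sso.example.com"}),
    "cluster scraper":      Request("10.42.0.7"),
    "cluster, header set":  Request("10.42.0.7", {"x-forwarded-host": "sso.example.com"}),
}


def compare(disable_external_access: bool = True) -> Dict[str, Tuple[int, int]]:
    """Run every sample through both checks; returns name -> (reported, hardened)."""
    return {
        name: (metrics_status_as_reported(req, disable_external_access),
               metrics_status_hardened(req, disable_external_access, TRUSTED))
        for name, req in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (reported, hardened) in compare().items():
        print(f"{name:22s} reported={reported}  hardened={hardened}")
```

The "internet, direct" row is the issue in one line: the quoted check answers 200 to an external client that sends no X-Forwarded-Host, while the address-based variant answers 403. The caveat with the address-based variant is that when Keycloak sits behind a reverse proxy or load balancer, the peer address it sees is the proxy's, not the client's, so in that deployment the proxy has to be the enforcement point (or has to supply a trustworthy forwarded address after stripping any client-supplied copy).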

@kop-hmf

kop-hmf commented Sep 6, 2023

Hi @JaniszM ,
we faced the same issue, as you mentioned above.

Did you find a way to handle the problem and avoid public access to all metrics if no load balancer etc. is used?
BR Kim

@JaniszM

JaniszM commented Sep 8, 2023

Hi @kop-hmf .

Not really, just a workaround. My Keycloak was deployed to a K8s cluster (EKS), so I used ingress controllers to handle access at a higher level.
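An added illustration of the kind of ingress-level workaround described in the reply above; it is constructed for this write-up and is not the commenter's own configuration. It assumes the ingress-nginx controller, a Service named `keycloak` on port 8080 in namespace `sso`, a Keycloak that serves under `/auth`, a single realm named `master`, and a pod network of 10.42.0.0/16; adjust all of these to the real deployment.

```yaml
# Constructed example, not from the issue thread.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak
  namespace: sso
spec:
  ingressClassName: nginx
  rules:
  - host: sso.example.com
    http:
      paths:
      - path: /auth
        pathType: Prefix
        backend:
          service:
            name: keycloak
            port:
              number: 8080
---
# Second object on the same host: the more specific path takes precedence,
# and the annotation makes ingress-nginx answer 403 to any source address
# outside the listed ranges.  Keycloak itself never sees the blocked requests.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak-metrics-internal-only
  namespace: sso
  annotations:
    nginx.ingress.kubernetes.io/whitelist-source-range: "10.42.0.0/16"
spec:
  ingressClassName: nginx
  rules:
  - host: sso.example.com
    http:
      paths:
      - path: /auth/realms/master/metrics
        pathType: Prefix
        backend:
          service:
            name: keycloak
            port:
              number: 8080
```

Two things to check before relying on this. First, the metrics path is per realm, so every realm that exists (or can be created) needs its own entry, otherwise the realm you forgot stays exposed. Second, `whitelist-source-range` evaluates the source address of the connection that reaches the controller; if a cloud load balancer in front of it rewrites that address, every client appears to come from the load balancer and the rule matches nothing useful, so preserve the client address (proxy protocol or an equivalent) and verify with a request from outside the cluster that the path really returns 403. An in-cluster Prometheus should scrape the `keycloak` Service directly and never pass through the ingress at all.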

@anacelto

anacelto commented Sep 9, 2024

We are also facing this issue. It would be nice to have a way to disable this endpoint.
