Description
As described in the README, I was expecting to be able to disable public access to the metrics endpoint. This is not possible by setting the env `DISABLE_EXTERNAL_ACCESS` to True, since it also requires setting a header `X-Forwarded-Host` in the request. As a result, the endpoint is still public because I cannot control the request.
The code for MetricsEndpoint.java:
```java
public Response get(@Context HttpHeaders headers) {
    if (DISABLE_EXTERNAL_ACCESS) {
        if (!headers.getRequestHeader("x-forwarded-host").isEmpty()) {
            // Request is being forwarded by HA Proxy on Openshift
            return Response.status(Status.FORBIDDEN).build(); //(stream).build();
        }
    }
    final StreamingOutput stream = output -> PrometheusExporter.instance().export(output);
    return Response.ok(stream).build();
}
```
Expected Behavior
Setting var `DISABLE_EXTERNAL_ACCESS` to True should totally disable the metrics endpoint. However, at the same time, if `X-Forwarded-Host` is set and is valid, it should be accessible to the cluster only.
Actual Behavior
The endpoint is still public.
Steps to reproduce
See Description.
May be related to #119
Cheers!
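An added example (not code from the project or from the issue author) that models the check quoted above beside a fail-closed variant, showing why a request that arrives without `X-Forwarded-Host` is still served. The class name, the `TRUSTED_CIDR` value, and the sample requests are assumptions constructed for illustration.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.List;

public class MetricsGateDemo {
    // Assumed pod network range the scraper connects from; substitute your own.
    static final String TRUSTED_CIDR = "10.128.0.0/14";

    static boolean isForwarded(List<String> forwardedHost) {
        return forwardedHost != null && !forwardedHost.isEmpty();
    }

    // Models the check quoted in the issue: deny only when the header is present.
    static boolean headerOnlyGate(boolean disableExternal, List<String> forwardedHost) {
        return !(disableExternal && isForwarded(forwardedHost));
    }

    // Fail-closed variant: when the flag is set, allow only an unforwarded
    // request whose peer address falls inside the trusted range.
    static boolean peerAddressGate(boolean disableExternal, List<String> forwardedHost,
                                   String remoteAddr) throws UnknownHostException {
        return !disableExternal
                || (!isForwarded(forwardedHost) && inCidr(remoteAddr, TRUSTED_CIDR));
    }

    // IPv4-only CIDR membership test; anything else is treated as untrusted.
    static boolean inCidr(String addr, String cidr) throws UnknownHostException {
        String[] parts = cidr.split("/");
        byte[] a = InetAddress.getByName(addr).getAddress();
        byte[] n = InetAddress.getByName(parts[0]).getAddress();
        if (a.length != 4 || n.length != 4) return false;
        int prefix = Integer.parseInt(parts[1]);
        int mask = prefix == 0 ? 0 : -1 << (32 - prefix);
        return (toInt(a) & mask) == (toInt(n) & mask);
    }

    static int toInt(byte[] b) {
        return ((b[0] & 0xff) << 24) | ((b[1] & 0xff) << 16) | ((b[2] & 0xff) << 8) | (b[3] & 0xff);
    }

    static void show(String label, List<String> header, String peer) throws UnknownHostException {
        System.out.printf("%-28s header-only=%-5b peer-address=%b%n", label,
                headerOnlyGate(true, header), peerAddressGate(true, header, peer));
    }

    public static void main(String[] args) throws UnknownHostException {
        // Constructed sample requests: label, X-Forwarded-Host values, peer address.
        show("via router", List.of("metrics.example.com"), "10.128.0.7");
        show("direct, external peer", List.of(), "203.0.113.9");
        show("direct, in-cluster scraper", List.of(), "10.129.4.20");
    }
}
```

In a JAX-RS resource the peer address would typically come from `HttpServletRequest.getRemoteAddr()`; whether that matches this project's deployment is an assumption.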