/debug/pprof/ this api un auth #2286

Closed
liangliang4ward opened this issue Jan 18, 2022 · 14 comments · Fixed by #2339

@liangliang4ward

Issue description

/debug/pprof/ can be accessed directly without logging in

Expected behavior

/debug/pprof/ must not be accessible without logging in

How to Reproduce

curl localhost:9000/debug/pprof/

Screenshots

No response

Environment

  • apisix version (cmd: apisix version):
  • OS (cmd: uname -a):
  • OpenResty / Nginx version (cmd: nginx -V or openresty -V):
  • etcd version, if have (cmd: run etcd --version):
  • apisix-dashboard version, if have: 2.10
  • Browser version, if have:

Additional context

No response

@liangliang4ward liangliang4ward added the bug Something isn't working label Jan 18, 2022
@zaunist
Contributor

zaunist commented Jan 18, 2022

@qq54903099 Thanks for your comment, we will check it.

@jwrookie
Contributor

jwrookie commented Jan 19, 2022

ref:

    func Authentication() gin.HandlerFunc {
        return func(c *gin.Context) {
            // Skip authentication for login, version, and every path outside /apisix.
            if c.Request.URL.Path == "/apisix/admin/user/login" ||
                c.Request.URL.Path == "/apisix/admin/tool/version" ||
                !strings.HasPrefix(c.Request.URL.Path, "/apisix") {
                c.Next()
                return
            }
            // ... (rest of the handler is not included in this excerpt)
        }
    }

path: /debug/pprof omitted the auth check, by design?

I'd be happy to fix it if you want
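
The bypass discussed in the comment above, reproduced as an added example (not part of the thread and not the project's code): the quoted skip condition is compared with a deny-by-default allowlist, using only net/http. `demoToken`, `publicPaths`, `guard` and `status` are constructed for illustration; a real allowlist would also have to list whatever else the dashboard serves publicly.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

const demoToken = "demo-token" // constructed stand-in for a real session token
// publicPaths is an assumed list of routes that may be served without a token.
var publicPaths = map[string]bool{
	"/apisix/admin/user/login":   true,
	"/apisix/admin/tool/version": true,
}

// skipOriginal mirrors the quoted condition: any path outside /apisix bypasses auth.
func skipOriginal(path string) bool {
	return path == "/apisix/admin/user/login" ||
		path == "/apisix/admin/tool/version" ||
		!strings.HasPrefix(path, "/apisix")
}
// skipStrict denies by default: only explicitly listed routes bypass the check.
func skipStrict(path string) bool { return publicPaths[path] }

// guard runs next only when the path is public or the request carries the token.
func guard(skip func(string) bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if skip(r.URL.Path) || r.Header.Get("Authorization") == demoToken {
			next.ServeHTTP(w, r)
			return
		}
		http.Error(w, "unauthorized", http.StatusUnauthorized)
	})
}

// status returns the HTTP status a GET for path receives behind the guard.
func status(skip func(string) bool, path, token string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.Header.Set("Authorization", token)
	rec := httptest.NewRecorder()
	guard(skip, ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(status(skipOriginal, "/debug/pprof/", ""), status(skipStrict, "/debug/pprof/", ""))
}
```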

@zaunist
Contributor

zaunist commented Jan 19, 2022

@jwrookie You are right! Welcome to submit a PR.

@jwrookie
Contributor

Can I base it on a cookie for a quick fix?

@zaunist
Contributor

zaunist commented Jan 19, 2022

I'm not sure what you want to do. Can you give an example?

@jwrookie
Contributor

Currently, user authentication is done through HTTP headers, and the headers cannot be added automatically in a new tab for /debug/pprof.

@zaunist
Contributor

zaunist commented Jan 20, 2022

Got it.

@zaunist
Contributor

zaunist commented Jan 20, 2022

@jwrookie You can submit a PR to accomplish your idea, and other community members will review your code.

@jwrookie
Contributor

droplet does not support setting cookies 😥

@bzp2010
Contributor

bzp2010 commented Jan 25, 2022

Maybe we can add a configuration item that is turned off by default. I don't think the pprof API is very meaningful for the dashboard. I.e., turn off this API by default and turn it on by modifying the configuration when you need to use it.

@jwrookie
Contributor

But when it is turned on, the problem will reproduce.

@zaunist
Contributor

zaunist commented Feb 24, 2022

Hi, community. IMO, since this interface is very rarely used, I suggest removing pprof and adding one manually for debugging if needed in development.

@zaunist
Contributor

zaunist commented Feb 24, 2022

And I'm glad to contribute to this issue.

@jwrookie
Contributor

If it is not connected to Prometheus or other similar tools, I recommend using it for continuous monitoring and analysis.
