contrib/nginx should lock down prometheus server and alertmanager #356
Comments
@alexellis I can raise a PR to address this if you haven't already.
I wonder if we could mitigate partially by taking the port off AlertManager by default.
Can you add a footnote to the Nginx guide for the Prometheus proxy support? Good thinking about this.
Derek assign: johnmccabe
This was referenced Nov 8, 2017
Derek assign: me
Derek add label: priority/middle
Derek close
Expected Behaviour
Currently the nginx auth conf in contrib/nginx/gateway.conf only locks down the OpenFaaS gateway; it should also lock down the Prometheus Server and Alertmanager, both UIs and APIs.
Current Behaviour
Currently both the Prometheus Server and Alertmanager are exposed.
A bad actor could delete series data from Prometheus
Or create a new silence to suppress alerts.
Possible Solution
Add new server entries for 9090 and 9093 to the gateway.conf.
Steps to Reproduce (for bugs)
9090 and 9093 are exposed without auth.
Context
Observed when testing the cli updates.
Your Environment
docker version (e.g. Docker 17.0.05): 17.09.0-ce
Swarm
Ubuntu
n/a
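
One way the server entries proposed above could look, as an added example rather than the project's own gateway.conf. The upstream names `prometheus` and `alertmanager` and the `/etc/nginx/.htpasswd` path are assumptions.

```nginx
# Added example, not the contents of contrib/nginx/gateway.conf.
# Assumptions: "prometheus" and "alertmanager" resolve on the Docker
# network nginx is attached to, and /etc/nginx/.htpasswd is the
# credentials file (hypothetical path).

# Prometheus server: UI and HTTP API behind basic auth
server {
    listen 9090;

    location / {
        auth_basic           "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;

        proxy_pass       http://prometheus:9090;
        proxy_set_header Host $host;
    }
}

# Alertmanager: UI and API (including silence creation) behind basic auth
server {
    listen 9093;

    location / {
        auth_basic           "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;

        proxy_pass       http://alertmanager:9093;
        proxy_set_header Host $host;
    }
}
```

The proxy only protects these ports if Prometheus and Alertmanager no longer publish 9090 and 9093 themselves; otherwise clients reach them directly and bypass nginx. Basic auth credentials travel in the clear unless nginx also terminates TLS.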