contrib/nginx should lock down prometheus server and alertmanager #356

Closed
johnmccabe opened this issue Oct 29, 2017 · 7 comments

Comments

@johnmccabe
Contributor

johnmccabe commented Oct 29, 2017

Expected Behaviour

Currently the nginx auth conf in contrib/nginx/gateway.conf only locks down the OpenFaaS gateway, it should also lock down the Prometheus Server and Alertmanager, both UIs and APIs.

Current Behaviour

Currently both the Prometheus Server and Alertmanager are exposed.

A bad actor could delete series data from prometheus

curl -XDELETE -g 'http://localhost:9090/api/v1/series?match[]=gateway_service_count'

Or create a new silence to suppress alerts.

Possible Solution

Add new server entries for 9090 and 9093 to the gateway.conf.

Steps to Reproduce (for bugs)

  1. Run OpenFaaS
  2. Follow the current NGINX Basic Auth guide
  3. Confirm that 9090 and 9093 are exposed without auth.

Context

Observed when testing the cli updates.

Your Environment

  • Docker version (e.g. Docker 17.0.05): 17.09.0-ce
  • Are you using Docker Swarm or Kubernetes (FaaS-netes)? Swarm
  • Operating System and version (e.g. Linux, Windows, MacOS): Ubuntu
  • Link to your project or a code example to reproduce issue: n/a
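The "Possible Solution" above, written out as an added example. This is not the project's contrib/nginx/gateway.conf and not code from the issue author; it mirrors the shape of the existing gateway entry (a server block with auth_basic in front of proxy_pass). It assumes NGINX is attached to the same Swarm network as the stack and can resolve the upstreams as prometheus and alertmanager, and that /etc/nginx/.htpasswd already exists (for example created with htpasswd -c /etc/nginx/.htpasswd admin). Those hostnames and the htpasswd path are assumptions, not taken from the issue.

```nginx
# Added example: basic-auth front for Prometheus (9090) and Alertmanager (9093).
# Not the project's gateway.conf. Upstream hostnames and the htpasswd path are
# assumptions about the deployment.

# The existing gateway server entry (port 8080) stays as it is.

server {
    listen 9090;
    server_name _;

    # "location /" covers the UI and every API path (/api/v1/series, /graph, ...),
    # so the DELETE shown in the issue gets a 401 without credentials.
    location / {
        auth_basic           "Prometheus";
        auth_basic_user_file /etc/nginx/.htpasswd;

        proxy_pass         http://prometheus:9090;   # assumed service name
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }
}

server {
    listen 9093;
    server_name _;

    # Same treatment for Alertmanager; this also covers /api/v1/silences,
    # which is what an unauthenticated silence would be POSTed to.
    location / {
        auth_basic           "Alertmanager";
        auth_basic_user_file /etc/nginx/.htpasswd;

        proxy_pass         http://alertmanager:9093;   # assumed service name
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }
}
```

Two checks worth running after deploying this. First, repeat the issue's own probe against the NGINX address, curl -XDELETE -g 'http://<nginx-host>:9090/api/v1/series?match[]=gateway_service_count', and confirm a 401 rather than a 2xx; do the same with a GET to :9093/ for the Alertmanager UI. Second, confirm that the prometheus and alertmanager containers no longer publish 9090 and 9093 on the host themselves: if they still do, the proxy is simply bypassed by connecting to the node directly. Basic auth sends the credentials in a reversible encoding on every request, so this only holds up if the NGINX listener is behind TLS or on a trusted network.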
@johnmccabe
Contributor Author

johnmccabe commented Oct 29, 2017

@alexellis I can raise a PR to address this if you haven't already.

@alexellis alexellis added this to In review in #TeamServerless Nov 6, 2017
@alexellis
Member

I wonder if we could mitigate partially by taking the port off AlertManager by default.
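The partial mitigation suggested here, as an added example rather than a change from the project or the commenter. It assumes a stack definition like OpenFaaS's docker-compose.yml with a service named alertmanager on an overlay network named functions and a 9093:9093 port mapping; those names and the mapping are assumptions about that file, not details from this thread.

```yaml
# Added example (not the project's compose file). Service name, network name,
# image and the 9093:9093 mapping are assumptions about the stack definition.

# Before: the port is published on every Swarm node, so anyone who can reach a
# node can POST to http://<node>:9093/api/v1/silences with no credentials.
services:
  alertmanager:
    image: prom/alertmanager
    ports:
      - 9093:9093
    networks:
      - functions
---
# After: no "ports:" stanza. Alertmanager stays reachable by Prometheus and the
# gateway on the overlay network as alertmanager:9093, but not from outside.
services:
  alertmanager:
    image: prom/alertmanager
    networks:
      - functions
```

This removes the unauthenticated Alertmanager surface from the host but leaves Prometheus on 9090 untouched, which is why it is only a partial mitigation; the UI and silence API are still usable from inside the network, and an operator who needs them from outside still wants the authenticated proxy.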

@alexellis
Member

Can you add a footnote to the Nginx guide for the Prometheus proxy support? Good thinking about this.

@alexellis alexellis moved this from In review to Define in #TeamServerless Nov 8, 2017
@johnmccabe
Contributor Author

Derek assign: johnmccabe

@alexellis
Member

Derek assign: me

@derek derek bot assigned alexellis Dec 3, 2017
@alexellis
Member

Derek add label: priority/middle

@derek derek bot added the priority/middle label Dec 3, 2017
@alexellis
Member

Derek close

@derek derek bot closed this as completed Aug 7, 2018