Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2020/10/06 17:33:49 UTC

[GitHub] [apisix] poidl opened a new issue #2362: prometheus plugin publicly exposes metrics, even if not enabled

poidl opened a new issue #2362:
URL: https://github.com/apache/apisix/issues/2362


   
   I'm a beginner and want to return a 404 for a request to http://mydomain.example/apisix/prometheus/metrics. 
   
   In addition to the issues (linked below) about exposing metrics publicly, which I find problematic too, they are even exposed if the Prometheus plugin is not enabled (I mean "enabled" by following https://github.com/apache/apisix/blob/master/doc/plugins/prometheus.md).
   
   To get a 404, I have to open `config.yaml` and uncomment the `- prometheus` plugin entry, even if I didn't enable anything.
   
   Instead I think it should be the default. In case there are reasons for this, could you provide a list of plugins that publicly expose paths?
   
   When I query `/apisix/admin/routes`, I don't see `/apisix/prometheus/metrics`, even though the route exists. How can I find these routes? I'm concerned there are more exposed routes I'm not aware of.
   
   Related:
   
   https://github.com/apache/apisix/issues/1509
   https://github.com/apache/apisix/issues/2296
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
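The question above (which gateway-internal paths answer on the public listener, and whether `/apisix/prometheus/metrics` returns 404 once the plugin line is uncommented) is something you can check directly. The following is an added example, not code from the issue or from the APISIX project: a small probe that requests a list of internal paths on a data-plane address and classifies each answer. The path list, the `apisix_` metric-name heuristic, the `http://gw.example` base, the assumed default listen port 9080 and the canned "before"/"after" responses are all assumptions or constructed data, not captured from a real gateway.

```python
"""Exposure check for gateway-internal paths on an Apache APISIX data-plane listener.

Added example, not APISIX project code. The path list is taken from the issue
thread; extend it for your own deployment.
"""
import sys
import urllib.error
import urllib.request

# Paths mentioned in the thread. Whether each should answer 404, 401/403 or
# 200 on the public listener is a deployment decision; the check only reports.
INTERNAL_PATHS = (
    "/apisix/prometheus/metrics",
    "/apisix/admin/routes",
)


def http_fetch(url, timeout=5):
    """Fetch a URL and return (status, first 256 bytes); never raises for HTTP errors."""
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(256)
    except urllib.error.HTTPError as err:
        return err.code, err.read(256)
    except urllib.error.URLError:
        return None, b""  # connection refused, DNS failure, timeout


def classify(status, body):
    """Map a response to: unreachable, closed, protected, exposed-metrics, exposed or unexpected-<code>."""
    if status is None:
        return "unreachable"
    if status == 404:
        return "closed"
    if status in (401, 403):
        return "protected"
    if status == 200:
        # Prometheus text exposition starts with '# HELP' / '# TYPE' lines; the
        # 'apisix_' prefix is an assumption about the gateway's metric names.
        if body.startswith(b"# HELP") or b"apisix_" in body:
            return "exposed-metrics"
        return "exposed"
    return "unexpected-%d" % status


def check_exposure(base_url, paths=INTERNAL_PATHS, fetch=http_fetch):
    """Probe every path under base_url; fetch is injectable so the check runs offline in tests."""
    base = base_url.rstrip("/")
    return {path: classify(*fetch(base + path)) for path in paths}


def exposed_paths(results):
    """Paths that answered 200 on the probed listener, sorted for stable output."""
    return sorted(p for p, verdict in results.items() if verdict.startswith("exposed"))


# Constructed responses reproducing the two states described in the issue:
# metrics served on the business port before the plugin line is uncommented,
# and a 404 afterwards. The admin API body is a placeholder, not APISIX's real message.
CONSTRUCTED = {
    "before": {
        "/apisix/prometheus/metrics": (200, b"# HELP apisix_http_status HTTP status codes per service\n"),
        "/apisix/admin/routes": (401, b'{"error_msg":"placeholder"}'),
    },
    "after": {
        "/apisix/prometheus/metrics": (404, b"<html>404 Not Found</html>"),
        "/apisix/admin/routes": (401, b'{"error_msg":"placeholder"}'),
    },
}


def demo(state):
    """Run the check against the constructed responses for 'before' or 'after'."""
    table = CONSTRUCTED[state]

    def fake_fetch(url, timeout=5):
        path = url[len("http://gw.example"):]
        return table.get(path, (404, b""))

    return check_exposure("http://gw.example", fetch=fake_fetch)


if __name__ == "__main__":
    # Live run: python3 exposure_check.py http://gateway.example:9080
    # (9080 is assumed here as the default APISIX HTTP listen port).
    base = sys.argv[1] if len(sys.argv) > 1 else None
    results = demo("before") if base is None else check_exposure(base)
    for path, verdict in results.items():
        print("%-18s %s" % (verdict, path))
    sys.exit(1 if exposed_paths(results) else 0)
```

Run it against the public address of the gateway, not localhost, since the point of the issue is what an outside client sees; a non-zero exit means at least one internal path answered 200. The `exposed-metrics` verdict matters more than a plain `exposed`, because a scrapeable metrics page tells an attacker route names, upstream status codes and traffic volumes before any authentication.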



[GitHub] [apisix] moonming commented on issue #2362: prometheus plugin publicly exposes metrics, even if not enabled

Posted by GitBox <gi...@apache.org>.
moonming commented on issue #2362:
URL: https://github.com/apache/apisix/issues/2362#issuecomment-718666552


   ping @membphis 





[GitHub] [apisix] poidl commented on issue #2362: prometheus plugin publicly exposes metrics, even if not enabled

Posted by GitBox <gi...@apache.org>.
poidl commented on issue #2362:
URL: https://github.com/apache/apisix/issues/2362#issuecomment-717157968


   I see, thanks! 
   
   I lack the technical background to participate in a full discussion. The important thing for me is that APISIX exposes a route only if I explicitly tell it to do so.
   
   What about serving the metrics at 9101 (or some other port), and if you want to expose it on 80/443, just define 9101 as the upstream and define a route `/apisix/prometheus/metrics` as usual? Would this defeat the purpose of a metrics tool, in the sense that it should even be accessible if apisix cannot or does not serve routes as usual for some reason? For example, would there be a requirement for metrics logging *before* any route has been defined?
   
   In that case the only solution I could think of is deploying a separate reverse proxy that exposes 9101 on 80/443, independent of apisix. 





[GitHub] [apisix] Miss-you commented on issue #2362: prometheus plugin publicly exposes metrics, even if not enabled

Posted by GitBox <gi...@apache.org>.
Miss-you commented on issue #2362:
URL: https://github.com/apache/apisix/issues/2362#issuecomment-712728248


   Hi, thanks for the advice.
   Prometheus metrics usually use another port to expose the service instead of a business port; for example, the controller, scheduler, ingress, etc. each use a new non-business port to expose the service.
   
   Currently, Apache APISIX uses the 80/443 port to expose the metrics service, which is unreasonable and may pose an information leakage risk, but I suggest merging it into the Apache APISIX project as a feature after a full discussion of the technical solution.
   
   Translated with www.DeepL.com/Translator (free version)





[GitHub] [apisix] membphis commented on issue #2362: prometheus plugin publicly exposes metrics, even if not enabled

Posted by GitBox <gi...@apache.org>.
membphis commented on issue #2362:
URL: https://github.com/apache/apisix/issues/2362#issuecomment-704674396


   @poidl Thank you very much for your reminder, I think we need to solve this issue in version `2.0` .





[GitHub] [apisix] Miss-you edited a comment on issue #2362: prometheus plugin publicly exposes metrics, even if not enabled

Posted by GitBox <gi...@apache.org>.
Miss-you edited a comment on issue #2362:
URL: https://github.com/apache/apisix/issues/2362#issuecomment-712728248


   Hi, thanks for the advice.
   The Prometheus metrics usually use another port to expose the service instead of a business port, such as controller, scheduler, ingress, etc., which is a new non-business port to expose the service.
   
   Currently, Apache APISIX uses the 80/443 port to expose the metrics service, which is unreasonable and may have information leakage risk, but I suggest to merge it into the Apache APISIX project as a feature after full discussion of the technical solution.
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org