Open Aleson95 opened 2 years ago
Are there any news about this topic?
This is not a direct answer to your query.
However, you can always disable access to the metrics' location.
For example on nginx you could do inside the server block:

```nginx
# Do not expose Keycloak metrics.
location ~* /auth/realms/.+/metrics {
    return 404;
}
```
The Nginx config is a last-resort fix and good as 'belts and braces' for public deployments.
That said, exposing the metrics on the management port would be preferred; this is port tcp/9000 by default.
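The two approaches from the comments above combined, as an added example that is not from this thread or from the Keycloak project: the public virtual host hides the per-realm metrics path, and a separate internal-only virtual host proxies the management port for the scraper. Assumed here: this fragment sits inside nginx's `http` block, Keycloak serves its public HTTP on 127.0.0.1:8080 and its management interface on 127.0.0.1:9000, the scraper lives in 10.0.0.0/8, and the listen address and hostnames are placeholders.

```nginx
# Added example, not from the thread. Placeholders: sso.example.invalid,
# metrics.internal.invalid, the 10.0.0.5 listen address and the 10.0.0.0/8 range.
upstream keycloak_public { server 127.0.0.1:8080; }   # assumed Keycloak HTTP port
upstream keycloak_mgmt   { server 127.0.0.1:9000; }   # management port from the comment above

# Public virtual host: everything is proxied except the metrics path.
server {
    listen 443 ssl;
    server_name sso.example.invalid;
    # ssl_certificate / ssl_certificate_key omitted for brevity

    # Belt-and-braces: hide metrics even if Keycloak also serves them here.
    # The pattern is unanchored, so it also catches
    # /auth/realms/master/metrics/anything; ~* makes it case-insensitive.
    location ~* /auth/realms/.+/metrics {
        return 404;
    }

    location / {
        proxy_pass http://keycloak_public;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Internal-only virtual host for the metrics scraper: bound to a private
# address and IP-restricted, so the management port never faces the Internet.
server {
    listen 10.0.0.5:9100;
    server_name metrics.internal.invalid;

    allow 10.0.0.0/8;
    deny  all;

    location = /metrics {
        proxy_pass http://keycloak_mgmt/metrics;
    }
}
```

After reloading nginx, a request for `/auth/realms/master/metrics` on the public host should return 404 while the scraper still gets 200 from the internal host.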
Is it possible to expose the metrics endpoint on a different port? Like Spring Boot Actuator, where we can set properties to change the management port and disable the security? I see in the code of the MetricsEndpoint class that we can set the environment variable DISABLE_EXTERNAL_ACCESS to disable access coming from the OpenShift HAProxy. I'm still checking and confirming whether this way may work in my current architecture and infrastructure, just hoping to see if we can generalize ways to secure the metrics endpoint.