aerogear / keycloak-metrics-spi

Adds a Metrics Endpoint to Keycloak
Apache License 2.0
549 stars, 156 forks

Disabling metric endpoint for public access does not work #156

Open JaniszM opened 1 year ago

JaniszM commented 1 year ago

Description

As described in the README, I was expecting to be able to disable public access to the metrics endpoint. This is not possible by setting the env DISABLE_EXTERNAL_ACCESS to True, since it also requires the header X-Forwarded-Host to be set in the request. As a result, the endpoint is still public because I cannot control the request.

The code from MetricsEndpoint.java:

    // Requires the JAX-RS types HttpHeaders, Context, Response, Response.Status and
    // StreamingOutput (javax.ws.rs.* or jakarta.ws.rs.*, depending on the Keycloak version).
    public Response get(@Context HttpHeaders headers) {
        if (DISABLE_EXTERNAL_ACCESS) {
            // Only requests that carry an X-Forwarded-Host header are rejected;
            // a request without that header falls through to the export below.
            if (!headers.getRequestHeader("x-forwarded-host").isEmpty()) {
                // Request is being forwarded by HA Proxy on Openshift
                return Response.status(Status.FORBIDDEN).build(); //(stream).build();
            }
        }

        // Reached for every request that was not rejected above.
        final StreamingOutput stream = output -> PrometheusExporter.instance().export(output);
        return Response.ok(stream).build();
    }

Expected Behavior

Setting the var DISABLE_EXTERNAL_ACCESS to True should totally disable the metrics endpoint. However, at the same time, if X-Forwarded-Host is set and is valid, it should be accessible to the cluster only.

Actual Behavior

The endpoint is still public.

Steps to reproduce

See Description.

May be related to https://github.com/aerogear/keycloak-metrics-spi/issues/119

Cheers!
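The check quoted above only ever rejects a request that carries an X-Forwarded-Host header; a request without that header is served, and the header is chosen by whoever sends the request. The following is an added illustration (not code from keycloak-metrics-spi) that models the quoted gate as `gate_header_based` and, beside it, a hypothetical deny-by-default variant `gate_deny_by_default` that ignores request headers and admits a request only when its peer address lies in an operator-configured internal range. `Request`, the CIDR list and the sample addresses are constructed for the example.

```python
"""Model of the DISABLE_EXTERNAL_ACCESS gate from the issue, beside a
deny-by-default variant.  Added illustration, not the project's own code."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Request:
    """Constructed stand-in for an incoming HTTP request."""
    peer_ip: str                                  # address the connection arrived from
    headers: dict = field(default_factory=dict)   # request headers as sent by the client

    def header(self, name):
        # HTTP header names are case-insensitive, as with JAX-RS getRequestHeader().
        return [v for k, v in self.headers.items() if k.lower() == name.lower()]


def gate_header_based(req, disable_external_access):
    """The logic quoted from MetricsEndpoint.get(): when external access is
    disabled, reject only if an X-Forwarded-Host header is present.
    Returns the HTTP status the request would receive."""
    if disable_external_access and req.header("x-forwarded-host"):
        return 403          # header present: treated as "came through the external router"
    return 200              # no header: served, whoever sent it


def gate_deny_by_default(req, disable_external_access, internal_cidrs):
    """Hypothetical hardened variant (an assumption of this example, not the
    project's code).  When external access is disabled, fail closed: admit the
    request only if its peer address is inside one of the configured internal
    ranges.  Request headers are never consulted, because the client sets them."""
    if not disable_external_access:
        return 200
    try:
        peer = ipaddress.ip_address(req.peer_ip)
    except ValueError:
        return 403          # unparseable peer address: deny
    allowed = [ipaddress.ip_network(c, strict=False) for c in internal_cidrs]
    return 200 if any(peer in net for net in allowed) else 403


# Constructed sample traffic.  203.0.113.0/24 is a documentation range used
# here to stand for "the Internet"; 10.0.0.0/8 stands for the cluster network.
INTERNAL = ["10.0.0.0/8"]
DIRECT_FROM_INTERNET = Request("203.0.113.7")                                  # no headers at all
THROUGH_ROUTER = Request("10.0.0.5", {"X-Forwarded-Host": "keycloak.example.com"})
IN_CLUSTER_SCRAPER = Request("10.42.3.9")


def summarize(disable_external_access=True):
    """Return {name: (header_based_status, deny_by_default_status)} for the samples."""
    samples = {
        "direct_from_internet": DIRECT_FROM_INTERNET,
        "through_router": THROUGH_ROUTER,
        "in_cluster_scraper": IN_CLUSTER_SCRAPER,
    }
    return {
        name: (gate_header_based(r, disable_external_access),
               gate_deny_by_default(r, disable_external_access, INTERNAL))
        for name, r in samples.items()
    }


if __name__ == "__main__":
    for name, (old, new) in summarize().items():
        print(f"{name:22s} header-based={old}  deny-by-default={new}")
```

The first row of the summary is the issue: with DISABLE_EXTERNAL_ACCESS on, a direct request that simply omits the header gets 200 from the header-based gate, while the deny-by-default variant returns 403. The caveat for the hardened variant is that it relies on the peer address: if the endpoint sits behind a proxy or ingress, the peer is the proxy and every forwarded request would appear internal, which is why restricting the path at the ingress itself (the workaround mentioned later in this thread) remains the practical control.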

kop-hmf commented 1 year ago

Hi @JaniszM, we faced the same issue, as you mentioned above.

Did you find a way to handle the problem and avoid public access to all metrics if no load balancer, etc. is used? BR Kim

JaniszM commented 1 year ago

Hi @kop-hmf.

Not really, just a workaround. My Keycloak was deployed to a K8s cluster (EKS), so I used ingress controllers to handle access at a higher level.

anacelto commented 3 weeks ago

We are also facing this issue. It would be nice to have a way to disable this endpoint.