grafana / grafana-image-renderer

A Grafana backend plugin that handles rendering of panels & dashboards to PNGs using headless browser (Chromium/Chrome)
Apache License 2.0
379 stars 153 forks

Support blocking certain requests #176

Open milesbxf opened 4 years ago

milesbxf commented 4 years ago

What happened:

We have grafana-image-renderer deployed as a remote renderer service with egress controls so that it cannot talk to anything on the internet. When we send a render request, grafana-image-renderer makes a request to Grafana. It then makes a series of HTTP requests to fetch metrics. One of these HTTP requests is to www.google-analytics.com (expected since we have Google Analytics enabled in Grafana), but times out due to the egress controls. This causes the whole render request to fail.

I'd expect this to also be an issue with slow dashboards (e.g. #169).

What you expected to happen:

Given the security implications of running a headless browser that can make arbitrary requests, we'd really like to avoid allowing public egress for grafana-image-renderer in our environment - especially if it's just for Google Analytics which we don't need to render a dashboard.

I'm open to ideas for the best way to work around this, and happy to work on the fix - I just wanted to get a consensus on the best approach first. Some thoughts:

Environment:

marefr commented 4 years ago

Hard to decide how to categorize this. The description is obviously a bug report, but at the same time the use case of blocked internet access is not a requirement we took into consideration when implementing this, which is why I categorize this as a feature request.

Could we add configuration to filter out requests to external URLs? Is this even possible with Puppeteer?

Yes, you can intercept requests, see https://github.com/puppeteer/puppeteer/blob/main/docs/api.md#pagesetrequestinterceptionvalue. To accept proposed changes for this it should be an opt-in setting that doesn't apply if you don't have any request filtering enabled.
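
The request interception discussed in this thread, sketched as an opt-in host allowlist. This is an added example, not code from the issue or from grafana-image-renderer; `isAllowed`, `makeRequestFilter`, `enableFiltering`, `allowedHosts` and the `grafana.internal` host are assumptions made for illustration.

```javascript
// Added example: opt-in host allowlist for a Puppeteer-rendered page.
// All names below (isAllowed, makeRequestFilter, enableFiltering, allowedHosts)
// are hypothetical; they are not grafana-image-renderer settings.

// Returns true when rawUrl may be fetched. An empty allowlist means
// filtering is off, so behaviour is unchanged unless the operator opts in.
function isAllowed(rawUrl, allowedHosts) {
  if (allowedHosts.length === 0) return true;
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false; // unparseable URL: fail closed
  }
  // data: and blob: URLs are resolved in-process and cause no egress.
  if (url.protocol === 'data:' || url.protocol === 'blob:') return true;
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  // Compare the parsed hostname exactly, never a substring of the raw URL,
  // so userinfo ("allowed@other") and suffix ("allowed.other") forms do not match.
  const host = url.hostname.toLowerCase();
  return allowedHosts.some((h) => h.toLowerCase() === host);
}

// Builds the 'request' event handler: continue allowed requests, abort the
// rest immediately so a blocked host cannot stall the render until timeout.
function makeRequestFilter(allowedHosts, log = () => {}) {
  return (request) => {
    const url = request.url();
    if (isAllowed(url, allowedHosts)) return request.continue();
    log(`blocked request to ${url}`);
    return request.abort('blockedbyclient');
  };
}

// Wires the filter into a Puppeteer Page; does nothing without an allowlist.
async function enableFiltering(page, allowedHosts) {
  if (allowedHosts.length === 0) return;
  await page.setRequestInterception(true);
  page.on('request', makeRequestFilter(allowedHosts, console.warn));
}
```

The filter complements network-level egress controls rather than replacing them: blocked requests fail fast in the browser instead of waiting for a timeout.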