Open woodsaj opened 8 years ago
Comment by Dieterbe Thursday Jul 30, 2015 at 08:37 GMT
I wonder what is the best way to go about this. Maybe a grafana config option for some blacklisted IPs/hostnames that aren't allowed? Because obviously in some other grafana setups, it's very common to query localhost, if graphite/influx runs on the same machine.
Or can this be elegantly solved by something like iptables or cgroups?
Comment by woodsaj Thursday Jul 30, 2015 at 10:22 GMT
My vote is to solve this with whitelist/blacklist configuration options.
Some users will want to allow everything but a host/network. Others will want to allow only specified network/host.
Something like: if in whitelist then allow, if in blacklist then deny, otherwise allow.
We could then set a blacklist to 127.0.0.0/8,10.0.0.0/8
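The rule proposed in the comment above (a whitelist match allows, a blacklist match denies, anything else is allowed), sketched in Go as an added example that is not part of the thread or Grafana's code. `Policy`, `ParseList` and `Allowed` are hypothetical names, and the sketch assumes the proxy passes in the addresses the data source host resolved to.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Policy: a whitelist match allows, a blacklist match denies, otherwise allow.
type Policy struct{ Allow, Deny []netip.Prefix }

// ParseList parses a comma-separated CIDR list (hypothetical config value).
func ParseList(csv string) (out []netip.Prefix, err error) {
	for _, s := range strings.FieldsFunc(csv, func(r rune) bool { return r == ',' || r == ' ' }) {
		pfx, perr := netip.ParsePrefix(s)
		if perr != nil {
			return nil, fmt.Errorf("bad CIDR %q: %w", s, perr)
		}
		out = append(out, pfx)
	}
	return out, nil
}

func in(list []netip.Prefix, a netip.Addr) bool {
	for _, pfx := range list {
		if pfx.Contains(a) {
			return true
		}
	}
	return false
}

// Allowed checks every address the host resolved to, not the host name itself.
func (p Policy) Allowed(resolved ...string) bool {
	for _, s := range resolved {
		a, err := netip.ParseAddr(s)
		a = a.Unmap() // ::ffff:127.0.0.1 must be matched as 127.0.0.1
		if err != nil || (!in(p.Allow, a) && in(p.Deny, a)) {
			return false // fail closed on unparseable input or a blacklist hit
		}
	}
	return len(resolved) > 0 // a host with no addresses is not proxied
}

func main() {
	deny, err := ParseList("127.0.0.0/8,10.0.0.0/8")
	fmt.Println(Policy{Deny: deny}.Allowed("::ffff:127.0.0.1"), err)
}
```

The check is only meaningful if the proxy then connects to the same addresses it checked, rather than resolving the host name a second time.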
Comment by torkelo Monday Aug 31, 2015 at 12:23 GMT
Opened an issue in grafana for this: https://github.com/grafana/grafana/issues/2626
Comment by woodsaj Tuesday Sep 15, 2015 at 13:56 GMT
As noted in https://github.com/raintank/ops/issues/126, we also need to apply the access control in the endpoint discovery service.
Issue by ctdk Thursday Jul 30, 2015 at 06:45 GMT Originally opened as https://github.com/raintank/grafana/issues/381
Per #249 (and especially @torkelo's comment at https://github.com/raintank/grafana/issues/249#issuecomment-114995014), people can set up a proxy data source and hit internal IP addresses. This is a separate issue from the /debug/vars URL being exposed, so I'm making a new issue for this.