travisghansen / external-auth-server

easy auth for reverse proxies
MIT License

/metrics end point still available to access after set disabled #175

Closed kashidsh1 closed 1 year ago

kashidsh1 commented 1 year ago

Hi there. Because of security reasons, we have been asked to secure the /metrics endpoint. There is a Ping endpoint also open, but as it is not displaying much sensitive information, the vulnerability of this endpoint is at low risk; the /metrics endpoint vulnerability is at high risk.

To turn off the /metrics endpoint, we have tried setting monitoring to false as below:

monitoring:
  enabled: false
  serviceMonitor:
    enabled: false

This didn't help, so we set the exporter to false, which again did not help.

redis-ha:
  enabled: true
  auth: false
  redisPassword:
  exporter:
    enabled: false
  hardAntiAffinity: false

We don't know now how we can turn off access to the /metrics endpoint. Can somebody help us with this? It's compromising our security and we can't go for live installation without solving this issue.

Thank you so much for your help.

travisghansen commented 1 year ago

Welcome! Looking at the code it appears a code change is required to make it optional. I can work on that and get an update pushed.

kashidsh1 commented 1 year ago

Wow, really appreciate your response... many thanks

mstenz commented 1 year ago

> Welcome! Looking at the code it appears a code change is required to make it optional. I can work on that and get an update pushed.

Thank you @travisghansen. Our Security Department requested a date when this will be fixed in our installation. Do you have a clue when you will probably have some time to do this code change?

I have tried to search the code to find where this is sitting but was unsuccessful in even finding the code part that is relevant to this.

travisghansen commented 1 year ago

This needs to be wrapped in an env var: https://github.com/travisghansen/external-auth-server/blob/master/src/server.js#L47

I’ll look at it real quick and try to snap a release.

travisghansen commented 1 year ago

Fixed in https://github.com/travisghansen/external-auth-server/commit/6d954319ead7ca28b6167bec159897a62cddde60 and images are building. You can wait for v0.13.1 to finish building and deploy with EAS_DISABLE_METRICS=1 and the /metrics endpoint will no longer be available.

kashidsh1 commented 1 year ago

Thank you so much @travisghansen. I will upgrade the service and will respond to you. Many thanks

kashidsh1 commented 1 year ago

It sounds like the pipeline didn't proceed. I am also not able to see the variable in values.yaml for EAS_DISABLE_METRICS=1

travisghansen commented 1 year ago

Yeah, not sure why github keeps failing the build, it's got some kind of connectivity issue to npm it appears :( I keep trying but it keeps failing.

Regarding setting the environment variable just use this: https://github.com/travisghansen/external-auth-server/blob/master/charts/external-auth-server/values.yaml#L91-L95

kashidsh1 commented 1 year ago

Thank you so much @travisghansen, it worked for me. The /metrics endpoint is now throwing the error: Cannot GET /metrics

This helped a lot to move one step ahead to comply with Security compliances. Thank you so much again for your quick turnaround.