Prevent PROXY protocol clients from accessing metrics endpoint. #2307

Merged
sysvinit merged 2 commits into develop from sysvinit/nginz-vts-access-control
Apr 26, 2022

Conversation

sysvinit (Contributor) commented Apr 22, 2022

Due to an access control quirk, clients connecting to nginz over a listener which has proxy protocol enabled may be able to bypass the IP address access control list and access the /vts metrics endpoint, which is otherwise considered internal. This change prevents clients connected via proxy protocol from accessing the metrics endpoint.

Checklist

  • The PR Title explains the impact of the change.
  • The PR description provides context as to why the change should occur and what the code contributes to that effect. This could also be a link to a JIRA ticket or a Github issue, if there is one.
  • If this PR changes development workflow or dependencies, they have been A) automated and B) documented under docs/developer/. All efforts have been taken to minimize development setup breakage or slowdown for co-workers.
  • If HTTP endpoint paths have been added or renamed, the endpoint / config-flag checklist (see Wire-employee only backend wiki page) has been followed.
  • If a cassandra schema migration has been added, I ran make git-add-cassandra-schema to update the cassandra schema documentation.
  • changelog.d contains the following bits of information (details):
    • A file with the changelog entry in one or more suitable sub-sections. The sub-sections are marked by directories inside changelog.d.
    • If new config options introduced: added usage description under docs/reference/config-options.md
    • If new config options introduced: recommended measures to be taken by on-premise instance operators.
    • If a cassandra schema migration is backwards incompatible (see also these docs), measures to be taken by on-premise instance operators are explained.
    • If a data migration (not schema migration) introduced: measures to be taken by on-premise instance operators.
    • If public end-points have been changed or added: does nginz need an upgrade?
    • If internal end-points have been added or changed: which services have to be deployed in a specific order?

sysvinit temporarily deployed to cachix April 22, 2022 08:17
sysvinit temporarily deployed to cachix April 22, 2022 08:22
sysvinit merged commit e6a4d84 into develop Apr 26, 2022
sysvinit deleted the sysvinit/nginz-vts-access-control branch April 26, 2022 07:33
jschaul (Member) commented Apr 26, 2022

This fails, that variable does not exist:

2022/04/26 16:00:22 [emerg] 8#0: unknown "proxy_protocol_address" variable
nginx: [emerg] unknown "proxy_protocol_address" variable

CI was also red here; the PR should not get merged unless overall-ci is green.
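The description at the top of this PR and the failure in the comment above come down to one mechanism, worked through here in an added Python model that is not code from wire-server or nginz. The PROXY protocol header is chosen entirely by whoever opens the TCP connection, so an allow-list that is evaluated against the client address after that header has been applied (the nginx `real_ip_header proxy_protocol` pattern; the PR does not show nginz's actual configuration, so treating that as the "quirk" is an assumption) accepts any connection whose PROXY line claims an internal source. The model parses a PROXY v1 header, evaluates an assumed 10.0.0.0/8 allow-list against a spoofed, a direct-internal and a direct-external connection, and contrasts that with the rule the PR describes: refuse /vts to every connection that came in over a proxy-protocol listener. In nginx the PROXY-supplied address is exposed as `$proxy_protocol_addr` (ngx_http_core_module), which is empty on connections that did not arrive over a `listen ... proxy_protocol` socket; the `[emerg] unknown "proxy_protocol_address" variable` message is what nginx prints at config load for any variable name it does not define, so the check has to use the documented name. All addresses, networks and request bytes below are constructed for the example.

```python
"""Added example, not wire-server/nginz code: models an IP allow-list on /vts
being bypassed by a client on a PROXY-protocol listener, and the effect of the
rule this PR describes (deny /vts to every proxy-protocol connection)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed allow-list for the metrics endpoint (constructed for this example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("127.0.0.0/8")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_proxy_v1(data: bytes):
    """Parse a PROXY protocol v1 header ("PROXY TCP4 src dst sport dport\\r\\n").

    Returns (src_ip, dst_ip, src_port, dst_port, remainder), or None when the
    data does not start with a PROXY line.  Raises ValueError on a malformed
    header.  Every field is chosen by the sender, so nothing here is trusted
    beyond being syntactically valid.
    """
    if not data.startswith(b"PROXY "):
        return None
    end = data.find(b"\r\n")
    if end < 0 or end + 2 > 107:            # v1 header is at most 107 bytes with CRLF
        raise ValueError("malformed PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("unsupported PROXY v1 header: %r" % data[:end])
    _, proto, src, dst, sport, dport = fields
    family = 4 if proto == "TCP4" else 6
    if (ipaddress.ip_address(src).version != family
            or ipaddress.ip_address(dst).version != family):
        raise ValueError("address family does not match %s" % proto)
    return src, dst, int(sport), int(dport), data[end + 2:]


@dataclass
class Connection:
    peer_ip: str               # real TCP peer (nginx: $realip_remote_addr)
    proxy_addr: Optional[str]  # source from the PROXY header, None if no header
    payload: bytes             # bytes after the header, i.e. the HTTP request


def accept(peer_ip: str, raw: bytes, proxy_protocol_listener: bool) -> Connection:
    """Simulate accepting a connection on a listener with or without
    `listen ... proxy_protocol`: only the PROXY-enabled listener reads a header."""
    if proxy_protocol_listener:
        parsed = parse_proxy_v1(raw)
        if parsed is None:
            raise ValueError("PROXY header required on this listener")
        src, _dst, _sport, _dport, rest = parsed
        return Connection(peer_ip, src, rest)
    return Connection(peer_ip, None, raw)


def vts_allowed_before(conn: Connection) -> bool:
    """Assumed pre-fix behaviour: the allow-list is evaluated against the client
    address after PROXY substitution, i.e. against whatever the sender claimed."""
    effective = conn.proxy_addr if conn.proxy_addr is not None else conn.peer_ip
    return is_internal(effective)


def vts_allowed_after(conn: Connection) -> bool:
    """Rule the PR describes: a connection that arrived over PROXY protocol never
    reaches /vts, and the allow-list only applies to direct peers.  In nginx the
    equivalent test inside the /vts location is on $proxy_protocol_addr, which
    is empty unless the connection came in with a PROXY header."""
    if conn.proxy_addr is not None:
        return False
    return is_internal(conn.peer_ip)


# Constructed traffic.  The first client is external but, because it is talking
# to a proxy-protocol listener, it chooses its own "source" address.
SPOOFED = accept("203.0.113.7",
                 b"PROXY TCP4 10.0.0.5 10.0.0.1 40000 443\r\nGET /vts HTTP/1.1\r\n\r\n",
                 proxy_protocol_listener=True)
DIRECT_INTERNAL = accept("10.0.0.9", b"GET /vts HTTP/1.1\r\n\r\n",
                         proxy_protocol_listener=False)
DIRECT_EXTERNAL = accept("203.0.113.7", b"GET /vts HTTP/1.1\r\n\r\n",
                         proxy_protocol_listener=False)

if __name__ == "__main__":
    for name, conn in (("spoofed via PROXY", SPOOFED),
                       ("direct internal", DIRECT_INTERNAL),
                       ("direct external", DIRECT_EXTERNAL)):
        print(f"{name:18} before fix: {vts_allowed_before(conn)!s:5}  "
              f"after fix: {vts_allowed_after(conn)}")
```

Run it directly to print the before/after decision for each connection. The point the model makes is that the fix does not try to tell a trustworthy PROXY sender from a spoofing one; it removes the metrics endpoint from every proxy-protocol listener, which is the robust choice unless the set of peers whose PROXY headers are honoured (`set_real_ip_from` in nginx) is itself tightly restricted and those peers are trusted never to forward /vts.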
