/metrics is accessible open wide #343

reynico · 2022-02-21T13:31:53Z

Hi!

The /metrics endpoint is accessible open wide to the Internet with the default configuration:

server_url: https://tailscale.dev:8080

# Address to listen to / bind to on the server
#
listen_addr: 0.0.0.0:8080

Note that listen_addr should be listening on 0.0.0.0 so the clients can authenticate to the server, but I think /metrics should be available only for the local network, either by listening on a different port or by a blocking rule.

Bonus points to make /metrics a toggleable endpoint!

The text was updated successfully, but these errors were encountered:

kradalby · 2022-02-21T14:40:49Z

Hi, we would happily take a PR with a flag to make it localhost / a specific network only.

Turning off metrics would be an anti-pattern, so we will refrain for adding that.

Otherwise, this ticket will be put on the backlog.

For people arriving at this issue, one alternative is to lock it down with Nginx or another reverse proxy.

reynico · 2022-02-21T15:53:58Z

Hi @kradalby, PR is ready for review.

reynico added the bug Something isn't working label Feb 21, 2022

reynico mentioned this issue Feb 21, 2022

Make /metrics listen on a different address #344

Merged

6 tasks

kradalby closed this as completed Mar 2, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

/metrics is accessible open wide #343

/metrics is accessible open wide #343

reynico commented Feb 21, 2022

kradalby commented Feb 21, 2022

reynico commented Feb 21, 2022

/metrics is accessible open wide #343

/metrics is accessible open wide #343

Comments

reynico commented Feb 21, 2022

kradalby commented Feb 21, 2022

reynico commented Feb 21, 2022