Prevent PROXY protocol clients from accessing metrics endpoint. (#2307)
* Prevent PROXY protocol clients from accessing metrics endpoint.

* Update changelog for nginz configuration change.
sysvinit authored Apr 26, 2022
1 parent 031d7a6 commit e6a4d84
Showing 2 changed files with 15 additions and 0 deletions.
3 changes: 3 additions & 0 deletions changelog.d/3-bug-fixes/nginz-access-control
@@ -0,0 +1,3 @@
Modify the nginz access control configuration to prevent clients connecting
to listeners with PROXY protocol enabled (such as the websocket listener) from
accessing a private metrics endpoint.
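Review bot: The entry states what was changed but not the user-visible effect; consider adding that requests arriving over a PROXY-protocol listener now receive HTTP 403, so anyone scraping metrics through such a listener knows why it stopped working. Naming the endpoint as the vts metrics location, as the nginx.conf comment does, would also be clearer than "a private metrics endpoint".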
12 changes: 12 additions & 0 deletions charts/nginz/templates/conf/_nginx.conf.tpl
Expand Up @@ -203,6 +203,18 @@ http {
allow 127.0.0.1;
deny all;
# Requests with an X-Forwarded-For header will have the real client
# source IP address set correctly, due to the real_ip_header directive
# in the top-level configuration. However, this will not set the client
# IP correctly for clients which are connected via a load balancer which
# uses the PROXY protocol.
#
# Hence, for safety, we deny access to the vts metrics endpoints to
# clients which are connected via PROXY protocol.
if ($proxy_protocol_address != "") {
return 403;
}

vhost_traffic_status_display;
vhost_traffic_status_display_format html;
}
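Review bot: The `if ($proxy_protocol_address != "")` block is evaluated in the rewrite phase, before the access-phase `allow 127.0.0.1; deny all;` pair, so a PROXY-protocol connection is rejected with 403 even when the address carried in the PROXY header is 127.0.0.1; that is the safe behaviour, but the comment should say so explicitly, since a reader may expect the loopback allow to still apply. It is also worth stating in the comment that `$proxy_protocol_address` is only populated on `listen` directives that have `proxy_protocol` enabled, so the check is a no-op on the other listeners and the existing allow/deny rules remain the only control there. `return` is one of the directives that is safe inside `if` in a location, so the construct itself is fine.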