Filter '/-/' path from externally visible nginx endpoints
Currently we protect the metrics and healthcheck endpoints via a special token that is required to access them. This token is burdensome to change and manage. It is not entirely safe, since that token can easily be leaked via tools not meant to hold secrets.
This MR introduces blocking of healthcheck and metric endpoints prefixed with '/-/' from hosts other than localhost, with the additional caveat that no X-Forwarded-For header may be present.
/cc: @pcarranza @bjk-gitlab @marin
Related to: gitlab-ce#29118
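For reference, here is an added example of the kind of nginx `location` block the description is talking about. It is not the diff from this MR (which was closed unmerged, see below) and not from the gitlab-recipes or Omnibus configs; it assumes the upstream is named `gitlab-workhorse` and that nginx is the first hop for client traffic, so any `X-Forwarded-For` header means the request came through some other proxy layer rather than directly from loopback.

```nginx
# Added example, not the MR's own change. Assumes the upstream name
# "gitlab-workhorse" and that nginx is the outermost proxy.
# The ^~ modifier is a prefix match anchored at the start of the URI,
# so only /-/health, /-/metrics, /-/readiness etc. are caught;
# a path such as /group/-/foo does not start with /-/ and is untouched.
location ^~ /-/ {
    # Any X-Forwarded-For means the request was proxied; a loopback
    # remote address alone is not enough evidence that it is local.
    # $http_x_forwarded_for is empty when the header is absent.
    if ($http_x_forwarded_for != "") {
        return 403;
    }

    # Only loopback clients may reach healthcheck and metrics.
    allow 127.0.0.1;
    allow ::1;
    deny  all;

    # Same proxying as the main location; the usual proxy_set_header
    # lines from the surrounding config are assumed to apply here too.
    proxy_pass http://gitlab-workhorse;
}
```

Two caveats when copying this into a real config: `allow`/`deny` act on `$remote_addr`, so if nginx sits behind a load balancer that is configured via the `real_ip` module to rewrite the client address, the loopback check no longer means what it appears to; and a front proxy that always sets `X-Forwarded-For` will turn every request to `/-/` into a 403, including a health check issued by that proxy, which is the point of the caveat in the MR description but worth verifying with a `curl -H 'X-Forwarded-For: 1.2.3.4' http://127.0.0.1/-/health` before rolling it out.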
Activity
added 1 commit
- b5e48a6b - Filter '/-/' path from externally visible nginx endpoints
@bjk-gitlab Agreed.
Outside of the scope of this MR, but I had some success integration testing nginx using https://metacpan.org/pod/Test::Nginx::Socket in the past.
It uses Perl, but there is very little Perl involved in the process of writing tests.
@twk3 I'm not sure myself; my plan was to block it on the outermost location and also add this blocking snippet to all the configuration examples we have in https://gitlab.com/gitlab-org/gitlab-recipes and the gitlab-ce repos.
Making it the responsibility of the eventual administrator who uses a custom config to also block this endpoint as he sees fit, similar to how we moved the HSTS setting out of the application into Omnibus nginx.
I think this way it could be more flexible for most users.
Right now these endpoints are protected using Rails code that requires each request to supply a secret. This is not optimal for a few reasons. However, this gives good protection OOTB.
Closed in Favor of: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/12612