mirror of https://github.com/Unleash/unleash.git synced 2024-12-22 19:07:54 +01:00

[docs]: Update Prometheus docs with security info (#2246)

## About the changes

Prometheus metrics should not be exposed to the public. Added a note about this to inform people that internal endpoints should be dropped on external access.

## Discussion points

https://unleash-community.slack.com/archives/CGP2MCHPF/p1666688295670459

## Commits

* [docs]: Update Prometheus docs with security info

* Apply suggestions from code review

Co-authored-by: Thomas Heartman <thomas@getunleash.ai>

* Add info about Prometheus security

Co-authored-by: Thomas Heartman <thomas@getunleash.ai>
This commit is contained in:
Pål-Magnus Slåtto 2022-10-28 11:58:26 +02:00 committed by GitHub
parent 0553976240
commit 3edca3efe8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -7,7 +7,9 @@ title: /internal-backstage/prometheus
`GET http://unleash.host.com/internal-backstage/prometheus`
Unleash uses prometheus internally to collect metrics. These are available on the given url if the `serverMetrics` option is enabled (default=true).
Unleash uses Prometheus internally to collect metrics. By default, the metrics are available at `/internal-backstage/prometheus`. You can disable this endpoint by setting the `serverMetrics` option to `false`.
Note that it's not recommended to expose Prometheus metrics to the public as of the [Prometheus pentest-report](https://prometheus.io/assets/downloads/2018-06-11--cure53_security_audit.pdf) issue PRM-01-002. Thus, if you want to keep metrics enabled, you should block all external access to `/internal-backstage/*` on the network layer to keep your instance secure.
[Read more about Prometheus](https://prometheus.io/)
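
Review bot: In the added "Note that it's not recommended to expose Prometheus metrics to the public" paragraph, the phrase "as of the Prometheus pentest-report issue PRM-01-002" reads like a date reference rather than a citation; "as described in issue PRM-01-002 of the Prometheus pentest report" would be clearer, and a one-clause summary of that finding would save readers from opening the PDF. The instruction to block `/internal-backstage/*` "on the network layer" is also left abstract: consider saying where that is usually enforced (for example a reverse proxy or ingress rule in front of Unleash), and make explicit that setting `serverMetrics` to `false` only removes the Prometheus endpoint while the recommendation covers the whole `/internal-backstage/*` prefix. Finally, the unchanged example `GET http://unleash.host.com/internal-backstage/prometheus` still shows the endpoint on what looks like a public hostname, which sits awkwardly next to the new advice; an internal-looking host in that example would match the note.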