From 3edca3efe8292ef9446f5bad72f9deca6c2cf4f6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?P=C3=A5l-Magnus=20Sl=C3=A5tto?= Date: Fri, 28 Oct 2022 11:58:26 +0200 Subject: [PATCH] [docs]: Update Prometheus docs with security info (#2246) ## About the changes Prometheus metrics should not be exposed to the public. Added a note about this to inform people that internal endpoints should be dropped on external access. ## Discussion points https://unleash-community.slack.com/archives/CGP2MCHPF/p1666688295670459 ## Commits * [docs]: Update Prometheus docs with security info * Apply suggestions from code review Co-authored-by: Thomas Heartman * Add info about Prometheus security Co-authored-by: Thomas Heartman --- website/docs/api/internal/internal-backstage-api.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/website/docs/api/internal/internal-backstage-api.md b/website/docs/api/internal/internal-backstage-api.md index 4e1fb9de92..8928be4e6b 100644 --- a/website/docs/api/internal/internal-backstage-api.md +++ b/website/docs/api/internal/internal-backstage-api.md @@ -7,7 +7,9 @@ title: /internal-backstage/prometheus `GET http://unleash.host.com/internal-backstage/prometheus` -Unleash uses prometheus internally to collect metrics. These are available on the given url if the `serverMetrics` option is enabled (default=true). +Unleash uses Prometheus internally to collect metrics. By default, the metrics are available at `/internal-backstage/prometheus`. You can disable this endpoint by setting the `serverMetrics` option to `false`. + +Note that it's not recommended to expose Prometheus metrics to the public as of the [Prometheus pentest-report](https://prometheus.io/assets/downloads/2018-06-11--cure53_security_audit.pdf) issue PRM-01-002. Thus, if you want to keep metrics enabled, you should block all external access to `/internal-backstage/*` on the network layer to keep your instance secure. [Read more about Prometheus](https://prometheus.io/)
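Review bot: in the added second paragraph, "as of the [Prometheus pentest-report](...) issue PRM-01-002" reads as if the recommendation is dated from the report rather than motivated by it; suggest "as described in finding PRM-01-002 of the [Prometheus security audit](https://prometheus.io/assets/downloads/2018-06-11--cure53_security_audit.pdf)". Also, the removed line stated the option default explicitly as `(default=true)`, while the new first paragraph only implies it with "By default, the metrics are available at ..."; keep the default stated next to the `serverMetrics` option name so readers see that the endpoint is live unless they either set the option to `false` or filter `/internal-backstage/*` at the proxy or firewall, which is the point the new note is making.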