Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security Concern #283

Open
zidokobik opened this issue Feb 10, 2024 · 4 comments
Open

Security Concern #283

zidokobik opened this issue Feb 10, 2024 · 4 comments

Comments

@zidokobik
Copy link

Wouldn't exposing the metrics endpoint with the main app a bad security practice. Maybe add HTTP Basic authentication ?

@0xecute
Copy link

0xecute commented Feb 24, 2024

Totally agree. HTTP basic auth or IP whitelisting

@trallnag
Copy link
Owner

Hi, I would not consider is a bad security practice. It really depends on the architecture of your application. For example you could have an ingress like Traefik or Nginx in front of the API that handles everything related to authentication and authorization.

It is just not this packages responsibility to authenticate requests. This is the regular approach, I'd argue. For example the official prometheus client library for Python does not mention authentication in their documentation here. And prometheus flask exporter relies on external authentication via decorator, see here.

So I am not sure if I want to add this. It opens a whole can of worms

Alternatives that work without adding this feature:

  • Adding a middleware to the app that enforces HTTP basic auth.
  • Not using expose() and instead writing the endpoint yourself.
  • Getting the app with the metrics endpoint from the prometheus client lib and adding middleware for authentication there.

On the other side prometheus-fastapi-instrumentator already has many (too many) knobs, handles, feature flags... So one more parameter makes it just a little worse.

@aovasylenko
Copy link

@trallnag did you consider example/tools to run metrics on a separate port?

@csko
Copy link

csko commented Dec 7, 2024

Something like this should work:

from prometheus_fastapi_instrumentator import Instrumentator
from fastapi import Depends, HTTPException, Request

async def restrict_localhost(request: Request):
    if request.client.host != "127.0.0.1":
        raise HTTPException(status_code=403)

Instrumentator().instrument(app).expose(app, dependencies=[Depends(restrict_localhost)])

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants