Skip to content

custom-error-pages: Add an ability to disable "/metrics", "/healthz" and "/debug/vars" endpoints #9152

New issue
New issue
Open
#10984
Open
custom-error-pages: Add an ability to disable "/metrics", "/healthz" and "/debug/vars" endpoints#9152
#10984
Assignees
ricardoapl
Labels
kind/featureCategorizes issue or PR as related to a new feature.priority/backlogHigher priority than priority/awaiting-more-evidence.triage/acceptedIndicates an issue or PR is ready to be actively worked on.
@ucinskij

Description

@ucinskij
ucinskij
opened on Oct 13, 2022

The custom-error-pages backend does it job pretty well, however during a security scan it was detected that it exposes three endpoints:
/metrics
/healthz
/debug/vars

/metrics and /healthz are implemented by

ingress-nginx/images/custom-error-pages/rootfs/main.go

Line 78 in 499dbf5

func main() {

/debug/vars at a first sight seems to be coming with github.com/prometheus/client_golang which includes expvar: https://pkg.go.dev/expvar

Especially the first and last ones expose information that might be considered as 'sensitive' by some organizations. Hence why I would like to ask for a feature toggle that would allow to disable those endpoints. It is to be considered if those should be exposed by default or not.

Metadata

Metadata

Assignees

Labels

kind/featureCategorizes issue or PR as related to a new feature.priority/backlogHigher priority than priority/awaiting-more-evidence.triage/acceptedIndicates an issue or PR is ready to be actively worked on.

Type

No type

Projects

[SIG Network] Ingress NGINX

  • Status

    Todo

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions