Exposed sensitive data in debug probe, recent probe logs, and config endpoint
Maros112358 opened this issue · 1 comments
Maros112358 commented
I have sensitive data in my TCP probe like this:
```yaml
my_tcp_probe:
  prober: tcp
  timeout: 5s
  tcp:
    query_response:
      - expect: "220"
      - send: "USER my_username\r"
      - expect: "331"
      - send: "PASS sensitive_data_here"
      - expect: "230"
      - send: "QUIT\r"
      - expect: "221"
```
I set `--log.level=error`, but someone can still access my sensitive data by visiting `/config` or `/probe?debug=true...`.
I would like to hide my sensitive data from these endpoints. Some ideas:
- flag `config.hide` will turn off `/config`
- flag `probe.no-debug` will not allow query parameter `debug=true` to be used
- flag `secure` will run blackbox-exporter in mode with only `/probe` endpoint without option `debug=true`
EDIT: Setting `history.limit=0` solves the problem with `/logs`
electron0zero commented
> I set --log.level=error, but someone can still access my sensitive data by visiting /config or /probe?debug=true....

You can configure TLS and basic authentication to secure HTTP endpoints.
I am going to close this because we have a way to secure these endpoints. If you need additional security, we recommend using other methods to secure your blackbox_exporter installation :)
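
The TLS and basic authentication setup mentioned in the reply, as an added example that is not part of the original thread: a web configuration file for the exporter and the matching Prometheus scrape job. All file paths, host names, the `prometheus` user name, the job name and the hash placeholder are assumptions.

```yaml
# --- web-config.yml, loaded with: blackbox_exporter --web.config.file=web-config.yml ---
# Paths, user name and hash are placeholders (assumptions), not values from the issue.
tls_server_config:
  cert_file: /etc/blackbox_exporter/tls/server.crt
  key_file: /etc/blackbox_exporter/tls/server.key
  min_version: TLS12
basic_auth_users:
  # The value is a bcrypt hash, never the plain password
  # (one way to produce it: htpasswd -nB prometheus).
  prometheus: "$2y$10$REPLACE_WITH_BCRYPT_HASH_OF_SCRAPE_PASSWORD"
---
# --- prometheus.yml fragment: the scraper authenticates to the exporter ---
scrape_configs:
  - job_name: blackbox_ftp            # hypothetical job name
    metrics_path: /probe
    scheme: https
    params:
      module: [my_tcp_probe]          # module name from the issue
    basic_auth:
      username: prometheus
      # Read the password from a file so it does not sit in prometheus.yml.
      password_file: /etc/prometheus/secrets/blackbox_password
    tls_config:
      ca_file: /etc/prometheus/tls/ca.crt
    static_configs:
      - targets: ['ftp.example.org:21']   # constructed probe target
    relabel_configs:
      # Standard blackbox pattern: the target becomes a URL parameter,
      # and the scrape itself goes to the exporter's address.
      - source_labels: [__address__]
        target_label: __param_target
      - source_labels: [__param_target]
        target_label: instance
      - target_label: __address__
        replacement: blackbox.example.internal:9115
```

The credentials gate every endpoint equally, so any client that holds them can still read `/config` and `/probe?debug=true`; issue them only to the Prometheus server.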