Prevent proxy data sources from hitting internal IP addresses

[woodsaj]

Issue by ctdk
Thursday Jul 30, 2015 at 06:45 GMT
Originally opened as raintank/grafana#381

---

Per #249, (and especially @torkelo's comment at raintank/grafana#249 (comment)), people can set up proxy data source and hit internal IP addresses. This is a separate issue from the /debug/vars URL being exposed, so I'm making a new issue for this.

[woodsaj]

Comment by Dieterbe
Thursday Jul 30, 2015 at 08:37 GMT

---

i wonder what is the best way to go about this. maybe a grafana config option for some blacklisted ip's/hostnames that aren't allowed? because obviously in some other grafana setups, it's very common to query localhost, if graphite/influx runs on the same machine.

or can this be elegantly solved by something like iptables or cgroups?

[woodsaj]

Comment by woodsaj
Thursday Jul 30, 2015 at 10:22 GMT

---

My vote is to solve this with whitelist/blacklist configuration options.

Some users will want to allow everything but a host/network. Others will want to allow only specified network/host.

something like, if in whitelist then allow. if in blacklist then deny, otherwise allow

we could then set a blacklist to 127.0.0.0/8,10.0.0.0/8

[woodsaj]

Comment by torkelo
Monday Aug 31, 2015 at 12:23 GMT

---

opened issue in grafana for this, grafana/grafana#2626

[woodsaj]

Comment by woodsaj
Tuesday Sep 15, 2015 at 13:56 GMT

---

as noted in https://github.com/raintank/ops/issues/126 we also need to apply the access control in the endpoint discovery service

[woodsaj]

Comment by Dieterbe
Wednesday Sep 16, 2015 at 04:41 GMT

---

and form validation