Metrics endpoint changes should be marked more clearly as breaking changes for reverse proxies #1865
danpoltawski
started this conversation in
General
Replies: 1 comment
This change was necessary to fix CVE-2023-27591. There are more details in the v2.0.43 release notes.
The changelog entry about #1745 did not alert me to the fact it would break access behind a trusted reverse proxy.
Additionally, as the 'unauthorized' response is a 404, it was not immediately obvious what had gone wrong. In order to quickly remedy the situation you need to set METRICS_ALLOWED_NETWORKS=0.0.0.0/0 (or the range of the trusted reverse proxy), as the default value is 127.0.0.1. (Then also implement the ACL on your reverse proxy.)
While I don't necessarily disagree with this change, it came as a surprise (and my reverse proxy won't allow spoofed forwarded headers, so the previous behaviour was fine for me).
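The behaviour described in the post, as an added example that is not part of the original discussion and not the project's own code: a metrics handler that allow-lists the direct TCP peer address and ignores X-Forwarded-For, so a scrape arriving via a reverse proxy on another host gets a 404 under the 127.0.0.1 default, and only works once the proxy's own range (here the constructed 10.0.0.0/24) or 0.0.0.0/0 is allowed. The helper names parseAllowedNetworks, isAllowed, metricsHandler and probe are assumptions for this example; the default is written as 127.0.0.1/32 because net.ParseCIDR needs a prefix length.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// parseAllowedNetworks parses a comma-separated CIDR list in the shape of the
// METRICS_ALLOWED_NETWORKS value mentioned above (hypothetical helper).
func parseAllowedNetworks(spec string) ([]*net.IPNet, error) {
	var nets []*net.IPNet
	for _, s := range strings.Split(spec, ",") {
		s = strings.TrimSpace(s)
		if s == "" {
			continue
		}
		_, n, err := net.ParseCIDR(s)
		if err != nil {
			return nil, fmt.Errorf("bad network %q: %w", s, err)
		}
		nets = append(nets, n)
	}
	return nets, nil
}

// isAllowed checks only the direct peer address (r.RemoteAddr). Forwarded
// headers are deliberately ignored: any client can set X-Forwarded-For, so
// trusting it would let a remote client claim to be 127.0.0.1.
func isAllowed(remoteAddr string, nets []*net.IPNet) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr // no port present, treat the whole string as the host
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false
	}
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// metricsHandler answers 404 to peers outside the allow-list, matching the
// response the post describes, and serves a constructed metric otherwise.
func metricsHandler(nets []*net.IPNet) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !isAllowed(r.RemoteAddr, nets) {
			http.NotFound(w, r)
			return
		}
		w.Header().Set("Content-Type", "text/plain; version=0.0.4")
		fmt.Fprintln(w, "# HELP app_up 1 if the application is running")
		fmt.Fprintln(w, "app_up 1")
	})
}

// probe issues an in-process GET /metrics from the given peer address, with an
// optional X-Forwarded-For header, and returns the status code.
func probe(nets []*net.IPNet, remoteAddr, forwardedFor string) int {
	req := httptest.NewRequest(http.MethodGet, "/metrics", nil)
	req.RemoteAddr = remoteAddr
	if forwardedFor != "" {
		req.Header.Set("X-Forwarded-For", forwardedFor)
	}
	rec := httptest.NewRecorder()
	metricsHandler(nets).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Default allow-list: loopback only. The proxy host (constructed 10.0.0.5)
	// is refused even when it forwards a header claiming a loopback origin.
	defaultNets, _ := parseAllowedNetworks("127.0.0.1/32")
	fmt.Println("loopback scrape:", probe(defaultNets, "127.0.0.1:51000", ""))
	fmt.Println("scrape via proxy:", probe(defaultNets, "10.0.0.5:51000", "127.0.0.1"))

	// Remedy from the post: allow the trusted proxy's range (and enforce the
	// ACL on the proxy itself, since the application now trusts that range).
	proxyNets, _ := parseAllowedNetworks("127.0.0.1/32, 10.0.0.0/24")
	fmt.Println("scrape via proxy after fix:", probe(proxyNets, "10.0.0.5:51000", ""))
}
```

Note that 0.0.0.0/0 only matches IPv4 peers; if the proxy connects over IPv6 (for example ::1), the loopback entry ::1/128 or ::/0 has to be listed as well.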