Health/Metrics/Debug endpoints publicly available without auth

[desa]

Currently all

influxdb/http/handler.go

Lines 20 to 29 in 401ec79

	const (
	// MetricsPath exposes the prometheus metrics over /metrics.
	MetricsPath = "/metrics"
	// ReadyPath exposes the readiness of the service over /ready.
	ReadyPath = "/ready"
	// HealthPath exposes the health of the service over /health.
	HealthPath = "/health"
	// DebugPath exposes /debug/pprof for go debugging.
	DebugPath = "/debug"
	)

are exposed publicly and do not require auth. This is likely to expose some amount of private data.

We should either

1. Add an option to ensure that those endpoints are unexposed
2. Require authentication to access those endpoints

[lafrech]

I just stumbled upon this. I wanted to report it and found this issue already open.

I can confirm, except for debug, which returns a 404 error.

[DSpeichert]

I was just looking through the issues before reporting this as well.
It makes it even "hard" to test out the beta, considering how InfluxDB kinda has to be exposed for Telegraf to reach it, at the same time InfluxDB should be able to scrape itself.

How about adding some sort of ACL for /metrics?
The /ready and /health routes are useful for k8s, obviously, and do not seem to be leaking sensitive information.
Having /metrics locked down to access from 127.0.0.1 would be a good sane default setting.

[russorat]

connect #20764

[danxmoran]

Closing this since we've split the work into multiple issues:

• i would like to have the ability to disable the pprof endpoint #20764 for pprof
• Add support for disabling /metrics endpoint #20755 for metrics