Merge pull request #1033 from redpanda-data/nf/pprof-loopback

pprof: bind it to the loopback interface by default
redpanda-data · Jan 25, 2024 · 1cf3736 · 1cf3736
2 parents 64fca3b + 41d1a35
commit 1cf3736
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 3 deletions.
diff --git a/backend/pkg/api/middlewares.go b/backend/pkg/api/middlewares.go
@@ -11,12 +11,15 @@ package api
 
 import (
 	"context"
+	"net"
 	"net/http"
 	"strconv"
 	"strings"
 	"time"
 
+	"github.com/cloudhut/common/rest"
 	"github.com/go-chi/chi/v5"
+	"go.uber.org/zap"
 )
 
 // BasePathCtxKey is a helper to avoid allocations, idea taken from chi
@@ -134,3 +137,24 @@ func createSetVersionInfoHeader(builtAt string) func(next http.Handler) http.Han
 		return http.HandlerFunc(fn)
 	}
 }
+
+// forceLoopbackMiddleware blocks requests not coming from the loopback interface.
+func forceLoopbackMiddleware(logger *zap.Logger) func(next http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			addr, ok := r.Context().Value(http.LocalAddrContextKey).(*net.TCPAddr)
+			if !ok {
+				logger.Info("request does not contain interface binding information")
+				rest.HandleNotFound(logger).ServeHTTP(w, r)
+				return
+			}
+			if !addr.IP.IsLoopback() {
+				logger.Info("blocking request not directed to the loopback interface")
+				rest.HandleNotFound(logger).ServeHTTP(w, r)
+				return
+			}
+
+			next.ServeHTTP(w, r)
+		})
+	}
+}
diff --git a/backend/pkg/api/routes.go b/backend/pkg/api/routes.go
@@ -207,12 +207,20 @@ func (api *API) routes() *chi.Mux {
 			r.Handle("/admin/metrics", promhttp.Handler())
 			r.Handle("/admin/health", api.handleLivenessProbe())
 			r.Handle("/admin/startup", api.handleStartupProbe())
+		})
+
+		// Debug routes
+		if api.Cfg.REST.Debug.Enabled {
+			router.Group(func(r chi.Router) {
+				api.Hooks.Route.ConfigInternalRouter(r)
+				if api.Cfg.REST.Debug.ForceLoopback {
+					r.Use(forceLoopbackMiddleware(api.Logger))
+				}
 
-			if api.Cfg.REST.Debug.Enabled {
 				// Path must be prefixed with /debug otherwise it will be overridden, see: https://golang.org/pkg/net/http/pprof/
 				r.Mount("/debug", chimiddleware.Profiler())
-			}
-		})
+			})
+		}
 
 		// API routes
 		router.Group(func(r chi.Router) {

diff --git a/backend/pkg/config/server.go b/backend/pkg/config/server.go
@@ -33,7 +33,11 @@ type Server struct {
 
 // DebugConfig contains configuration for the pprof debug handler.
 type DebugConfig struct {
+	// Enabled allows to toggle the debug endpoint.
 	Enabled bool `yaml:"enabled"`
+
+	// ForceLoopback binds the debug endpoint only to the host's loopback interface.
+	ForceLoopback bool `yaml:"forceLoopback"`
 }
 
 // SetDefaults for server config.
@@ -50,4 +54,6 @@ func (s *Server) SetDefaults() {
 	s.AllowedOrigins = nil
 	// Debug is enabled by default for backward compatibility.
 	s.Debug.Enabled = true
+	// Forcing loopback by default on debug is better security-wise.
+	s.Debug.ForceLoopback = true
 }
diff --git a/docs/config/console.yaml b/docs/config/console.yaml
@@ -231,6 +231,12 @@ kafka:
 #   # API. By default, a same-site policy is enforced to prevent CSRF-attacks.
 #   # Only in very specific deployment models you may need to change the secure default.
 #   allowedOrigins: []
+#   # Debug allows to configure the pprof debug handler options. The pprof handler is exposed
+#   # by default in the /debug path and only served through the system loopback interface,
+#   # e.g. '127.0.0.1' or '::1'.
+#   debug:
+#     enabled: true # allows to toggle the debug endpoint
+#     forceLoopback: true # binds the debug endpoint only to the host's loopback interface
 
 # logger:
 #   level: info # Valid values are: debug, info, warn, error, fatal