Metrics endpoint changes should be marked more clearly as breaking changes for reverse proxies #1865
danpoltawski started this conversation in General
Replies: 1 comment
This change was necessary to fix CVE-2023-27591. There are more details in the v2.0.43 release notes.
The changelog entry about #1745 did not alert me to the fact it would break access behind a trusted reverse proxy.

Additionally, as the 'unauthorized' response is a 404, it was not immediately obvious what had gone wrong. In order to quickly remedy the situation you need to do METRICS_ALLOWED_NETWORKS=0.0.0.0/0 (or the range of the trusted reverse proxy) as the default value is 127.0.0.1. (Then also implement the ACL on your reverse proxy.)

While I don't necessarily disagree with this change, it came as a surprise (and my reverse proxy won't allow spoofed forwarded headers so the previous behaviour was fine for me).
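As an added example (not the project's own code, and the page does not show how the real check is implemented), the following Go program illustrates the shape of the behaviour the post describes: a comma-separated METRICS_ALLOWED_NETWORKS value is parsed as CIDR ranges, defaulting to 127.0.0.1; the metrics handler compares the TCP peer address against those ranges and answers 404 to anything outside them; and the forwarded header is never consulted, which is why a reverse proxy outside the allowlist is cut off even when it forwards the client address honestly. The function names, the treatment of a bare address as a /32 or /128, and the probe helper are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"os"
	"strings"
)

// parseAllowedNetworks parses a comma-separated list of CIDR ranges, the
// shape of the METRICS_ALLOWED_NETWORKS value from the discussion, and
// falls back to loopback only when the value is empty (the default the
// post reports). Bare addresses are accepted as single-host networks;
// that convenience is an assumption of this example.
func parseAllowedNetworks(value string) ([]*net.IPNet, error) {
	if strings.TrimSpace(value) == "" {
		value = "127.0.0.1/32"
	}
	var nets []*net.IPNet
	for _, part := range strings.Split(value, ",") {
		part = strings.TrimSpace(part)
		if part == "" {
			continue
		}
		if !strings.Contains(part, "/") {
			ip := net.ParseIP(part)
			if ip == nil {
				return nil, fmt.Errorf("invalid address %q", part)
			}
			bits := 32
			if ip.To4() == nil {
				bits = 128
			}
			part = fmt.Sprintf("%s/%d", ip, bits)
		}
		_, n, err := net.ParseCIDR(part)
		if err != nil {
			return nil, fmt.Errorf("invalid network %q: %w", part, err)
		}
		nets = append(nets, n)
	}
	return nets, nil
}

// isAllowed decides on the peer address of the TCP connection (host:port
// as in http.Request.RemoteAddr). X-Forwarded-For is deliberately not
// read: a client can set that header to anything, so only the address the
// kernel reports is trustworthy here.
func isAllowed(remoteAddr string, nets []*net.IPNet) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr // RemoteAddr given without a port
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false
	}
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// metricsHandler guards the metrics endpoint. Peers outside the allowlist
// receive 404 rather than 403, matching the behaviour the post observed,
// so the endpoint's existence is not confirmed to them.
func metricsHandler(nets []*net.IPNet, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !isAllowed(r.RemoteAddr, nets) {
			http.NotFound(w, r)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe runs one constructed request through the guard with a chosen peer
// address and optional X-Forwarded-For value and returns the status code.
func probe(nets []*net.IPNet, remoteAddr, forwardedFor string) int {
	h := metricsHandler(nets, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "# metrics go here")
	}))
	req := httptest.NewRequest(http.MethodGet, "/metrics", nil)
	req.RemoteAddr = remoteAddr
	if forwardedFor != "" {
		req.Header.Set("X-Forwarded-For", forwardedFor)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	nets, err := parseAllowedNetworks(os.Getenv("METRICS_ALLOWED_NETWORKS"))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("loopback peer:", probe(nets, "127.0.0.1:4321", ""))
	fmt.Println("proxy peer, header says loopback:", probe(nets, "10.0.0.5:4321", "127.0.0.1"))
}
```

With the variable unset, the second probe prints 404 even though the header claims the request came from loopback: that is the situation the post ran into, where a proxy on another host is suddenly outside the default allowlist. Setting METRICS_ALLOWED_NETWORKS to the proxy's range makes the first half of the remedy; the second half, as the post says, is an ACL on the proxy itself that denies /metrics to clients outside the operator's network, since once the proxy range is allowlisted the application can no longer tell those clients apart.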