grafana started to listen globally by default instead of only on localhost (22.05 -> 22.11) #207769

Closed
herbetom opened this issue Dec 26, 2022 · 2 comments · Fixed by #207913

herbetom commented Dec 26, 2022

Issue description

#191768 changed on which address Grafana listens by default. Previously (under 22.05) it was localhost only and it was necessary to explicitly adjust this if so desired. Now (with 22.11) Grafana is listening on all IPs.

Previously:

```nix
addr = mkOption {
  description = "Listening address.";
  default = "127.0.0.1";
  type = types.str;
};
```

```
[root@stats:~]# ss -tlnp | grep -E "State|grafana"
State  Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
LISTEN 0      4096       127.0.0.1:3000      0.0.0.0:*    users:(("grafana-server",pid=774,fd=8))
```

New default is to listen on all IPs:

```nix
http_addr = mkOption {
  description = lib.mdDoc "Listening address.";
  default = "";
  type = types.str;
};
```

```
[root@stats:~]# ss -tlnp | grep -E "State|grafana"
State  Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
LISTEN 0      4096               *:3000            *:*    users:(("grafana-server",pid=286547,fd=11))
```

Without an enabled (and properly configured) firewall, this could result in situations where people are exposing their Grafana installation unintentionally.

@offline @fpletz @WilliButz @globin @Ma27 @Frostman @KFearsoff

Technical details

```
[root@stats:~]# nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 5.15.77, NixOS, 22.11 (Raccoon), 22.11.1137.dac57a4eccf`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.11.1`
 - channels(root): `"nixos-22.11"`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`
```

SuperSandro2000 commented Dec 27, 2022

> Without an enabled (and properly configured) firewall, this could result in situations where people are exposing their Grafana installation unintentionally.

but the default settings should suffice to catch this, right?

This also matches the upstream grafana default https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#http_addr

herbetom commented

> but the default settings should suffice to catch this, right?

Yes, I would think so. Therefore not really dramatic in most cases.
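
The check done by eye with `ss -tlnp | grep` in the issue, written as a reusable function; this is an added example, not code from the issue or from nixpkgs. The helper names `sample_ss_output` and `exposed_listeners` are hypothetical, and the sample lines are constructed around the two `ss` outputs quoted above.

```shell
#!/usr/bin/env bash
# Added example (not from the issue or nixpkgs): report TCP listeners of one
# process that are bound to a non-loopback address, from `ss -tlnp` output.

# Constructed sample: the first two sockets mirror the outputs quoted in the
# issue; the [::1] and sshd lines are made up to exercise the parser.
sample_ss_output() {
  cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
LISTEN 0      4096       127.0.0.1:3000      0.0.0.0:*    users:(("grafana-server",pid=774,fd=8))
LISTEN 0      4096               *:3000            *:*    users:(("grafana-server",pid=286547,fd=11))
LISTEN 0      4096           [::1]:3001         [::]:*    users:(("grafana-server",pid=286547,fd=12))
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=900,fd=3))
EOF
}

# exposed_listeners NAME  (hypothetical helper; reads `ss -tlnp` on stdin)
# Prints the local address of every LISTEN socket owned by process NAME that
# is not loopback-only. Exit status 1 if any was printed, 0 otherwise.
exposed_listeners() {
  awk -v proc="$1" '
    $1 == "LISTEN" && index($0, "(\"" proc "\"") {
      laddr = $4
      port = laddr; sub(/.*:/, "", port)          # text after the last colon
      addr = substr(laddr, 1, length(laddr) - length(port) - 1)
      sub(/%.*/, "", addr)                         # drop "%iface" scope suffix
      sub(/^\[/, "", addr); sub(/\]$/, "", addr)   # drop IPv6 brackets
      if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./) next
      print laddr                                  # "*", 0.0.0.0, :: or a real IP
      found = 1
    }
    END { exit (found ? 1 : 0) }
  '
}

# Demo on the constructed sample.
# On a live host: ss -tlnp | exposed_listeners grafana-server
sample_ss_output | exposed_listeners grafana-server \
  || echo "grafana-server is reachable beyond loopback"
```

Without root, `ss -p` omits the process column for sockets owned by other users, so run the live check as root, as in the issue.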
