From 7f11029b1a5d9bd6d8565e1c6d705d1aecbf9210 Mon Sep 17 00:00:00 2001
From: Dominik Hebeler <dominik@suma-ev.de>
Date: Wed, 26 May 2021 11:03:12 +0200
Subject: [PATCH] disallow public access to metrics endpoint

---
 routes/web.php | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/routes/web.php b/routes/web.php
index eb81c6e64..18be3329a 100644
--- a/routes/web.php
+++ b/routes/web.php
@@ -3,6 +3,7 @@
 use Illuminate\Support\Facades\Redis;
 use Jenssegers\Agent\Agent;
 use Prometheus\RenderTextFormat;
+use Illuminate\Http\Request;
 
 /*
 |--------------------------------------------------------------------------
@@ -320,7 +321,27 @@ Route::group(
             });
         });
 
-        Route::get('metrics', function () {
+        Route::get('metrics', function (Request $request) {
+            // Only allow access to metrics from within our network
+            $ip = $request->ip();
+            $allowedNetworks = [
+                "10.",
+                "172.",
+                "192.",
+                "127.0.0.1",
+            ];
+
+            $allowed = false;
+            foreach($allowedNetworks as $part){
+                if(stripos($ip, $part) === 0){
+                    $allowed = true;
+                }
+            }
+
+            if(!$allowed){
+                abort(401);
+            }
+            
             $registry = \Prometheus\CollectorRegistry::getDefault();
 
             $renderer = new RenderTextFormat();
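Review bot: The prefix test `stripos($ip, $part) === 0` admits far more than the private ranges the comment intends — `"172."` accepts all of 172.0.0.0/8 rather than 172.16.0.0/12, and `"192."` accepts all of 192.0.0.0/8 rather than 192.168.0.0/16, so plenty of public clients would still reach the endpoint. Matching against CIDR blocks with `\Symfony\Component\HttpFoundation\IpUtils::checkIp()`, which Laravel already pulls in through symfony/http-foundation (add `use Symfony\Component\HttpFoundation\IpUtils;` if you prefer the short name), fixes this and also covers the IPv6 loopback `::1` that the current list omits. Note that `$request->ip()` is taken from `X-Forwarded-For` when the request arrives via a trusted proxy, so this allowlist is only as strong as the TrustProxies configuration — confirm it does not trust every upstream, or a client can spoof a private address. A `403` (or `404`, to avoid advertising the endpoint) is the better status than `401`, which tells the caller that credentials are expected. The closure continues past the end of the hunk.
```php
        Route::get('metrics', function (Request $request) {
            // Only serve metrics to callers inside our own network (RFC 1918 + loopback).
            // $request->ip() honours X-Forwarded-For only from proxies listed in TrustProxies.
            $allowedNetworks = [
                '10.0.0.0/8',
                '172.16.0.0/12',
                '192.168.0.0/16',
                '127.0.0.0/8',
                '::1',
            ];

            if (!\Symfony\Component\HttpFoundation\IpUtils::checkIp($request->ip(), $allowedNetworks)) {
                abort(403);
            }

            // … unchanged: registry lookup and text rendering …
```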
-- 
GitLab