-
-
Notifications
You must be signed in to change notification settings - Fork 7
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[metrics-1] added basic metrics #445
Conversation
👋 Thank you for contributing. A staging environment for this PR for this change will be available shortly |
This opens us up to a trivial DOS possiblity ⇒ is thus unaceptable This gives me the motivation needed to look if migrating to rocket and https://github.com/sd2k/rocket_prometheus is a better plan of action (this repo does not open us up to this vulnerability and has lazy instantiation for custom metrics) |
👋 Thank you for contributing. A staging environment for this PR for this change will be available shortly |
I have checked out rocket and the features. I have checked if this is really exploitable and have come to this conclusion: I have looked into, if we can provide a patch to nlopes/actix-web-prom or atomix-team/actix-web-prometheus: This is not possible due to the architecture of actix (what routes are available is not exposed to middlewares as far as I can tell) Furthermore, the impact of this is, that Prometheus gets taken offline ⇒ this is picked up by Grafana ⇒ we are alerted and could fix this Thus, while not being ideal, I think this is a barely acceptabe risk (I am obviously not happy, but this will work) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just a typo but apart from that seems all good. If I understand this correctly, including the Cargo.lock
files is better. I was not sure about that.
Since we do not store permanent data in any service that cannot be reretrived, I only see a risk of downtime but no data loss in the case someone tries to spam our metrics until storage space runs out.
Co-authored-by: octycs <octycs@users.noreply.github.com>
Adds these mertics:
/api/get/
) has been requested (2 Categories: Bot Traffic/Human Traffic)/api/legacy_redirect/
) has been requestedFrom #440
Proposed Changes (include Screenshots if possible)
added the following metrics:
navigatum_APPNAME_incoming_requests
(labels: endpoint, method, status): the total number of HTTP requests handled by the actix HttpServer.navigatum_APPNAME_response_code
(labels: endpoint, method, statuscode, type): Response codes of all HTTP requests handled by the actix HttpServer.navigatum_APPNAME_response_time
(labels: endpoint, method, status): Total the request duration of all HTTP requests handled by the actix HttpServer.How to test this PR
How has this been tested?
Checklist: