summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorCosta Tsaousis <costa@netdata.cloud>2023-10-16 09:39:21 +0100
committerGitHub <noreply@github.com>2023-10-16 11:39:21 +0300
commitbadb0175796f540f89ae6852918be7296d420ab7 (patch)
tree2462427168b895ae2fcb8ed462ddcd1f28051ce5
parenta81a2c7343ede6dd58db941322f8635228fca887 (diff)
registry action hello should always work (#16212)
* registry action hello should always work * update docs
Diffstat
-rw-r--r--registry/registry.c4
-rw-r--r--registry/registry.h2
-rw-r--r--web/api/web_api_v1.c14
-rw-r--r--web/server/README.md72
4 files changed, 47 insertions, 45 deletions
diff --git a/registry/registry.c b/registry/registry.c
index a2a8dd7ecb..cd33e5ca09 100644
--- a/registry/registry.c
+++ b/registry/registry.c
@@ -163,7 +163,7 @@ void registry_update_cloud_base_url() {
// ----------------------------------------------------------------------------
// public HELLO request
-int registry_request_hello_json(RRDHOST *host, struct web_client *w) {
+int registry_request_hello_json(RRDHOST *host, struct web_client *w, bool do_not_track) {
registry_json_header(host, w, "hello", REGISTRY_STATUS_OK);
if(host->node_id)
@@ -191,7 +191,7 @@ int registry_request_hello_json(RRDHOST *host, struct web_client *w) {
buffer_json_member_add_string(w->response.data, "cloud_base_url", registry.cloud_base_url);
buffer_json_member_add_string(w->response.data, "registry", registry.registry_to_announce);
- buffer_json_member_add_boolean(w->response.data, "anonymous_statistics", netdata_anonymous_statistics_enabled);
+ buffer_json_member_add_boolean(w->response.data, "anonymous_statistics", do_not_track ? false : netdata_anonymous_statistics_enabled);
buffer_json_member_add_boolean(w->response.data, "X-Netdata-Auth", true);
buffer_json_member_add_array(w->response.data, "nodes");
diff --git a/registry/registry.h b/registry/registry.h
index a572991c7e..746fe430f6 100644
--- a/registry/registry.h
+++ b/registry/registry.h
@@ -66,7 +66,7 @@ int registry_request_access_json(RRDHOST *host, struct web_client *w, char *pers
int registry_request_delete_json(RRDHOST *host, struct web_client *w, char *person_guid, char *machine_guid, char *url, char *delete_url, time_t when);
int registry_request_search_json(RRDHOST *host, struct web_client *w, char *person_guid, char *request_machine);
int registry_request_switch_json(RRDHOST *host, struct web_client *w, char *person_guid, char *machine_guid, char *url, char *new_person_guid, time_t when);
-int registry_request_hello_json(RRDHOST *host, struct web_client *w);
+int registry_request_hello_json(RRDHOST *host, struct web_client *w, bool do_not_track);
// update the registry config
void registry_update_cloud_base_url();
diff --git a/web/api/web_api_v1.c b/web/api/web_api_v1.c
index 4a0f54986c..6488640177 100644
--- a/web/api/web_api_v1.c
+++ b/web/api/web_api_v1.c
@@ -1013,11 +1013,7 @@ inline int web_client_api_request_v1_registry(RRDHOST *host, struct web_client *
#endif /* NETDATA_INTERNAL_CHECKS */
}
- if(unlikely(respect_web_browser_do_not_track_policy && web_client_has_donottrack(w))) {
- buffer_flush(w->response.data);
- buffer_sprintf(w->response.data, "Your web browser is sending 'DNT: 1' (Do Not Track). The registry requires persistent cookies on your browser to work.");
- return HTTP_RESP_BAD_REQUEST;
- }
+ bool do_not_track = respect_web_browser_do_not_track_policy && web_client_has_donottrack(w);
if(unlikely(action == 'H')) {
// HELLO request, dashboard ACL
@@ -1029,6 +1025,12 @@ inline int web_client_api_request_v1_registry(RRDHOST *host, struct web_client *
// everything else, registry ACL
if(unlikely(!web_client_can_access_registry(w)))
return web_client_permission_denied(w);
+
+ if(unlikely(do_not_track)) {
+ buffer_flush(w->response.data);
+ buffer_sprintf(w->response.data, "Your web browser is sending 'DNT: 1' (Do Not Track). The registry requires persistent cookies on your browser to work.");
+ return HTTP_RESP_BAD_REQUEST;
+ }
}
buffer_no_cacheable(w->response.data);
@@ -1079,7 +1081,7 @@ inline int web_client_api_request_v1_registry(RRDHOST *host, struct web_client *
return registry_request_switch_json(host, w, person_guid, machine_guid, machine_url, to_person_guid, now_realtime_sec());
case 'H':
- return registry_request_hello_json(host, w);
+ return registry_request_hello_json(host, w, do_not_track);
default:
buffer_flush(w->response.data);
diff --git a/web/server/README.md b/web/server/README.md
index 26084cfd54..7f445757f2 100644
--- a/web/server/README.md
+++ b/web/server/README.md
@@ -20,42 +20,42 @@ Scroll down to the `[web]` section to find the following settings.
## Settings
-| Setting | Default | Description |
-|:-------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `ssl key` | `/etc/netdata/ssl/key.pem` | Declare the location of an SSL key to [enable HTTPS](#enable-httpstls-support). |
-| `ssl certificate` | `/etc/netdata/ssl/cert.pem` | Declare the location of an SSL certificate to [enable HTTPS](#enable-httpstls-support). |
-| `tls version` | `1.3` | Choose which TLS version to use. While all versions are allowed (`1` or `1.0`, `1.1`, `1.2` and `1.3`), we recommend `1.3` for the most secure encryption. If left blank, Netdata uses the highest available protocol version on your system. |
-| `tls ciphers` | `none` | Choose which TLS cipher to use. Options include `TLS_AES_256_GCM_SHA384`, `TLS_CHACHA20_POLY1305_SHA256`, and `TLS_AES_128_GCM_SHA256`. If left blank, Netdata uses the default cipher list for that protocol provided by your TLS implementation. |
-| `ses max window` | `15` | See [single exponential smoothing](https://github.com/netdata/netdata/blob/master/web/api/queries/ses/README.md). |
-| `des max window` | `15` | See [double exponential smoothing](https://github.com/netdata/netdata/blob/master/web/api/queries/des/README.md). |
-| `mode` | `static-threaded` | Turns on (`static-threaded` or off (`none`) the static-threaded web server. See the [example](#disable-the-web-server) to turn off the web server and disable the dashboard. |
-| `listen backlog` | `4096` | The port backlog. Check `man 2 listen`. |
-| `default port` | `19999` | The listen port for the static web server. |
-| `web files owner` | `netdata` | The user that owns the web static files. Netdata will refuse to serve a file that is not owned by this user, even if it has read access to that file. If the user given is not found, Netdata will only serve files owned by user given in `run as user`. |
-| `web files group` | `netdata` | If this is set, Netdata will check if the file is owned by this group and refuse to serve the file if it's not. |
-| `disconnect idle clients after seconds` | `60` | The time in seconds to disconnect web clients after being totally idle. |
-| `timeout for first request` | `60` | How long to wait for a client to send a request before closing the socket. Prevents slow request attacks. |
-| `accept a streaming request every seconds` | `0` | Can be used to set a limit on how often a parent node will accept streaming requests from child nodes in a [streaming and replication setup](https://github.com/netdata/netdata/blob/master/streaming/README.md). |
-| `respect do not track policy` | `no` | If set to `yes`, Netdata will respect the user's browser preferences for [Do Not Track](https://www.eff.org/issues/do-not-track) (DNT) and storing cookies. If DNT is _enabled_ in the browser, and this option is set to `yes`, users will not be able to sign in to Netdata Cloud via their local Agent dashboard, and their node will not connect to any [registry](https://github.com/netdata/netdata/blob/master/registry/README.md). For certain browsers, users must disable DNT and change this option to `yes` for full functionality. |
-| `x-frame-options response header` | ` ` | Avoid [clickjacking attacks](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options), by ensuring that the content is not embedded into other sites. |
-| `allow connections from` | `localhost *` | Declare which IP addresses or full-qualified domain names (FQDNs) are allowed to connect to the web server, including the [dashboard](https://github.com/netdata/netdata/blob/master/docs/category-overview-pages/accessing-netdata-dashboards.md) or [HTTP API](https://github.com/netdata/netdata/blob/master/web/api/README.md). This is a global setting with higher priority to any of the ones below. |
-| `allow connections by dns` | `heuristic` | See the [access list examples](#access-lists) for details on using `allow` settings. |
-| `allow dashboard from` | `localhost *` | |
-| `allow dashboard by dns` | `heuristic` | |
-| `allow badges from` | `*` | |
-| `allow badges by dns` | `heuristic` | |
-| `allow streaming from` | `*` | |
-| `allow streaming by dns` | `heuristic` | |
-| `allow netdata.conf` | `localhost fd* 10.* 192.168.* 172.16.* 172.17.* 172.18.* 172.19.* 172.20.* 172.21.* 172.22.* 172.23.* 172.24.* 172.25.* 172.26.* 172.27.* 172.28.* 172.29.* 172.30.* 172.31.* UNKNOWN` | |
-| `allow netdata.conf by dns` | `no` | |
-| `allow management from` | `localhost` | |
-| `allow management by dns` | `heuristic` | |
-| `enable gzip compression` | `yes` | When set to `yes`, Netdata web responses will be GZIP compressed, if the web client accepts such responses. |
-| `gzip compression strategy` | `default` | Valid settings are `default`, `filtered`, `huffman only`, `rle` and `fixed`. |
-| `gzip compression level` | `3` | Valid settings are 1 (fastest) to 9 (best ratio). |
-| `web server threads` | ` ` | How many processor threads the web server is allowed. The default is system-specific, the minimum of `6` or the number of CPU cores. |
-| `web server max sockets` | ` ` | Available sockets. The default is system-specific, automatically adjusted to 50% of the max number of open files Netdata is allowed to use (via `/etc/security/limits.conf` or systemd), to allow enough file descriptors to be available for data collection. |
-| `custom dashboard_info.js` | ` ` | Specifies the location of a custom `dashboard.js` file. See [customizing the standard dashboard](https://github.com/netdata/netdata/blob/master/docs/dashboard/customize.md#customize-the-standard-dashboard) for details. |
+| Setting | Default | Description |
+|:-------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `ssl key` | `/etc/netdata/ssl/key.pem` | Declare the location of an SSL key to [enable HTTPS](#enable-httpstls-support). |
+| `ssl certificate` | `/etc/netdata/ssl/cert.pem` | Declare the location of an SSL certificate to [enable HTTPS](#enable-httpstls-support). |
+| `tls version` | `1.3` | Choose which TLS version to use. While all versions are allowed (`1` or `1.0`, `1.1`, `1.2` and `1.3`), we recommend `1.3` for the most secure encryption. If left blank, Netdata uses the highest available protocol version on your system. |
+| `tls ciphers` | `none` | Choose which TLS cipher to use. Options include `TLS_AES_256_GCM_SHA384`, `TLS_CHACHA20_POLY1305_SHA256`, and `TLS_AES_128_GCM_SHA256`. If left blank, Netdata uses the default cipher list for that protocol provided by your TLS implementation. |
+| `ses max window` | `15` | See [single exponential smoothing](https://github.com/netdata/netdata/blob/master/web/api/queries/ses/README.md). |
+| `des max window` | `15` | See [double exponential smoothing](https://github.com/netdata/netdata/blob/master/web/api/queries/des/README.md). |
+| `mode` | `static-threaded` | Turns on (`static-threaded` or off (`none`) the static-threaded web server. See the [example](#disable-the-web-server) to turn off the web server and disable the dashboard. |
+| `listen backlog` | `4096` | The port backlog. Check `man 2 listen`. |
+| `default port` | `19999` | The listen port for the static web server. |
+| `web files owner` | `netdata` | The user that owns the web static files. Netdata will refuse to serve a file that is not owned by this user, even if it has read access to that file. If the user given is not found, Netdata will only serve files owned by user given in `run as user`. |
+| `web files group` | `netdata` | If this is set, Netdata will check if the file is owned by this group and refuse to serve the file if it's not. |
+| `disconnect idle clients after seconds` | `60` | The time in seconds to disconnect web clients after being totally idle. |
+| `timeout for first request` | `60` | How long to wait for a client to send a request before closing the socket. Prevents slow request attacks. |
+| `accept a streaming request every seconds` | `0` | Can be used to set a limit on how often a parent node will accept streaming requests from child nodes in a [streaming and replication setup](https://github.com/netdata/netdata/blob/master/streaming/README.md). |
+| `respect do not track policy` | `no` | If set to `yes`, Netdata will respect the user's browser preferences for [Do Not Track](https://www.eff.org/issues/do-not-track) (DNT) and storing cookies. If DNT is _enabled_ in the browser, and this option is set to `yes`, nodes will not connect to any [registry](https://github.com/netdata/netdata/blob/master/registry/README.md). For certain browsers, users must disable DNT and change this option to `yes` for full functionality. |
+| `x-frame-options response header` | ` ` | Avoid [clickjacking attacks](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options), by ensuring that the content is not embedded into other sites. |
+| `allow connections from` | `localhost *` | Declare which IP addresses or full-qualified domain names (FQDNs) are allowed to connect to the web server, including the [dashboard](https://github.com/netdata/netdata/blob/master/docs/category-overview-pages/accessing-netdata-dashboards.md) or [HTTP API](https://github.com/netdata/netdata/blob/master/web/api/README.md). This is a global setting with higher priority to any of the ones below. |
+| `allow connections by dns` | `heuristic` | See the [access list examples](#access-lists) for details on using `allow` settings. |
+| `allow dashboard from` | `localhost *` | |
+| `allow dashboard by dns` | `heuristic` | |
+| `allow badges from` | `*` | |
+| `allow badges by dns` | `heuristic` | |
+| `allow streaming from` | `*` | |
+| `allow streaming by dns` | `heuristic` | |
+| `allow netdata.conf` | `localhost fd* 10.* 192.168.* 172.16.* 172.17.* 172.18.* 172.19.* 172.20.* 172.21.* 172.22.* 172.23.* 172.24.* 172.25.* 172.26.* 172.27.* 172.28.* 172.29.* 172.30.* 172.31.* UNKNOWN` | |
+| `allow netdata.conf by dns` | `no` | |
+| `allow management from` | `localhost` | |
+| `allow management by dns` | `heuristic` | |
+| `enable gzip compression` | `yes` | When set to `yes`, Netdata web responses will be GZIP compressed, if the web client accepts such responses. |
+| `gzip compression strategy` | `default` | Valid settings are `default`, `filtered`, `huffman only`, `rle` and `fixed`.