matched.
The admin level allows to enable/disable servers from the web interface. By
- default, statistics page is read-only for security reasons.
+ default, statistics page is read-only for security reasons. If "stats scope"
+ directives are set in the section, then only proxies designated by these
+ directives will accept state changes; access to other ones will be denied.
Currently, the POST request is limited to the buffer size minus the reserved
buffer space, which means that if the list of servers is too long, the
stats http-request auth unless AUTH
stats admin if AUTH_ADMIN
- See also : "stats enable", "stats auth", "stats http-request", section 12.2
- about userlists and section 7 about ACL usage.
+ See also : "stats enable", "stats auth", "stats http-request", "stats scope",
+ section 12.2 about userlists and section 7 about ACL usage.
ssl-f-use [<sslbindconf> ...]*
Assignate a certificate to the current frontend.
section in which the statement appears.
When this statement is specified, only the sections enumerated with this
- statement will appear in the report. All other ones will be hidden. This
- statement may appear as many times as needed if multiple sections need to be
- reported. Please note that the name checking is performed as simple string
- comparisons, and that it is never checked that a give section name really
- exists.
+ statement will appear in the report. All other ones will be hidden, and
+ attempts to change their state in admin mode will be rejected. This statement
+ may appear as many times as needed if multiple sections need to be reported.
+ Please note that the name checking is performed as simple string comparisons,
+ and that it is never checked that a give section name really exists.
Though this statement alone is enough to enable statistics reporting, it is
recommended to set all other settings in order to avoid relying on default
stats uri /admin?stats
stats refresh 5s
- See also : "stats auth", "stats enable", "stats realm", "stats uri"
+ See also : "stats auth", "stats enable", "stats realm", "stats uri" and
+ "stats admin"
stats show-desc [ <desc> ]
#include <haproxy/pipe.h>
#include <haproxy/proxy.h>
#include <haproxy/stats.h>
+#include <haproxy/stats-proxy.h>
#include <haproxy/stconn.h>
#include <haproxy/server.h>
#include <haproxy/task.h>
/* Now we can check the key to see what to do */
if (!px && (strcmp(key, "b") == 0)) {
- if ((px = proxy_be_by_name(value)) == NULL) {
+ /* we need to lookup the proxy because its name
+ * may be a real name ("pub") or numeric ("#4").
+ */
+ px = proxy_be_by_name(value);
+
+ /* now we have two possibilities:
+ * - if the are "stats scope" rules, a non-existing
+ * proxy or a forbidden one are the same, we return
+ * a deny because a non-existing name cannot match
+ * a scope rule and we don't want to disclose the
+ * existence of a given name.
+ * - without "stats scope" rules, we just return
+ * not found.
+ */
+ if (ctx->http_px->uri_auth && ctx->http_px->uri_auth->scope) {
+ if (!px || !stats_proxy_in_scope(px, ctx->http_px->uri_auth, ctx->http_px)) {
+ /* "stats scope" rules do not permit to access this proxy name */
+ ctx->st_code = STAT_STATUS_DENY;
+ goto out;
+ }
+ }
+
+ if (!px) {
/* the backend name is unknown or ambiguous (duplicate names) */
ctx->st_code = STAT_STATUS_ERRP;
goto out;