[REL-961] Close Grafana port from outside access #1204
Merged
marcleblanc2 merged 2 commits into main on May 9, 2025
DaedalusG (Contributor) approved these changes on May 9, 2025 and left a comment:
I did a review and this looks good to me. I haven't tried a deploy of these changes myself, but I trust your test. I actually think this is a better design in general 👍🏼
Might want to run it by security, but I think having people have to auth through the frontend to look at Grafana makes more sense than leaving it exposed as a sidecar on the host machine.
Final thought is just that hopefully we don't have any on-prem people who have some odd configuration relying on this. Might be worth a note in the deployment type upgrade notes for docker-compose.
MaedahBatool added a commit to sourcegraph/docs that referenced this pull request on Jun 24, 2025:
…ents (#1129)

<!-- Explain the changes introduced in your PR -->

Add note about closing Grafana port 3370 by default on Docker deployments, as per sourcegraph/deploy-sourcegraph-docker#1204

## Pull Request approval

You will need to get your PR approved by at least one member of the Sourcegraph team. For reviews of docs formatting, styles, and component usage, please tag the docs team via the #docs Slack channel.

Co-authored-by: Maedah Batool <me@MaedahBatool.com>
REL-961 Review Docker Compose file for Grafana port exposure security
Is there any particular reason why we have the Grafana port 3370 open for side channel access? It seems like it's been open since Grafana was first bundled with the product in 51ca079, even though the reverse proxy was implemented at about the same time, in https://github.com/sourcegraph/sourcegraph/commit/939b612fb319f6563116f4bcd5814dc486f78361
I suggest we close the side channel access, to reduce exposure for customers running the Airgapped Analytics dashboard.
Also, fixed a broken port number in sourcegraph-frontend-internal's config for the Grafana URL, which has been broken since f6f8d8d, so probably not used.
Checklist
Test plan
Tested on test instance, frontend still proxies the connection to Grafana as needed, without side channel access
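A check for the exposure this PR closes, as an added example that is not part of the PR or the repository: it scans a Compose file for host port mappings reachable from other machines on services that are not meant to be public. The service names, images and frontend mapping are constructed, only Grafana's port 3370 comes from the page, and the scanner assumes two-space indentation and short-syntax `ports:` entries.

```python
import ipaddress
import re

# Constructed compose fragment (not the repository's file): service names,
# images and the frontend mapping are assumptions; only 3370 is from the page.
BEFORE = """\
services:
  frontend:
    image: example/frontend
    ports:
      - '443:3080'
  grafana:
    image: example/grafana
    ports:
      - '0.0.0.0:3370:3370'
"""
# Same file with Grafana's host port mapping removed.
AFTER = BEFORE.replace("    ports:\n      - '0.0.0.0:3370:3370'\n", "")

def parse_port(spec):
    """Split compose short syntax [HOST_IP:][HOST_PORT:]CONTAINER[/PROTO]."""
    spec, _, proto = spec.partition("/")
    parts = spec.rsplit(":", 2)  # right split keeps a bracketed IPv6 address whole
    host_port = parts[-2] if len(parts) >= 2 else ""  # "" means ephemeral host port
    # Without an explicit host IP, Docker publishes on all interfaces.
    host_ip = parts[0].strip("[]") if len(parts) == 3 else "0.0.0.0"
    return host_ip, host_port, parts[-1], proto or "tcp"

def published_ports(compose_text):
    """Yield (service, spec) for each short-syntax entry under a ports: key."""
    service, in_ports = None, False
    for line in compose_text.splitlines():
        if m := re.match(r"^  ([\w.-]+):\s*$", line):
            service, in_ports = m.group(1), False
        elif re.match(r"^    ports:\s*$", line):
            in_ports = True
        elif in_ports and (m := re.match(r"""^\s{4,}-\s*['"]?([^'"#\s]+)""", line)):
            yield service, m.group(1)
        elif line.strip():
            in_ports = False

def unexpected_exposures(compose_text, allowed=frozenset()):
    """List non-loopback host bindings on services not in the allowed set."""
    findings = []
    for service, spec in published_ports(compose_text):
        host_ip, host_port, container, _ = parse_port(spec)
        if service not in allowed and not ipaddress.ip_address(host_ip).is_loopback:
            findings.append((service, host_ip, host_port or "ephemeral", container))
    return findings
```

Run in CI with `allowed={"frontend"}`, a non-empty result means a service other than the authenticated entry point is published on the host.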