hey,
<ServerHTTP>
PageNotFoundHook file:"stats.pl"
</ServerHTTP>
That's an interesting idea. As you mentioned below, ServerHTTP has a
number of settings to control login and login privileges. I would check
those and possibly restrict, with host-based and/or other firewalls,
access to the port configured for ServerHTTP.
I didn't find any drawbacks after going through the code. We will roll
with "DefaultPrivilegeLevel 0" and no AuthBy statements at all.
The only downside/issue I found is that if you access /login directly and
post the login form (that creates an internal radius request), the whole
ServerHTTP will stay in a state where every request gets redirected to
/login (including the PageNotFoundHook). This obviously makes the
/metrics endpoint useless.
In our case it's not a big issue because ServerHTTP is reachable from
very limited sources (but includes 127.0.0.1) and it doesn't influence
the actual radius service. Missing metrics we catch via monitoring
anyway. So I didn't investigate further.
--
tarko
_______________________________________________
radiator mailing list
radiator@lists.open.com.au
https://lists.open.com.au/mailman/listinfo/radiator