MEDIUM: stats: Hide the version by default and add stats-showversion

Reverse the default, to hide the version from stats by default, and add
a new keyword, "stats show-version", to enable it, as we don't want to
disclose the version by default, especially on public websites.
Olivier Houchard 2026-04-01 14:25:05 +02:00 committed by Olivier Houchard
parent 7c73b08a98
commit 397530b1e9
4 changed files with 31 additions and 7 deletions

@ -6098,6 +6098,7 @@ stats scope X X X X
stats show-desc X X X X
stats show-legends X X X X
stats show-node X X X X
stats show-version X X X X
stats uri X X X X
-- keyword -------------------------- defaults - frontend - listen -- backend -
stick match - - X X
@ -12913,12 +12914,12 @@ stats hide-version
Arguments : none
By default, the stats page reports some useful status information along with
The stats page can report some useful status information along with
the statistics. Among them is HAProxy's version. However, it is generally
considered dangerous to report precise version to anyone, as it can help them
target known weaknesses with specific attacks. The "stats hide-version"
statement removes the version from the statistics report. This is recommended
for public sites or any site with a weak login/password.
for public sites or any site with a weak login/password, and is the default.
Though this statement alone is enough to enable statistics reporting, it is
recommended to set all other settings in order to avoid relying on default
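Review bot: the unchanged sentence "Though this statement alone is enough to enable statistics reporting" no longer holds for "stats hide-version" after this patch: in the cfgparse-listen hunk the keyword now only clears STAT_F_SHOWVER when curproxy->uri_auth already exists and no longer allocates it through stats_set_flag(). Either keep the allocation in the parser (allocate, then clear the bit) or reword this paragraph to say that "stats hide-version" only undoes an earlier "stats show-version" and does not enable statistics on its own. The appended ", and is the default" also reads awkwardly right after "The "stats hide-version" statement removes the version from the statistics report"; consider "This is the default, and is recommended for public sites or any site with a weak login/password."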
@ -12942,7 +12943,8 @@ stats hide-version
stats uri /admin?stats
stats refresh 5s
See also : "stats auth", "stats enable", "stats realm", "stats uri"
See also : "stats auth", "stats enable", "stats realm", "stats uri",
"stats show-version"
stats http-request { allow | deny | auth [realm <realm>] }
@ -13208,6 +13210,25 @@ stats show-node [ <name> ]
See also: "show-desc", "stats enable", "stats uri", and "node" in global
section.
stats show-version
Enable statistics and show HAProxy version reporting
May be used in the following contexts: http
May be used in sections : defaults | frontend | listen | backend
yes | yes | yes | yes
Arguments : none
The stats page can report some useful status information along with
the statistics. Among them is HAProxy's version. However, it is generally
considered dangerous to report precise version to anyone, as it can help them
target known weaknesses with specific attacks, and so is disabled by default.
The "stats show-version" enables displaying those informations. This is not
recommanded for public sites or any site with a weak login/password.
See also : "stats auth", "stats enable", "stats realm", "stats uri",
"stats hide-version"
stats uri <prefix>
Enable statistics and define the URI prefix to access them
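Review bot: wording fixes needed in the new "stats show-version" entry: "recommanded" should be "recommended", "those informations" should be "this information", and "The "stats show-version" enables displaying" is missing its noun ("The "stats show-version" statement enables ..."). "and so is disabled by default" dangles from "it is generally considered dangerous"; suggest a separate sentence such as "Version reporting is therefore disabled by default." Since this keyword goes through stats_set_flag() in the parser, it would also help to state, as the hide-version entry does, that the statement alone enables statistics reporting, so readers know that "stats show-version" in a section turns the stats page on.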

@ -37,7 +37,7 @@
#define STAT_F_CHUNKED 0x00000040 /* use chunked encoding (HTTP/1.1) */
#define STAT_F_JSON_SCHM 0x00000080 /* dump the json schema */
#define STAT_F_HIDEVER 0x00000100 /* conf: do not report the version and reldate */
#define STAT_F_SHOWVER 0x00000100 /* conf: report the version and reldate */
#define STAT_F_SHNODE 0x00000200 /* conf: show node name */
#define STAT_F_SHDESC 0x00000400 /* conf: show description */
#define STAT_F_SHLGNDS 0x00000800 /* conf: show legends */
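Review bot: STAT_F_SHOWVER reuses bit 0x00000100 with the opposite polarity of the removed STAT_F_HIDEVER. Any remaining reference to the old macro outside this diff will fail to compile, which is the safe outcome, but any code that tests or initialises the raw bit value rather than the macro would silently flip meaning; worth a grep for 0x00000100 and for flags initialisation in the stats code before merging. The updated comment "report the version and reldate" matches the documented behaviour.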

@ -1976,7 +1976,10 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm)
if (!stats_check_init_uri_auth(&curproxy->uri_auth))
goto alloc_error;
} else if (strcmp(args[1], "hide-version") == 0) {
if (!stats_set_flag(&curproxy->uri_auth, STAT_F_HIDEVER))
if (curproxy->uri_auth)
curproxy->uri_auth->flags &= ~STAT_F_SHOWVER;
} else if (strcmp(args[1], "show-version") == 0) {
if (!stats_set_flag(&curproxy->uri_auth, STAT_F_SHOWVER))
goto alloc_error;
} else if (strcmp(args[1], "show-legends") == 0) {
if (!stats_set_flag(&curproxy->uri_auth, STAT_F_SHLGNDS))
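Review bot: the "hide-version" branch becomes a silent no-op when curproxy->uri_auth is NULL, i.e. when it is the first "stats" keyword in the section, whereas every sibling branch (including the new "show-version") goes through stats_set_flag() and allocates uri_auth. Because hidden is now the default the end result is usually still correct, but the keyword no longer enables statistics as its documentation says it does, and "stats hide-version" written before any other stats keyword in a section does nothing, with no warning, when a "stats show-version" is inherited from the defaults section and uri_auth is created only later. Suggest allocating uri_auth the same way the other branches do (going through stats_set_flag() and then clearing STAT_F_SHOWVER, or a small clear-flag helper with the same allocation semantics) so the keyword keeps its previous enabling behaviour and its position in the section does not matter.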
@ -2043,7 +2046,7 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm)
}
} else {
stats_error_parsing:
ha_alert("parsing [%s:%d]: %s '%s', expects 'admin', 'uri', 'realm', 'auth', 'scope', 'enable', 'hide-version', 'show-node', 'show-desc' or 'show-legends'.\n",
ha_alert("parsing [%s:%d]: %s '%s', expects 'admin', 'uri', 'realm', 'auth', 'scope', 'enable', 'hide-version', 'show-node', 'show-desc' , 'show-legends' or 'show-version'.\n",
file, linenum, *args[1]?"unknown stats parameter":"missing keyword in", args[*args[1]?1:0]);
err_code |= ERR_ALERT | ERR_FATAL;
goto out;
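Review bot: stray space before the comma in the new error message: `'show-desc' , 'show-legends'` should be `'show-desc', 'show-legends'`. With "show-version" appended the enumeration no longer follows the order of the parser branches (hide-version, show-version, show-legends, ...); keeping the two in the same order makes it easier to check that every accepted keyword is listed.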

@ -289,7 +289,7 @@ void stats_dump_html_info(struct stconn *sc)
"<td align=\"left\" valign=\"top\" nowrap width=\"1%%\">"
"<b>Display option:</b><ul style=\"margin-top: 0.25em;\">"
"",
(ctx->flags & STAT_F_HIDEVER) ? "" : (stats_version_string),
(ctx->flags & STAT_F_SHOWVER) ? (stats_version_string) : "",
pid, (ctx->flags & STAT_F_SHNODE) ? " on " : "",
(ctx->flags & STAT_F_SHNODE) ? (uri->node ? uri->node : global.node) : "",
(ctx->flags & STAT_F_SHDESC) ? ": " : "",
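Review bot: the swap keeps the printf argument count and order unchanged, so the format string above needs no change. This is the only output site in the patch; any other dumper that still tests the old STAT_F_HIDEVER will surface as a build error now that the macro is gone, and each such site must be converted to the inverted STAT_F_SHOWVER test as done here rather than mechanically renamed, or it would show the version exactly when it should be hidden.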