From 397530b1e9ebbc76a83c8c1cc08e218ce517fee0 Mon Sep 17 00:00:00 2001
From: Olivier Houchard
Date: Wed, 1 Apr 2026 14:25:05 +0200
Subject: [PATCH] MEDIUM: stats: Hide the version by default and add stats-showversion

Reverse the default, to hide the version from stats by default, and add a new keyword, "stats show-version", to enable them, as we don't want to disclose the version by default, especially on public websites.
---
 doc/configuration.txt | 27 ++++++++++++++++++++++++---
 include/haproxy/stats-t.h | 2 +-
 src/cfgparse-listen.c | 7 +++++--
 src/stats-html.c | 2 +-
 4 files changed, 31 insertions(+), 7 deletions(-)
diff --git a/doc/configuration.txt b/doc/configuration.txt
index a896eef04..14885de95 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -6098,6 +6098,7 @@ stats scope X X X X
 stats show-desc X X X X
 stats show-legends X X X X
 stats show-node X X X X
+stats show-version X X X X
 stats uri X X X X
 -- keyword -------------------------- defaults - frontend - listen -- backend - stick match - - X X
@@ -12913,12 +12914,12 @@ stats hide-version
 Arguments : none
- By default, the stats page reports some useful status information along with
+ The stats page can report some useful status information along with
 the statistics. Among them is HAProxy's version. However, it is generally
 considered dangerous to report precise version to anyone, as it can help them
 target known weaknesses with specific attacks. The "stats hide-version"
 statement removes the version from the statistics report. This is recommended
- for public sites or any site with a weak login/password.
+ for public sites or any site with a weak login/password, and is the default.
 Though this statement alone is enough to enable statistics reporting, it is
 recommended to set all other settings in order to avoid relying on default
@@ -12942,7 +12943,8 @@ stats hide-version
 stats uri /admin?stats
 stats refresh 5s
- See also : "stats auth", "stats enable", "stats realm", "stats uri"
+ See also : "stats auth", "stats enable", "stats realm", "stats uri",
+ "stats show-version"
 stats http-request { allow | deny | auth [realm ] }
@@ -13208,6 +13210,25 @@ stats show-node [ ]
 See also: "show-desc", "stats enable", "stats uri", and "node" in global section.
+stats show-version
+ Enable statistics and show HAProxy version reporting
+ May be used in the following contexts: http
+ May be used in sections : defaults | frontend | listen | backend
+ yes | yes | yes | yes
+ Arguments : none
+ The stats page can report some useful status information along with
+ the statistics. Among them is HAProxy's version. However, it is generally
+ considered dangerous to report precise version to anyone, as it can help them
+ target known weaknesses with specific attacks, and so is disabled by default.
+ The "stats show-version" enables displaying those informations. This is not
+ recommanded for public sites or any site with a weak login/password.
+ See also : "stats auth", "stats enable", "stats realm", "stats uri",
+ "stats hide-version"
 stats uri
 Enable statistics and define the URI prefix to access them
diff --git a/include/haproxy/stats-t.h b/include/haproxy/stats-t.h
index ffdd0b15a..8323778ce 100644
--- a/include/haproxy/stats-t.h
+++ b/include/haproxy/stats-t.h
@@ -37,7 +37,7 @@
 #define STAT_F_CHUNKED 0x00000040 /* use chunked encoding (HTTP/1.1) */
 #define STAT_F_JSON_SCHM 0x00000080 /* dump the json schema */
-#define STAT_F_HIDEVER 0x00000100 /* conf: do not report the version and reldate */
+#define STAT_F_SHOWVER 0x00000100 /* conf: report the version and reldate */
 #define STAT_F_SHNODE 0x00000200 /* conf: show node name */
 #define STAT_F_SHDESC 0x00000400 /* conf: show description */
 #define STAT_F_SHLGNDS 0x00000800 /* conf: show legends */
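Review bot: The comment on the renamed STAT_F_SHOWVER flag only describes the set state, while the security-relevant part of this change is that a flags word with the bit clear (the zero-initialised default) now hides the version; saying so at the definition would spare the next reader a trip to cfgparse-listen.c: `/* conf: report the version and reldate (hidden unless set) */`. Keeping the same 0x00000100 value under a new name means any remaining STAT_F_HIDEVER user outside the four files in the diffstat would fail to compile rather than silently invert its meaning, which is the outcome one wants here; a grep across the tree before merging would confirm the diffstat is complete.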
diff --git a/src/cfgparse-listen.c b/src/cfgparse-listen.c
index f63a0853d..af670e5d0 100644
--- a/src/cfgparse-listen.c
+++ b/src/cfgparse-listen.c
@@ -1976,7 +1976,10 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm)
 if (!stats_check_init_uri_auth(&curproxy->uri_auth))
 goto alloc_error;
 } else if (strcmp(args[1], "hide-version") == 0) {
- if (!stats_set_flag(&curproxy->uri_auth, STAT_F_HIDEVER))
+ if (curproxy->uri_auth)
+ curproxy->uri_auth->flags &= ~STAT_F_SHOWVER;
+ } else if (strcmp(args[1], "show-version") == 0) {
+ if (!stats_set_flag(&curproxy->uri_auth, STAT_F_SHOWVER))
 goto alloc_error;
 } else if (strcmp(args[1], "show-legends") == 0) {
 if (!stats_set_flag(&curproxy->uri_auth, STAT_F_SHLGNDS))
@@ -2043,7 +2046,7 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm)
 }
 } else {
 stats_error_parsing:
- ha_alert("parsing [%s:%d]: %s '%s', expects 'admin', 'uri', 'realm', 'auth', 'scope', 'enable', 'hide-version', 'show-node', 'show-desc' or 'show-legends'.\n",
+ ha_alert("parsing [%s:%d]: %s '%s', expects 'admin', 'uri', 'realm', 'auth', 'scope', 'enable', 'hide-version', 'show-node', 'show-desc' , 'show-legends' or 'show-version'.\n",
 file, linenum, *args[1]?"unknown stats parameter":"missing keyword in", args[*args[1]?1:0]);
 err_code |= ERR_ALERT | ERR_FATAL;
 goto out;
diff --git a/src/stats-html.c b/src/stats-html.c
index cd9e37e9a..68790fbb9 100644
--- a/src/stats-html.c
+++ b/src/stats-html.c
@@ -289,7 +289,7 @@ void stats_dump_html_info(struct stconn *sc)
 "" "Display option:
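Review bot: The new `hide-version` branch does nothing when `curproxy->uri_auth` is still NULL, whereas the removed `stats_set_flag()` call, judging by the `alloc_error` path it shares with `stats_check_init_uri_auth()` two lines above, presumably allocated it; so `stats hide-version` no longer enables the stats page on its own, while the doc hunk in this same patch still states that this statement alone is enough to enable statistics reporting. With the bit clear by default the version stays hidden either way, but a configuration that relied on the old side effect would silently lose its stats URI, and the keyword is accepted without any warning that it had no effect. To keep the documented behaviour, allocate first and then clear the bit: `if (!stats_check_init_uri_auth(&curproxy->uri_auth)) goto alloc_error;` followed by `curproxy->uri_auth->flags &= ~STAT_F_SHOWVER;`. Whether `uri_auth` may at this point still be shared with the defaults section, in which case the in-place `&=` would affect other proxies, is not visible in the hunk and worth checking. cfg_parse_listen() starts and ends outside the hunk.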
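Review bot: The rewritten ha_alert() message has a stray space before the comma in `'show-desc' , 'show-legends'`; the keyword list should read `'show-desc', 'show-legends' or 'show-version'` so the user-visible error stays consistent with the rest of the list. The enclosing cfg_parse_listen() starts and ends outside the hunk.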
    " "", - (ctx->flags & STAT_F_HIDEVER) ? "" : (stats_version_string), + (ctx->flags & STAT_F_SHOWVER) ? (stats_version_string) : "", pid, (ctx->flags & STAT_F_SHNODE) ? " on " : "", (ctx->flags & STAT_F_SHNODE) ? (uri->node ? uri->node : global.node) : "", (ctx->flags & STAT_F_SHDESC) ? ": " : "",