From 0b1dd5cf3552f408074298454eb21d053ec59f21 Mon Sep 17 00:00:00 2001
From: Till Faelligen
Date: Fri, 11 Oct 2019 10:07:07 +0200
Subject: [PATCH] Add warning message if metrics are exposed without protection
---
 common/httpapi.go | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/common/httpapi.go b/common/httpapi.go
index 6f1274b5a..1be05c9d1 100644
--- a/common/httpapi.go
+++ b/common/httpapi.go
@@ -13,6 +13,7 @@ import (
 "github.com/opentracing/opentracing-go/ext"
 "github.com/prometheus/client_golang/prometheus"
 "github.com/prometheus/client_golang/prometheus/promhttp"
+ "github.com/sirupsen/logrus"
 )
 // BasicAuth is used for authorization on /metrics handlers
@@ -125,6 +126,9 @@ func SetupHTTPAPI(servMux *http.ServeMux, apiMux http.Handler, cfg *config.Dendr
 // WrapHandlerInBasicAuth adds basic auth to a handler. Only used for /metrics
 func WrapHandlerInBasicAuth(h http.Handler, b BasicAuth) http.HandlerFunc {
+ if b.Username == "" || b.Password == "" {
+ logrus.Info("Metrics are exposed without protection. Make sure you set up protection at proxy level.")
+ }
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 // Serve without authorization if either Username or Password is unset
 if b.Username == "" || b.Password == "" {
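Review bot: The new notice in WrapHandlerInBasicAuth is emitted at Info level, so a deployment that filters logs at warning and above never sees that /metrics is being served without authentication; the commit title calls it a warning, and `logrus.Warn("Metrics are exposed without protection. Make sure you set up protection at proxy level.")` would match that intent. The check uses `||`, so a configuration with only one of Username or Password set also falls through to the unauthenticated path and gets the same generic message; that case looks like an operator mistake rather than a choice and is worth naming in the log text. The same condition is evaluated again inside the returned handler, whose body continues outside the hunk, so computing it once into a local before the `return` would keep the log and the bypass from drifting apart.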