Add Prometheus hostname to list of allowed hosts. (#724)

bgravenorst · web-flow · commit 8062fcbc1f88 · 2021-06-01T14:04:14.000+10:00
* Rename whitelist to allowlist.

Signed-off-by: Byron Gravenorst &lt;byron.gravenorst@consensys.net&gt;

* Additional updates.

Signed-off-by: Byron Gravenorst &lt;byron.gravenorst@consensys.net&gt;

* Whitelist renaming.

Signed-off-by: Byron Gravenorst &lt;byron.gravenorst@consensys.net&gt;

* Address reviewer feedback.

Signed-off-by: Byron Gravenorst &lt;byron.gravenorst@consensys.net&gt;

* Fix typos.

Signed-off-by: Byron Gravenorst &lt;byron.gravenorst@consensys.net&gt;

* Add Prometheus endpoint to list of allowed hosts.

Signed-off-by: bgravenorst &lt;byron.gravenorst@consensys.net&gt;

* Address reviewer feedback.

Signed-off-by: bgravenorst &lt;byron.gravenorst@consensys.net&gt;
diff --git a/docs/HowTo/Monitor/Metrics.md b/docs/HowTo/Monitor/Metrics.md
@@ -89,6 +89,15 @@ To configure Prometheus and run with Besu:
    [`--metrics-enabled`](../../Reference/CLI/CLI-Syntax.md#metrics-enabled) option. To start a
    single node for testing with metrics enabled:
 
+    !!! important
+
+        To avoid DNS rebinding attacks, if running Prometheus on a different host to your Besu node
+        (any host other than `localhost`), ensure you add the hostname that Prometheus uses to
+        connect to Besu to [`--host-allowlist`](../../Reference/CLI/CLI-Syntax.md#host-allowlist).
+
+        For example, if Prometheus is configured to get metrics from `http://besu.local:8008/metrics`
+        then `besu.local` has to be in `--host-allowlist`.
+
     === "Command syntax"
 
         ```bash
@@ -104,7 +113,7 @@ To configure Prometheus and run with Besu:
     To specify the host and port on which Prometheus accesses Besu, use the
     [`--metrics-host`](../../Reference/CLI/CLI-Syntax.md#metrics-host) and
     [`--metrics-port`](../../Reference/CLI/CLI-Syntax.md#metrics-port) options. The default host
-    and port are 127.0.0.1 and 9545.
+    and port are 127.0.0.1 (`localhost`) and 9545.
 
 1. In another terminal, run Prometheus specifying the `prometheus.yml` file:
 
diff --git a/docs/Reference/CLI/CLI-Syntax.md b/docs/Reference/CLI/CLI-Syntax.md
@@ -613,8 +613,9 @@ Show the help message and exit.
     host-allowlist=["medomain.com", "meotherdomain.com"]
     ```
 
-A comma-separated list of hostnames to allow
-[access to the JSON-RPC API](../../HowTo/Interact/APIs/Using-JSON-RPC-API.md#host-allowlist). By
+A comma-separated list of hostnames to
+[access to the JSON-RPC API](../../HowTo/Interact/APIs/API.md#host-allowlist) and
+[pull Besu metrics](../../HowTo/Monitor/Metrics.md). By
 default, Besu accepts access from `localhost` and `127.0.0.1`.
 
 !!!note
