This message was deleted.
# generals
Slackbot
03/02/2023, 6:20 PMThis message was deleted.
🙌 1
v
Vishal Sharma
03/02/2023, 6:23 PMThere’s already an issue open for this. You can follow it: https://github.com/SigNoz/signoz/issues/1254
cc: @Ankit Nayan Will this be prioritized in upcoming weeks?
m
Marc d'Entremont
03/02/2023, 6:50 PMHi @Vishal Sharma
Thanks for the reply
I was think more about telemetry coming from web browsers. I think the article link in the issue https://medium.com/opentelemetry/securing-your-opentelemetry-collector-1a4f9fa5bd6f is for an OTel agent connecting to with the collector. I would expect that viable within a k8s cluster, but not so viable for web browsers
a
Ankit Nayan
03/02/2023, 7:41 PM
@Marc d'Entremont great that you brought that up. What security measures you think should be added to enable safe frontend to otel-collector communication? A few in mind are:
• Client Authorisation using API_KEY
• HTTPS
• CSRF protection
• CORS handling
Ankit Nayan
03/02/2023, 7:42 PM
Have you been able to enable distributed tracing of backend services with SigNoz and looking to add tracing from frontend too?
m
Marc d'Entremont
03/02/2023, 9:09 PMI think those approaches to security are the best we can do. I have SigNoz working locally at this point, but I’m hoping for a good solution for avoid abuse before looking at deploying on the Internet.
Marc d'Entremont
03/02/2023, 9:10 PMI wonder what happens thousands of erroneous traces get to the collector
a
Ankit Nayan
03/03/2023, 4:35 AM
I understand the concerns for adding tracing to browsers as they would be talking to publicly exposed collectors. I think we should be prioritising this and pick up very soon. Till then you can keep exploring SigNoz without exposing SigNoz to the internet 🙂
s
Srikanth Chekuri
03/03/2023, 5:11 AMWhile these measures help, the rouge actors can still act bad. In case of API_KEY/SECRET_KEY they can visit your app and copy the values. I am not sure if there is truly attack free system possible if you want to make it accessible from the public internet.
m
Marc d'Entremont
03/04/2023, 9:44 PMI’m thinking that one approach could be to buffer traces, logs, metrics in the browser until the user authenticates. I know that this would not be appropriate for some web apps, e.g. where user’s do not login, but in many cases it seems like a good approach. In scenarios where a user has a cookie already set it would not need to be buffered, but in reality a little buffering is likely a good thing.
There would need to be limits placed to avoid buffering too much data and either a rolling window of data to remove the oldest data as the buffer becomes full, or stop adding data after a certain point.
a
Ankit Nayan
03/05/2023, 7:34 AM
I think OpenTelemetry sdks already do have buffers to batch data and send but that is unrelated to auth atleast in their case
✅ 1
17 Views