#187: 5.7. maintenance endpoint is dangerous when it becomes a target of DDOS

Jason Kim
2018-05-29 22:35:52 -07:00
parent 30b0d11846
commit 74ef41ef69

@ -4,7 +4,7 @@
### One Paragraph Explainer
A maintenance endpoint is a plain secured HTTP API that is part of the app code and its purpose is to be used by the ops/production team to monitor and expose maintenance functionality. For example, it can return a head dump (memory snapshot) of the process, report whether there are some memory leaks and even allow to execute REPL commands directly. This endpoint is needed where the conventional DevOps tools (monitoring products, logs, etc) fails to gather some specific type of information or you choose not to buy/install such tools. The golden rule is using professional and external tools for monitoring and maintaining the production, these are usually more robust and accurate. That said, there are likely to be cases where the generic tools will fail to extract information that is specific to Node or to your app for example, should you wish to generate a memory snapshot at the moment GC completed a cycle few NPM libraries will be glad to perform this for you but popular monitoring tools will be likely to miss this functionality
A maintenance endpoint is a highly secure HTTP API that is part of the app code and its purpose is to be used by the ops/production team to monitor and expose maintenance functionality. For example, it can return a head dump (memory snapshot) of the process, report whether there are some memory leaks and even allow to execute REPL commands directly. This endpoint is needed where the conventional DevOps tools (monitoring products, logs, etc) fails to gather some specific type of information or you choose not to buy/install such tools. The golden rule is using professional and external tools for monitoring and maintaining the production, these are usually more robust and accurate. That said, there are likely to be cases where the generic tools will fail to extract information that is specific to Node or to your app for example, should you wish to generate a memory snapshot at the moment GC completed a cycle few NPM libraries will be glad to perform this for you but popular monitoring tools will be likely to miss this functionality. It is important to keep this endpoint private and accessibly only by admins because the endpoint can be a target of a DDOS attack.
<br/><br/>
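Review bot: The new closing sentence of the explainer justifies keeping the endpoint private only by DDOS, yet the same paragraph says the endpoint can return a memory snapshot of the process and execute REPL commands directly, so disclosure of process memory and command execution by a non-admin belong in that rationale as well. In the same sentence "accessibly only by admins" should read "accessible only by admins". The change from "plain secured" to "highly secure" also states a property without saying what provides it; naming the expected control (for example, admin authentication) would make the claim checkable against the code sample.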
@ -13,8 +13,18 @@ A maintenance endpoint is a plain secured HTTP API that is part of the app code
```javascript
var heapdump = require('heapdump');
// Check if request is authorized
function isAuthorized(req) {
// ...
}
router.get('/ops/headump', (req, res, next) => {
if (!isAuthorized(req)) {
return res.status(403).send('You are not authorized!');
}
logger.info('About to generate headump');
heapdump.writeSnapshot((err, filename) => {
console.log('headump file is ready to be sent to the caller', filename);
fs.readFile(filename, "utf-8", (err, data) => {
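Review bot: The added `isAuthorized(req)` has only `// ...` as its body, so the sample never shows what "authorized" means for this endpoint; a comment stating what it is expected to verify (the explainer says admins only) would keep readers from copying an empty stub. Rejecting with 403 before `heapdump.writeSnapshot` is the right order, since unauthorized callers then cannot trigger a snapshot, but the DDOS concern in the commit title is only partly covered: nothing in the visible lines limits how often an authorized caller can request a dump. In the context lines, the `err` passed to the `writeSnapshot` callback is not checked before `fs.readFile(filename, ...)` is called, which is worth handling while this block is being touched.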