Disabling Swagger pages in PMM

Can the Swagger UI pages and API endpoints exposed by PMM v2.x be disabled for use or access (i.e. these API endpoints should only be accessible by the PMM app components as server-to-server communication, and not called manually by a user or via the Swagger UI), as they pose an additional attack surface for malicious users from a security standpoint?

May I know how we can do so?

Reference: API - Percona Monitoring and Management

Thank you!


Swagger can be disabled in /etc/nginx/conf.d/pmm.conf. Be aware that files in /etc are replaced in certain upgrade situations, so anything you change in there should be part of your post-upgrade checks to make sure something isn’t re-enabled if there is a significant enough change in nginx version.

You could also do this to the API, but many of these APIs are leveraged by pmm-client for adding nodes, polling for status, etc., so it may break things. It may be better to limit access to IP ranges instead of disabling.

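The two approaches from the answer above, as an added example and not a fragment of PMM's shipped pmm.conf: the Swagger UI location is turned off outright, while the API location is limited to the networks where pmm-client runs instead of being disabled. The paths /swagger and /v1/ and the address ranges are assumptions; check them against the location blocks actually present in your /etc/nginx/conf.d/pmm.conf and add the directives inside those existing blocks rather than creating new ones, so the existing proxy settings are kept.

```nginx
# Added example (not PMM's own config). Directives go inside the matching
# existing location blocks in /etc/nginx/conf.d/pmm.conf. Paths and IP ranges
# are assumptions; adjust to your deployment.
#
# /etc files can be replaced on upgrade, so re-check this after every
# PMM Server upgrade.

# Swagger UI: no legitimate server-to-server use, so disable it entirely.
location /swagger {
    return 404;
}

# API: pmm-client needs it (node registration, status polling), so restrict
# rather than disable. Order matters: allow rules first, then deny all.
location /v1/ {
    allow 127.0.0.1;        # PMM Server's own components
    allow 10.0.0.0/8;       # constructed example: network of monitored hosts
    deny  all;              # everything else gets 403
    # ... existing proxy_pass and proxy_set_header lines stay unchanged ...
}
```

Run `nginx -t` and reload before trusting the change, then confirm from an address outside the allowed ranges that /swagger returns 404 and /v1/ returns 403, and add that same pair of requests to your post-upgrade checks.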