bryancall commented on issue #8176:
URL: https://github.com/apache/trafficserver/issues/8176#issuecomment-4827449241

   This is working as designed rather than a bug. The stats_over_http plugin is 
a global plugin that adds a TS_HTTP_READ_REQUEST_HDR hook and serves the stats 
response itself through a transaction intercept. That interception runs before 
remap.config is evaluated, so remap rules (including @action=deny) never apply 
to the stats path. On current master the plugin even explicitly skips remapping 
for the stats request. Access control for the endpoint is meant to be done with 
the plugin's own settings, the allow_ip and allow_ip6 options in the plugin 
config file (or an ip_allow.yaml rule), which is exactly the approach you found 
working. Since that is the intended way to restrict the endpoint and there is 
no further activity, I am closing this. Please reopen if the documented 
allow_ip filtering does not behave as expected.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to