From 75e22c58ef15311362db510c467f213ea2828a85 Mon Sep 17 00:00:00 2001
From: Gabe Kangas
Date: Fri, 9 Dec 2022 14:10:08 -0800
Subject: [PATCH] Explicitly block requests to /debug/vars
---
 router/router.go | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/router/router.go b/router/router.go
index fdb5e9dbf..b99355635 100644
--- a/router/router.go
+++ b/router/router.go
@@ -373,11 +373,25 @@ func Start() error {
 port := config.WebServerPort
 ip := config.WebServerIP
+ // Create a custom mux handler to intercept the /debug/vars endpoint.
+ // This is a hack because Prometheus enables this endpoint by default
+ // due to its use of expvar and we do not want this exposed.
 h2s := &http2.Server{}
+ defaultMux := h2c.NewHandler(http.DefaultServeMux, h2s)
+ m := http.NewServeMux()
+ m.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+ if r.URL.Path == "/debug/vars" {
+ w.WriteHeader(http.StatusNotFound)
+ return
+ } else {
+ defaultMux.ServeHTTP(w, r)
+ }
+ })
+
 server := &http.Server{
 Addr: fmt.Sprintf("%s:%d", ip, port),
 ReadHeaderTimeout: 4 * time.Second,
- Handler: h2c.NewHandler(http.DefaultServeMux, h2s),
+ Handler: m,
 }
 log.Infof("Web server is listening on IP %s port %d.", ip, port)
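Review bot: The filter in the new `m.HandleFunc("/", …)` closure is a single-path denylist placed in front of `http.DefaultServeMux`, so any other handler a dependency registers on the default mux by import side effect (for example `net/http/pprof` under `/debug/pprof/`, should it ever be linked in) would still be served. If no application route lives under `/debug/` (not visible from this hunk), rejecting the whole prefix is sturdier: `if r.URL.Path == "/debug" || strings.HasPrefix(r.URL.Path, "/debug/") {`; the longer-term fix is to register routes on a dedicated mux rather than the default one. The `else` after `return` is redundant, and `http.NotFound(w, r)` is the idiomatic way to write the 404. A handler test asserting that `/debug/vars` returns 404 through `server.Handler` would keep this from regressing; `Start` continues outside the hunk, so whether any other listener also serves `http.DefaultServeMux` cannot be confirmed here.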