From f137702f238f55e70e4d39d99b44e4a1db07b0bf Mon Sep 17 00:00:00 2001
From: Alberto Bertogli <albertito@blitiri.com.ar>
Date: Fri, 11 Jun 2021 23:29:52 +0100
Subject: [PATCH] trace: Remove restriction on tracing pages

By default, golang.org/x/net/trace currently only allows the tracing
pages to be seen from localhost.

This restriction can be confusing for people accessing the monitoring
server remotely, and adds no value in our environment.

The monitoring server already exports very sensitive information, and
must be enabled with care, and is not on by default. This is well
documented.

This patch removes the restriction, making all the monitoring pages
equally accessible.
---
 internal/trace/trace.go | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/internal/trace/trace.go b/internal/trace/trace.go
index 84880c9..8dc9411 100644
--- a/internal/trace/trace.go
+++ b/internal/trace/trace.go
@@ -3,6 +3,7 @@ package trace
 
 import (
 	"fmt"
+	"net/http"
 	"strconv"
 
 	"blitiri.com.ar/go/log"
@@ -10,6 +11,15 @@ import (
 	nettrace "golang.org/x/net/trace"
 )
 
+func init() {
+	// golang.org/x/net/trace has its own authorization which by default only
+	// allows localhost. This can be confusing and limiting in environments
+	// which access the monitoring server remotely.
+	nettrace.AuthRequest = func(req *http.Request) (any, sensitive bool) {
+		return true, true
+	}
+}
+
 // A Trace represents an active request.
 type Trace struct {
 	family string