Upcoming Deprecation of HTTP Endpoints

crichard 2017-01-09 18:37:19 UTC #1

We have recieved a 2nd notice on the deprecation of the http endpoints and the email stated that we still have requests going to plain http endpoints. However when I click the link provided in the email to see the request made within the last hour there are no request.

Is there a way we can see request older than an hour to be able to determine what systems have made these request and fix the URL before the deprecation deadline?

crichard 2017-01-10 23:27:57 UTC #2

Any update on this issue?

Limey 2017-01-11 00:10:00 UTC #3

While there isn't a convenient way to give you a longer time frame, I checked your account (for rpx* ) for the last 2 weeks and there was no usage of "http" via the API.

crichard 2017-01-11 18:14:08 UTC #4

Ok, so do you know why we received an email from NewRelic support stating that they were still seeing traffic over http and this was the 2nd notice to make the change to https?

See email content below:

Dear customer,

This is a second notice on this issue as we are still seeing activity from your account to the endpoints we will soon be deprecating.

In order to better protect the security of your data, New Relic is updating our REST API to require HTTPS, specifically Transport Layer Security (TLS), for every API endpoint. All API endpoints are currently available through HTTPS, but we will be requiring it by April 30, 2017.

Why are we making this change?

Every incoming API request requires your API key, which helps to prevent other users from being able to see your data. Most of the API requests we serve are made over HTTPS, meaning that the transmission of the API key is encrypted.

A few requests, however, arrive over plain HTTP. When using HTTP, there is some risk that your transmission, including API key, could be intercepted between your network and ours, enabling someone else to make API requests on your behalf. While the risks of such an interception are limited, it is important to protect your key.

In order to help ensure your transmission is protected, we are ending support for all use of unsecured HTTP in New Relic APM, both in our user interface and in our API. Most of our API was already restricted to HTTPS-only, and we are now moving to restrict the few remaining endpoints.

What do you need to do?

To see a list of unsecured URLs that your account has visited recently, go to https://rpm.newrelic.com/https_upgrade. For any unsecured URLs listed, you will need to update your system to request this data via HTTPS instead (by April 30, 2017).

For instance, the following URL:

http://api.newrelic.com/api/v1/accounts.xml

...would need to be converted to its HTTPS version:

https://api.newrelic.com/api/v1/accounts.xml.

If you need help tracking down where these requests are coming from, or have any questions about this transition, please visit our online technical community at https://discuss.newrelic.com/t/rest-api-to-require-https-by-april-30-2017/42672. We can provide diagnostic information that will help you track down this usage.

When do you need to make a change?

We will be permanently discontinuing all non-HTTPS access to New Relic APM on May 1, 2017. Your systems will need to be making all of their API calls via HTTPS only by 11:59 PM UTC on April 30, 2017 to avoid any interruption in your data retrieval.

We understand that it will take time and effort to make this change, and we appreciate your help keeping your data secure.

Sincerely,

New Relic

New Relic, Inc. 188 Spear Street San Francisco, CA 94105

Limey 2017-01-11 21:24:31 UTC #5

Sorry Chris,

The query I used to check this had a typo in it. The following were the cause of the second email. This is a list of the times and the URLs that were referenced:

04 Jan 06:17:01 http://rpm.newrelic.com/deployments.xml
04 Jan 05:57:54 http://rpm.newrelic.com/deployments.xml
04 Jan 05:55:55 http://rpm.newrelic.com/deployments.xml

The endpoint (URL) is the old deployment endpoint so it appears that there may be a script or program associated with your deployments that caused your account to be included in the second email. It is also possible that this could be caused by using an older agent. I would suggest seeing if you can determine who did a deployment at the times indicated and check their deploy process/scripts for "http". Given the proximity of times, it could be a single application on 3 servers.

Sorry for the confusion.

Limey 2017-01-11 21:34:01 UTC #6

FYI, Chris,

Here is a later set of deployments:

05 Jan 03:16:41 http://rpm.newrelic.com/deployments.xml
05 Jan 03:14:10 http://rpm.newrelic.com/deployments.xml
05 Jan 03:10:54 http://rpm.newrelic.com/deployments.xml
05 Jan 03:10:37 http://rpm.newrelic.com/deployments.xml

crichard 2017-01-11 23:53:36 UTC #7

ok, thanks for the info.

