Different URL for api push #2756

New issue

Closed

opened 2026-02-28 03:06:01 -05:00 by deekerman · 5 comments

deekerman commented 2026-02-28 03:06:01 -05:00

Owner

Copy link

Originally created by @notscottsmith on GitHub (Nov 7, 2023).

⚠️ Please verify that this bug has NOT been raised before.

• I checked and didn't find similar issue

🛡️ Security Policy

• I agree to have read this project Security Policy

📝 Describe your problem

Hi,

As part of how we do security at my workplace, we use differing URLs to obfuscate services which need access without any kind of authentication in front of it (e.g. Cloudflare). Is there a way to configure Kuma to recognise a different URL for API calls being done as part of a push test for a monitor?

e.g. kuma.company.com for the status page but api.company.com/api for the API calls?

📝 Error Message(s) or Log

No response

🐻 Uptime-Kuma Version

1.23.3

💻 Operating System and Arch

Kubernetes

🌐 Browser

Firefox

🐋 Docker Version

No response

🟩 NodeJS Version

16.20.2

Originally created by @notscottsmith on GitHub (Nov 7, 2023). ### ⚠️ Please verify that this bug has NOT been raised before. - [X] I checked and didn't find similar issue ### 🛡️ Security Policy - [X] I agree to have read this project [Security Policy](https://github.com/louislam/uptime-kuma/security/policy) ### 📝 Describe your problem Hi, As part of how we do security at my workplace, we use differing URLs to obfuscate services which need access without any kind of authentication in front of it (e.g. Cloudflare). Is there a way to configure Kuma to recognise a different URL for API calls being done as part of a push test for a monitor? e.g. kuma.company.com for the status page but api.company.com/api for the API calls? ### 📝 Error Message(s) or Log _No response_ ### 🐻 Uptime-Kuma Version 1.23.3 ### 💻 Operating System and Arch Kubernetes ### 🌐 Browser Firefox ### 🐋 Docker Version _No response_ ### 🟩 NodeJS Version 16.20.2

deekerman 2026-02-28 03:06:01 -05:00

• closed this issue
• added the
  Stale
  question
  A:monitor
  help
  labels

deekerman commented 2026-02-28 03:06:07 -05:00

Author

Owner

Copy link

@chakflying commented on GitHub (Nov 7, 2023):

The Status Pages do not need the websocket or the API to function. Have you tried setting a custom domain for your status page?

@chakflying commented on GitHub (Nov 7, 2023): The Status Pages do not need the websocket or the API to function. Have you tried setting a custom domain for your status page?

deekerman commented 2026-02-28 03:06:07 -05:00

Author

Owner

Copy link

@sevmonster commented on GitHub (Dec 16, 2023):

I think what @notscottsmith is talking about is similar to what I talked about here. For example, I use a special, internal-only URL for some of my HTTP monitors that only Uptime Kuma can access, that bypasses proxy authentication and sends directly to the underlying webapp. These endpoints may also potentially shim the proxy request headers so that the application returns correct data. It would be a major security threat should a URL like this be made public, if proper mitigations are not in place/not working to make sure that external/unauthed users cannot access the service via that URL. And currently, Uptime Kuma always shows the URL for HTTPS monitors with no option to disable it.

If I'm wrong and not understanding the OP, I can open a new issue.

@sevmonster commented on GitHub (Dec 16, 2023): I think what @notscottsmith is talking about is similar to what I talked about [here](https://github.com/louislam/uptime-kuma/issues/4179#issuecomment-1843825134). For example, I use a special, internal-only URL for some of my HTTP monitors that only Uptime Kuma can access, that bypasses proxy authentication and sends directly to the underlying webapp. These endpoints may also potentially shim the proxy request headers so that the application returns correct data. It would be a major security threat should a URL like this be made public, if proper mitigations are not in place/not working to make sure that external/unauthed users cannot access the service via that URL. And currently, Uptime Kuma always shows the URL for HTTPS monitors with no option to disable it. If I'm wrong and not understanding the OP, I can open a new issue.

deekerman commented 2026-02-28 03:06:07 -05:00

Author

Owner

Copy link

@CommanderStorm commented on GitHub (Dec 16, 2023):

@sevmonster this issue is specific to the push monitor.

I think you have not found this button on the status page:

@CommanderStorm commented on GitHub (Dec 16, 2023): @sevmonster this issue is specific to the push monitor. I think you have not found this button on the status page:  

deekerman commented 2026-02-28 03:06:07 -05:00

Author

Owner

Copy link

@sevmonster commented on GitHub (Dec 16, 2023):

Thanks for reminding me about that, I forgot it existed since I never use it because of the reasons I specified. But it affects HTTP monitors too, not just push. Or really anything with a URL set in the database, as seen in #4019.

As far as I can tell the general issue is that the monitor URL (which may be internal) is used in a number of places, including status pages, Discord alerts, and as the action for Ntfy notifications. Maybe more. This can expose an internal-only URL to external users.

#1793 is also relevant.

@sevmonster commented on GitHub (Dec 16, 2023): Thanks for reminding me about that, I forgot it existed since I never use it because of the reasons I specified. But it affects HTTP monitors too, not just push. Or really anything with a URL set in the database, as seen in #4019. As far as I can tell the general issue is that the monitor URL (which may be internal) is used in a number of places, including status pages, Discord alerts, and as the `action` for Ntfy notifications. Maybe more. This can expose an internal-only URL to external users. #1793 is also relevant.

deekerman commented 2026-02-28 03:06:07 -05:00

Author

Owner

Copy link

@github-actions[bot] commented on GitHub (Mar 18, 2024):

We are clearing up our old help-issues and your issue has been open for 60 days with no activity.
If no comment is made and the stale label is not removed, this issue will be closed in 7 days.

@github-actions[bot] commented on GitHub (Mar 18, 2024): We are clearing up our old `help`-issues and your issue has been open for 60 days with no activity. If no comment is made and the stale label is not removed, this issue will be closed in 7 days.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

npm-update

3.0.X

dev-better-auth

copilot/remove-password-complexity-requirements

2.2.X

copilot/sub-pr-6355

1.23.X

api-via-socketio-client

2.1.3

2.1.2

2.1.1

2.1.0

2.1.0-beta.3

2.1.0-beta.2

2.1.0-beta.1

2.1.0-beta.0

2.0.2

2.0.1

1.23.17

2.0.0

2.0.0-beta.4

2.0.0-beta.3

2.0.0-beta.2

2.0.0-beta.2-temp

2.0.0-beta.1

1.23.16

2.0.0-beta.0

1.23.15

1.23.14

1.23.13

1.23.12

1.23.11

1.23.10

1.23.9

1.23.8

1.23.7

1.23.6

1.23.5

1.23.5-beta.0

1.23.4

1.23.3

1.23.2

1.23.1

1.23.0

1.23.0-beta.1

1.23.0-beta.0

1.22.1

1.22.0

1.22.0-beta.0

1.21.3

1.21.2

1.21.2-beta.0

1.21.1

1.21.0

1.21.0-beta.1

1.21.0-beta.0

1.20.2

1.20.1

1.20.0

1.20.0-beta.0

1.19.6

1.19.5

1.19.4

1.19.3

1.19.2

1.19.1

1.19.0

1.19.0-beta.2

1.19.0-beta.1

1.19.0-beta.0

1.18.5

1.18.4

1.18.3

1.18.2

1.18.1

1.18.0

1.18.0-beta.0

1.17.1

1.17.0

1.17.0-beta.1

1.17.0-beta.0

1.16.1

1.16.0

1.16.0-beta.0

1.15.1

1.15.0

1.15.0-beta.1

1.14.1

1.15.0-beta.0

1.14.0

1.14.0-beta.2

1.13.2

1.14.0-beta.1

1.14.0-beta.0

1.13.1

1.13.0

1.13.0-beta.2

1.13.0-beta.1

1.13.0-beta.0

1.12.1

1.12.0

1.11.4

1.11.3

1.11.2

1.11.1

1.11.0

1.10.2

1.10.1

1.10.0

1.9.2

1.9.1

1.9.0

1.8.0

1.7.3

1.7.2

1.7.1

1.7.0

1.6.3

1.6.2

1.6.1

1.6.0

1.5.3

1.5.2

1.5.1

1.5.0

1.3.2

1.3.1

1.3.0

1.2.0

1.1.0

1.0.10

1.0.9

1.0.8

1.0.7

1.0.6

1.0.5

1.0.4

1.0.3

1.0.2

1.0.1

1.0.0

Labels

Clear labels   

A:accessibility

  

A:api

  

A:cert-expiry

  

A:core

  

A:dashboard

  

A:deployment

  

A:documentation

  

A:domain expiry

  

A:incidents

  

A:maintenance

  

A:metrics

  

A:monitor

  

A:notifications

  

A:reports

  

A:settings

  

A:status-page

  

A:ui/ux

  

A:user-management

  

Stale

  

ai-slop

  

blocked

  

blocked-upstream

  

bug

  

cannot-reproduce

  

dependencies

  

discussion

  

duplicate

  

feature-request

  

feature-request

  

good first issue

  

hacktoberfest

  

help

  

help wanted

  

house keeping

  

invalid

  

invalid-format

  

invalid-format

  

question

  

releaseblocker 🚨

  

security

  

spam

  

type:enhance-existing

  

type:new

  

wontfix

No labels

A:accessibility

A:api

A:cert-expiry

A:core

A:dashboard

A:deployment

A:documentation

A:domain expiry

A:incidents

A:maintenance

A:metrics

A:monitor

A:notifications

A:reports

A:settings

A:status-page

A:ui/ux

A:user-management

Stale

ai-slop

blocked

blocked-upstream

bug

cannot-reproduce

dependencies

discussion

duplicate

feature-request

feature-request

good first issue

hacktoberfest

help

help wanted

house keeping

invalid

invalid-format

invalid-format

question

releaseblocker 🚨

security

spam

type:enhance-existing

type:new

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/uptime-kuma#2756

No description provided.