Security
- /metrics endpoint is now opt-in — in earlier versions, if you hadn't set METRICS_TOKEN, the Prometheus /metrics endpoint was publicly reachable and exposed fleet inventory (device names, hosts, RouterOS versions, board models) to anyone who could reach the Manager. It is now disabled by default and returns 404 unless you explicitly opt in with METRICS_ENABLED=true. Token auth (METRICS_TOKEN) is still layered on top.
- Authorization tightened on refresh & topology endpoints — Viewer-role accounts could previously trigger a full fleet refresh, a topology refresh, and overwrite saved topology layouts. These actions now require admin or operator role, matching the rest of the mutating API.
Fixed
- Webhook custom message templates no longer silently dropped on save — on the Webhooks page, the per-event custom message fields ({{device.name}}, {{error}}, etc.) were being accepted by the form but ignored by the backend, so they reset to blank after save. They now persist correctly on both create and update.
Upgrading from 1.16.2
If you were scraping /metrics with Prometheus, the endpoint now requires explicit opt-in. Add the following to the environment section of your docker-compose.yml (or to .env):
- METRICS_ENABLED=true
- METRICS_TOKEN=<your-token> # optional but recommended

Generate a token with openssl rand -hex 32. Without METRICS_ENABLED=true the endpoint returns 404 and Prometheus will mark the target as down.
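
A pre-deployment check for the opt-in settings above, as an added example that is not part of the project's release notes or code. The function names, the rule that only the literal value true opts in, and the 64-character token baseline are assumptions of this example.

```python
import re

# KEY=value (.env), "- KEY=value" (compose list) or KEY: value (compose map).
LINE = re.compile(r"^\s*(?:-\s+)?([A-Z_][A-Z0-9_]*)\s*(?:=|:\s)\s*(.*)$")

# Length of `openssl rand -hex 32` output; used as the baseline here
# (an assumption of this example, not a limit enforced by the Manager).
MIN_TOKEN_LEN = 64


def parse_env(text):
    """Collect settings from .env text or a compose environment section."""
    env = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # blank lines, full-line comments, unrelated YAML
        value = re.sub(r"\s+#.*$", "", m.group(2))  # drop trailing comment
        env[m.group(1)] = value.strip().strip("\"'")
    return env


def audit_metrics(text):
    """Classify the /metrics exposure that a configuration would produce."""
    env = parse_env(text)
    # Assumption: only the literal value shown in the notes opts in.
    if env.get("METRICS_ENABLED") != "true":
        return "disabled"            # endpoint returns 404
    token = env.get("METRICS_TOKEN", "")
    if not token:
        return "enabled-no-token"    # no token auth in front of the inventory
    if token.startswith("<") or len(token) < MIN_TOKEN_LEN:
        return "enabled-weak-token"  # placeholder left in, or short secret
    return "enabled-with-token"


if __name__ == "__main__":
    # Constructed sample: the snippet pasted with its placeholder unchanged.
    sample = """\
    environment:
      - METRICS_ENABLED=true
      - METRICS_TOKEN=<your-token> # optional but recommended
    """
    print(audit_metrics(sample))
```

Run it against the compose file or .env before restarting the Manager; any result other than disabled or enabled-with-token means the fleet inventory is exposed with less protection than the notes recommend.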