Authentication to prometheus


Miguel Saavedra

Oct 27, 2020, 5:24:37 PM
to Prometheus Users
I have a domain https://xxxxx.yyyy.com on which I have installed Prometheus and set up basic authentication (using apache2).

This is the code:
    <VirtualHost *:80>
        ProxyPreserveHost On
        ProxyPassReverse / http://xxx.yyyyy.com:9090/
        <Location />
            AuthType Basic
            AuthName "Restricted Content"
            AuthUserFile /etc/apache2/.htpasswd
            Require valid-user
        </Location>
    </VirtualHost>

When the authentication is successful, I make a redirect to https://xxxxx.yyyy.com:9090 since I can enter Prometheus there. However, if I try to access https://xxxxx.yyyy.com:9090 directly, I can access it by skipping the authentication.

My question is, how can I block, redirect, or request authentication at that URL through port 9090 to prevent access without authentication?

Brian Candler

Oct 27, 2020, 5:49:55 PM
to Prometheus Users
Firstly, remove the Redirect.  You are supposed to be proxying (i.e. the HTTP requests go user --> apache --> prometheus).  A redirect tells the browser to connect directly, i.e. it will then attempt to connect user --> prometheus.

If prometheus is running on the same server as apache, then the simplest way to prevent direct access is to bind it to localhost, by running prometheus with the appropriate flag:
    --web.listen-address="127.0.0.1:9090" --web.external-url=http://xxxx.yyyyy.com

and changing your proxy config:

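    <VirtualHost *:80>
        ProxyPreserveHost On
        # ProxyPass does the forwarding; ProxyPassReverse only rewrites
        # redirect headers in the backend's responses.
        ProxyPass / http://127.0.0.1:9090/
        ProxyPassReverse / http://127.0.0.1:9090/
        <Location />
            AuthType Basic
            AuthName "Restricted Content"
            AuthUserFile /etc/apache2/.htpasswd
            Require valid-user
        </Location>
    </VirtualHost>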

If apache and prometheus are on separate hosts, then use iptables on the prometheus host to accept connections on port 9090 from the apache server's IP address, but not from anywhere else.

Brian Candler

Oct 28, 2020, 3:22:44 AM
to Miguel Saavedra, Prometheus Users
On 27/10/2020 23:30, Miguel Saavedra wrote:
> Prometheus is running in a Docker container. This being the case, how
> do the commands/configurations you share with me change? Does the
> Prometheus command to be run inside the host change?

You can still bind prometheus to localhost (127.0.0.1) inside a container.

However with containers there is a simpler approach: simply don't expose
port 9090 on the container to the outside world, only port 80.  Then
users will only be able to connect to apache.

If prometheus and apache are in the same container, or in different
containers but in the same k8s pod, then they will be able to talk to
each other on 127.0.0.1 (without having to expose the port to the
outside world)

If you are doing something else with docker containers (docker swarm?
docker compose?) then you can work out for yourself what needs to be done.
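
A check for the outcome both replies above aim at, as an added example that is not part of the thread: run from a machine other than the server, it confirms that port 9090 refuses direct connections and that the proxy answers 401 when no credentials are sent. The function names and the plain-HTTP port 80 default are assumptions based on the VirtualHost shown earlier.

```python
"""Outside-in check that Prometheus is reachable only through the authenticating proxy."""
import socket
import sys
import urllib.error
import urllib.request


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report a 3xx as-is instead of following it to another port."""
    def redirect_request(self, *args, **kwargs):
        return None


def port_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def status_without_credentials(url, timeout=3.0):
    """HTTP status for a GET sent with no Authorization header, or None if unreachable."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx arrive as exceptions
        return err.code
    except OSError:                        # refused, timed out, DNS failure
        return None


def audit(host, proxy_port=80, backend_port=9090):
    """Return a list of findings; an empty list means the setup matches the advice."""
    findings = []
    if port_reachable(host, backend_port):
        findings.append(f"port {backend_port} accepts direct connections, bypassing the proxy")
    status = status_without_credentials(f"http://{host}:{proxy_port}/")
    if status != 401:
        findings.append(f"proxy port {proxy_port} answered {status} without credentials, expected 401")
    return findings


if __name__ == "__main__":
    # The hostname is supplied by the operator; run from a machine other than the server.
    problems = audit(sys.argv[1]) if len(sys.argv) > 1 else ["usage: check.py HOSTNAME"]
    print("\n".join(problems) or "OK: 9090 closed, proxy demands credentials")
    sys.exit(1 if problems else 0)
```

Running it on the server itself gives a misleading result when Prometheus is bound to 127.0.0.1, since the loopback address is reachable locally by design.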

Miguel Saavedra

Oct 29, 2020, 5:27:13 PM
to Brian Candler, Prometheus Users
It worked very well!

Thanks for the help, Brian :)
--
MS



