How do you secure your :9100/metrics path?


Can Uslu

Nov 4, 2017, 8:58:52 AM11/4/17
to Prometheus Users
Hi,

I've been using a Prometheus, node_exporter and Grafana setup for 1-2 weeks. At first, I used my test machines to learn. Now I've connected production servers, too.
Since there is no auth mechanism for the node_exporter page (example.com:9100/metrics) in the default installation, that situation bugs me.
If you use the dork (inurl:":9100/metrics") and do a Google search, you'll see that there are publicly available metrics pages.

So I'm wondering what your strategies are to secure the metrics path?

Ben Kochie

Nov 4, 2017, 11:21:39 AM11/4/17
to Can Uslu, Prometheus Users
Most use of Prometheus is behind private networks, so security isn't usually a concern.  The exporter endpoints are simple read-only targets, so there's not much to exploit.  Also, most metrics are uninteresting from a security perspective, but there are exceptions.

Typically we recommend simple firewall rules to block public internet access, but I've also seen simple reverse proxy (nginx for example) to add TLS and some kind of auth.  The Prometheus server can support SSL/x509 certs and basic auth, but I don't recommend basic auth due to the obvious clear text nature of how it works.

Adding some security (TLS + client cert auth is my obvious answer) to our standards is something we would like to do, but given the number of people working on Prometheus, we don't have the resources to support it right now.

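The reverse-proxy approach described in the reply above (TLS termination plus client-certificate auth in front of node_exporter), worked out as an added example that is not from the thread or from the Prometheus project. The listen port, hostname, and certificate paths are assumptions; the node_exporter flag `--web.listen-address` and the Prometheus `tls_config` fields named below are real.

```nginx
# Added example: nginx in front of node_exporter. node_exporter itself is
# started with --web.listen-address=127.0.0.1:9100 so that only this proxy
# can reach it; everything external must come through TLS on 9443 and
# present a client certificate signed by the scraper's private CA.
# All paths and names are assumptions for the example.
server {
    listen 9443 ssl;
    server_name node01.example.com;

    # Server identity: certificate and key for this host.
    ssl_certificate     /etc/nginx/tls/node01.crt;
    ssl_certificate_key /etc/nginx/tls/node01.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Client authentication: only certificates issued by this CA
    # (the one Prometheus scrapes with) are accepted. Requests without a
    # valid client cert are rejected during the TLS handshake, before any
    # HTTP request reaches the location blocks below.
    ssl_client_certificate /etc/nginx/tls/prometheus-ca.crt;
    ssl_verify_client      on;

    # Expose only the metrics path and forward it to the local exporter.
    location = /metrics {
        proxy_pass http://127.0.0.1:9100/metrics;
        proxy_set_header Host $host;
    }

    # Nothing else on this listener is served.
    location / {
        return 404;
    }
}
```

On the Prometheus side the matching scrape job sets `scheme: https` and, under `tls_config`, `ca_file` (the CA that signed node01.crt), `cert_file` and `key_file` (the client certificate issued by prometheus-ca.crt), with `node01.example.com:9443` as the target. To check the setup, `curl https://node01.example.com:9443/metrics` without a client certificate should fail the handshake, and the same request with `--cert`/`--key` pointing at the client certificate should return the metrics page; the host firewall should still drop anything that reaches 9100 from outside, since the proxy only removes the need for that rule, not the value of it.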
