Adding Basic Auth to Prometheus with Nginx

Prometheus doesn't provide authentication support in order to focus energy on making an awesome monitoring tool. Instead, users can take advantage of a more purpose-designed tool such as Nginx to do so. This post will look at how you can do that.
To start you should install Nginx.
Next let's get a basic Nginx setup working. Here's an Nginx configuration that simply acts as a reverse proxy from Prometheus on port 9090 to port 19090:
http {
  server {
    listen 0.0.0.0:19090;
    location / {
      proxy_pass http://localhost:9090/;
    }
  }
}
events {
}
If you start Nginx and visit http://localhost:19090 you'll see the Prometheus status page.
Now that Nginx is working we can add basic authentication. In order to authenticate users we need a list of usernames and passwords. We'll use the htpasswd utility for this. It is in the apache2-utils package on Debian-based systems such as Ubuntu. We'll add a user called "myuser":
$ htpasswd -c .htpasswd myuser
New password: 
Re-type new password: 
Adding password for user myuser
Then configure basic auth in the Nginx configuration file:
http {
  server {
    listen 0.0.0.0:19090;
    location / { 
      proxy_pass http://localhost:9090/;

      auth_basic "Prometheus";
      auth_basic_user_file ".htpasswd";
    }
  }
}
events {
}
If you restart Nginx and once again visit http://localhost:19090 you'll now be asked for your username and password.
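Don't forget to lock down file permissions on the .htpasswd file, and keep it outside of any paths that are served over HTTP. Authentication is only enforced on port 19090, so Prometheus itself on port 9090 must not be reachable from other hosts. The same approach can be used with other components of Prometheus, such as the Alertmanager and Node Exporter.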
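One way to check the .htpasswd file's permissions and location on a deployed host, as an added example that is not code from the original post. The function name `audit_htpasswd`, the `served_roots` parameter and the weak-scheme table are this example's own assumptions, and the check for `{PLAIN}` and `{SHA}` entries goes beyond what the post covers.

```python
import stat
import sys
from pathlib import Path

# Password prefixes Nginx accepts that are unsalted or not hashed at all.
# Treating them as findings is this example's choice, not the post's.
WEAK_PREFIXES = {"{PLAIN}": "plaintext", "{SHA}": "unsalted SHA-1"}


def audit_htpasswd(path, served_roots=()):
    """Return a list of findings for an htpasswd file (empty list = clean)."""
    findings = []
    p = Path(path).resolve()
    mode = stat.S_IMODE(p.stat().st_mode)

    # 1. Permissions: only the owner (and optionally the Nginx group) may read.
    if mode & stat.S_IRWXO:
        findings.append(f"mode {mode:04o}: accessible to 'other' users")
    if mode & stat.S_IWGRP:
        findings.append(f"mode {mode:04o}: group-writable")

    # 2. Location: the file must not sit under a directory served over HTTP.
    for root in served_roots:
        root = Path(root).resolve()
        if p == root or root in p.parents:
            findings.append(f"located under served path {root}")

    # 3. Entries: "user:hash[:comment]" lines; '#' lines are comments.
    for n, line in enumerate(p.read_text().splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, pw_hash = line.partition(":")
        if not sep or not user or not pw_hash:
            findings.append(f"line {n}: not in user:hash form")
            continue
        for prefix, why in WEAK_PREFIXES.items():
            if pw_hash.startswith(prefix):
                findings.append(f"line {n}: user {user!r} stored as {why}")
    return findings


if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: script.py /path/to/.htpasswd [served_root ...]
    for finding in audit_htpasswd(sys.argv[1], sys.argv[2:]):
        print(finding)
```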
