
Prometheus Security and Authentication explained

[This tutorial is under development]

Prometheus releases before 2.24 have no built-in basic authentication (aka “basic auth”) or TLS for the expression browser and HTTP API; since 2.24 both can be enabled natively through the --web.config.file flag (see the Prometheus basic-auth guide listed under Reference). The same web config file format is used by exporters built on the exporter toolkit, including current node_exporter releases.

For older releases, or if you prefer to terminate TLS and authentication in front of Prometheus and its exporters, we recommend using Prometheus in conjunction with a reverse proxy. The three scripts below cover:

  • A reverse proxy and applying authentication at the proxy layer using nginx: HTTP basic auth (htpasswd) over a self-signed certificate in front of Prometheus
  • A reverse proxy and applying authentication at the proxy layer using nginx and one way TLS: creating a private CA, a server certificate for the scrape target and a client certificate for Prometheus, plus the scrape job that uses them (run on the Prometheus server)
  • A reverse proxy and applying authentication at the proxy layer using nginx and Mutual TLS: nginx in front of node_exporter on the target, accepting only clients that present a certificate issued by that CA

Whichever variant you use, Prometheus (port 9090) and node_exporter (port 9100) must listen on the loopback interface only (--web.listen-address=127.0.0.1:PORT); otherwise the unauthenticated port remains reachable and the proxy can simply be bypassed.

A reverse proxy and applying authentication at the proxy layer using nginx (basic auth in front of Prometheus)

#!/bin/bash
# run script as root or with sudo, on the Prometheus server
set -e
HOST="localhost"
PORT="9090"
ADMIN_USER="${ADMIN_USER:-admin}"
# install nginx, openssl and htpasswd (apache2-utils)
apt -y install nginx openssl apache2-utils
# generate a self-signed certificate (host prometheus.example.com); clients will have to trust
# this certificate explicitly, use a CA-issued one where that is not acceptable
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -subj '/CN=prometheus.example.com' -nodes
mv key.pem /etc/ssl/private/nginx.pem
chmod 600 /etc/ssl/private/nginx.pem
mv cert.pem /etc/ssl/certs/nginx.pem
# create the basic-auth user file (prompts for the password); -B stores a bcrypt hash
# instead of htpasswd's default apr1 MD5, and the file must be readable by the nginx worker only
htpasswd -c -B /etc/nginx/.htpasswd "${ADMIN_USER}"
chown root:www-data /etc/nginx/.htpasswd
chmod 640 /etc/nginx/.htpasswd
# "ssl on;" is deprecated, the ssl parameter on listen replaces it
echo 'server {
    listen 443 ssl;
    ssl_certificate /etc/ssl/certs/nginx.pem;
    ssl_certificate_key /etc/ssl/private/nginx.pem;
    location / {
        auth_basic "Prometheus";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass http://'${HOST}':'${PORT}'/;
    }
}' > /etc/nginx/sites-enabled/prometheus
nginx -t
systemctl enable nginx
systemctl restart nginx
EXTERNAL_IP=$(curl -s ifconfig.co)
echo "Reverse proxy enabled on https://${EXTERNAL_IP}"
# Prometheus itself must only listen on loopback, otherwise port 9090 bypasses the proxy:
# start it with --web.listen-address=127.0.0.1:9090 (and block 9090 in the firewall if in doubt)
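An added example, not part of the original tutorial: the script above installs apache2-utils, and the strength of what htpasswd writes matters, because that file is the only thing standing between the network and the Prometheus API. The shell functions below audit an htpasswd file for hash schemes weaker than bcrypt (htpasswd without -B writes apr1 MD5) and turn a bcrypt-only file into the basic_auth_users block of a Prometheus web config file (--web.config.file, Prometheus 2.24 and later), which accepts bcrypt hashes only. The user names, hashes and file paths are constructed samples; the bcrypt string is format-valid filler, not the hash of any real password.

```bash
#!/bin/bash
# Added example (not part of the original tutorial): audit an htpasswd file for password
# hash schemes weaker than bcrypt, and turn a bcrypt-only file into the basic_auth_users
# block of a Prometheus web config file (--web.config.file), which accepts bcrypt only.
# User names, hashes and paths below are constructed samples, not real credentials.
set -u

# bcrypt entries as written by 'htpasswd -B': $2y$<cost>$<22 char salt><31 char hash>
BCRYPT_RE='^\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$'

# hash_scheme HASH -> prints the scheme an htpasswd entry uses
hash_scheme() {
    case "$1" in
        '$2a$'*|'$2b$'*|'$2y$'*) echo bcrypt ;;
        '$apr1$'*)               echo apr1-md5 ;;   # htpasswd default (no -B)
        '{SHA}'*)                echo sha1 ;;       # htpasswd -s
        *) if [ "${#1}" -eq 13 ]; then echo crypt; else echo plaintext; fi ;;
    esac
}

# check_htpasswd FILE -> 0 if every entry is bcrypt, 1 otherwise (weak entries reported on stderr)
check_htpasswd() {
    local file=$1 user hash weak=0
    while IFS=: read -r user hash; do
        [ -z "$user" ] && continue
        if ! printf '%s\n' "$hash" | grep -Eq "$BCRYPT_RE"; then
            echo "weak entry: user '$user' uses $(hash_scheme "$hash")" >&2
            weak=1
        fi
    done < "$file"
    return "$weak"
}

# htpasswd_to_web_config FILE -> prints the basic_auth_users block for web-config.yml;
# refuses (exit 1) a file with non-bcrypt entries, since the web config accepts bcrypt only
htpasswd_to_web_config() {
    check_htpasswd "$1" 2>/dev/null || return 1
    echo 'basic_auth_users:'
    awk -F: 'NF >= 2 { printf "  %s: \"%s\"\n", $1, $2 }' "$1"
}

# --- constructed sample data ---
WORK=$(mktemp -d)
# first line: what 'htpasswd -c' writes by default (apr1 MD5); second line: 'htpasswd -B'
# (bcrypt; the string is format-valid filler, not the hash of any password)
cat > "$WORK/weak.htpasswd" <<'EOF'
legacy:$apr1$x1y2z3w4$abcdefghijklmnopqrstuv
alice:$2y$10$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234
EOF
grep '^alice:' "$WORK/weak.htpasswd" > "$WORK/strong.htpasswd"

check_htpasswd "$WORK/weak.htpasswd" || echo "weak.htpasswd: not acceptable"
htpasswd_to_web_config "$WORK/strong.htpasswd"
```

Run check_htpasswd against /etc/nginx/.htpasswd after the script above; any entry it reports should be regenerated with htpasswd -B. The YAML that htpasswd_to_web_config prints goes into the file passed to prometheus --web.config.file, which lets you drop the nginx layer on current Prometheus releases while keeping the same user database.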

A reverse proxy and applying authentication at the proxy layer using nginx and one way TLS (certificate generation and scrape configuration, run on the Prometheus server)

#!/bin/bash
# run on the Prometheus server as root or with sudo
set -ex
TARGET_IP="138.68.135.9"   # address of the scrape target; it must be the address Prometheus connects to
# Request config: the target certificate needs the target address in subjectAltName, because
# Prometheus verifies the certificate against the address given in the scrape target list.
echo '
# From http://apetec.com/support/GenerateSAN-CSR.htm
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = MN
localityName = Locality Name (eg, city)
localityName_default = Minneapolis
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Domain Control Validated
commonName = Common Name (eg, server FQDN)
commonName_max = 64
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth,serverAuth
subjectAltName = @alt_names
[alt_names]' > openssl-${TARGET_IP}.cnf
echo -en "IP.1 = ${TARGET_IP}\n" >> openssl-${TARGET_IP}.cnf
# create CA (genrsa has no -nodes option and writes the key unencrypted; protect it with permissions)
openssl genrsa -out ca.key 4096
chmod 400 ca.key
openssl req -new -x509 -sha256 -days 3650 -key ca.key -out ca.crt -subj "/CN=prometheus-ca.example.com"
chmod 644 ca.crt
# Create target key and certificate (server side, presented by nginx on the target)
openssl genrsa -out target.key 2048
chmod 400 target.key
openssl req -new -key target.key -sha256 -out target.csr -config openssl-${TARGET_IP}.cnf -subj "/CN=prometheus-target.example.com"
openssl x509 -req -days 365 -sha256 -in target.csr -CA ca.crt -CAkey ca.key -set_serial 1 -out target.crt -extensions v3_req -extfile openssl-${TARGET_IP}.cnf
chmod 444 target.crt
# Create client key and certificate for the Prometheus server (presented to nginx in the TLS handshake)
openssl genrsa -out client.key 2048
chmod 400 client.key
openssl req -new -key client.key -out client.csr -subj "/CN=prometheus.example.com"
openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 2 -out client.crt
# install the CA certificate and the client material locally; ca.crt (as prometheus-ca.crt), target.crt
# and target.key stay in the current directory and must be copied to the target host for the next script
cp ca.crt /etc/ssl/certs/prometheus-ca.crt
cp ca.crt prometheus-ca.crt
mv ca.key /etc/ssl/private/prometheus-ca.key
mv client.key /etc/prometheus/prometheus.key
chown prometheus:prometheus /etc/prometheus/prometheus.key
chmod 400 /etc/prometheus/prometheus.key
mv client.crt /etc/ssl/certs/prometheus.crt
echo 'Add the following job to /etc/prometheus/prometheus.yml (under scrape_configs):'
echo "  - job_name: 'node_exporter_ssl'
    scrape_interval: 5s
    scheme: https
    tls_config:
      ca_file: /etc/ssl/certs/prometheus-ca.crt
      cert_file: /etc/ssl/certs/prometheus.crt
      key_file: /etc/prometheus/prometheus.key
    static_configs:
      - targets: ['${TARGET_IP}:443']"

A reverse proxy and applying authentication at the proxy layer using nginx and Mutual TLS (nginx in front of node_exporter, run on the target)

#!/bin/bash
# run on the scrape target as root or with sudo, after copying target.crt, target.key and
# prometheus-ca.crt from the Prometheus server into the current directory
set -e
HOST="localhost"
PORT="9100"
# install nginx and openssl first (the openssl package provides /etc/ssl/private)
apt -y install nginx openssl
mv target.crt /etc/ssl/certs/target.crt
mv target.key /etc/ssl/private/target.key
chmod 600 /etc/ssl/private/target.key
mv prometheus-ca.crt /etc/ssl/certs/prometheus-ca.crt
# "ssl on;" is deprecated, the ssl parameter on listen replaces it
echo 'server {
    listen 443 ssl;
    ssl_certificate /etc/ssl/certs/target.crt;
    ssl_certificate_key /etc/ssl/private/target.key;
    # only certificates issued by our private CA are accepted; the handshake fails before anything is proxied
    ssl_client_certificate /etc/ssl/certs/prometheus-ca.crt;
    ssl_verify_client on;
    location / {
        proxy_pass http://'${HOST}':'${PORT}'/;
    }
}' > /etc/nginx/sites-enabled/node-exporter
nginx -t
systemctl enable nginx
systemctl restart nginx
EXTERNAL_IP=$(curl -s ifconfig.co)
echo "Reverse proxy with mutual tls enabled on https://${EXTERNAL_IP}"
# node_exporter must listen on loopback only (--web.listen-address=127.0.0.1:9100), otherwise
# port 9100 stays reachable without any client certificate
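An added example, not from the original tutorial, for the certificate material that the previous two scripts generate and consume. Before copying target.crt and target.key to the target and pointing a scrape job at it, it is worth checking that the target certificate chains to the CA, is valid for the TLS server purpose and carries the target IP in its subjectAltName (Prometheus validates the certificate against the address in the targets list), and that the Prometheus client certificate is valid for the TLS client purpose (which is what ssl_verify_client on enforces against ssl_client_certificate). So that it runs stand-alone, the script builds a throw-away CA and both certificates in a temporary directory with a minimal config of its own; the IP 192.0.2.10 and the names are constructed, and in practice the two check functions are run against the real files.

```bash
#!/bin/bash
# Added example (not part of the original tutorial): build a throw-away CA, a server
# certificate for the scrape target and a client certificate for Prometheus, then run
# the checks worth doing before wiring them into nginx and prometheus.yml.
# All names and the IP are constructed; run the check functions against the real files.
set -eu
WORK=$(mktemp -d)
cd "$WORK"
TARGET_IP="192.0.2.10"   # constructed (TEST-NET-1); stands in for the scrape target's address

# Minimal request config: an empty DN section (subjects come from -subj) plus one
# extension section per role. The target certificate carries the IP in subjectAltName.
cat > ext.cnf <<EOF
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[server_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = IP:${TARGET_IP}
[client_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF

# private CA
openssl genrsa -out ca.key 2048 2>/dev/null
openssl req -new -x509 -sha256 -days 3650 -key ca.key -out ca.crt \
    -config ext.cnf -extensions ca_ext -subj '/CN=prometheus-ca.example.com'
# server certificate for the target (presented by nginx on the target)
openssl genrsa -out target.key 2048 2>/dev/null
openssl req -new -key target.key -out target.csr -config ext.cnf -subj '/CN=prometheus-target.example.com'
openssl x509 -req -sha256 -days 365 -in target.csr -CA ca.crt -CAkey ca.key -set_serial 1 \
    -extfile ext.cnf -extensions server_ext -out target.crt 2>/dev/null
# client certificate for the Prometheus server (presented to nginx in the handshake)
openssl genrsa -out client.key 2048 2>/dev/null
openssl req -new -key client.key -out client.csr -config ext.cnf -subj '/CN=prometheus.example.com'
openssl x509 -req -sha256 -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 2 \
    -extfile ext.cnf -extensions client_ext -out client.crt 2>/dev/null

# check_server_cert CA CRT IP -> 0 only if CRT chains to CA, is valid for the TLS server
# purpose and lists IP in its subjectAltName (what Prometheus checks for targets: ['IP:443'])
check_server_cert() {
    local ca=$1 crt=$2 ip=$3
    openssl verify -CAfile "$ca" -purpose sslserver "$crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$crt" -noout -text | grep -Eq "IP Address:${ip}([^0-9.]|\$)" || return 1
}

# check_client_cert CA CRT -> 0 only if CRT chains to CA and is valid for the TLS client
# purpose (what nginx's "ssl_verify_client on" enforces against ssl_client_certificate)
check_client_cert() {
    openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1
}

check_server_cert ca.crt target.crt "$TARGET_IP" && echo "target.crt: valid server certificate for ${TARGET_IP}"
check_client_cert ca.crt client.crt && echo "client.crt: valid client certificate for Prometheus"
# Swapped roles must fail: the client certificate is not a server certificate and vice versa.
check_server_cert ca.crt client.crt "$TARGET_IP" || echo "client.crt rejected as server certificate (expected)"
check_client_cert ca.crt target.crt || echo "target.crt rejected as client certificate (expected)"
```

Against the files produced by the previous scripts the calls would be check_server_cert prometheus-ca.crt target.crt 138.68.135.9 and check_client_cert prometheus-ca.crt prometheus.crt; a SAN mismatch shows up as a failed scrape with an x509 error in the Prometheus targets page, a wrong-purpose client certificate as an nginx 400 on the target.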

Reference
– https://prometheus.io/docs/guides/basic-auth/
– https://prometheus.io/docs/operating/security/
– https://prometheus.io/docs/operating/security/#authentication-authorization-and-encryption
