[This tutorial is under developement]

Prometheus does not directly support basic authentication (aka “basic auth”) for connections to the Prometheus expression browser and HTTP API.

If you’d like to enforce basic auth for those connections, we recommend using Prometheus in conjunction with

• A reverse proxy and applying authentication at the proxy layer using nginx
• A reverse proxy and applying authentication at the proxy layer using nginx and one way TLS
• A reverse proxy and applying authentication at the proxy layer using nginx and Mutual TLS

A reverse proxy and applying authentication at the proxy layer using nginx

	#!/bin/bash
	HOST="localhost"
	PORT="9090"
	# run script as root or with sudo
	# install nginx and openssl
	apt -y install nginx openssl apache2-utils
	# generate ssl certificate (host prometheus.example.com)
	openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -subj '/CN=prometheus.example.com' -nodes
	mv key.pem /etc/ssl/private/nginx.pem
	chmod 600 /etc/ssl/private/nginx.pem
	mv cert.pem /etc/ssl/certs/nginx.pem
	echo 'server {
	listen 443;
	ssl on;
	ssl_certificate /etc/ssl/certs/nginx.pem;
	ssl_certificate_key /etc/ssl/private/nginx.pem;
	location / {
	proxy_pass http://'${HOST}':'${PORT}'/;
	auth_basic "Prometheus";
	auth_basic_user_file /etc/nginx/.htpasswd;
	}
	}' > /etc/nginx/sites-enabled/prometheus
	systemctl enable nginx
	systemctl restart nginx
	EXTERNAL_IP=$(curl -s ifconfig.co)
	echo "Reverse proxy enabled on https://${EXTERNAL_IP}"

view raw reverse-proxy.sh hosted with by GitHub

A reverse proxy and applying authentication at the proxy layer using nginx and one way TLS

	#!/bin/bash
	set -ex
	TARGET_IP="138.68.135.9"
	echo '
	# From http://apetec.com/support/GenerateSAN-CSR.htm
	[req]
	distinguished_name = req_distinguished_name
	req_extensions = v3_req
	[req_distinguished_name]
	countryName = Country Name (2 letter code)
	countryName_default = US
	stateOrProvinceName = State or Province Name (full name)
	stateOrProvinceName_default = MN
	localityName = Locality Name (eg, city)
	localityName_default = Minneapolis
	organizationalUnitName = Organizational Unit Name (eg, section)
	organizationalUnitName_default = Domain Control Validated
	commonName = Internet Widgits Ltd
	commonName_max = 64
	[ v3_req ]
	# Extensions to add to a certificate request
	basicConstraints = CA:FALSE
	extendedKeyUsage = clientAuth,serverAuth
	subjectAltName = @alt_names
	[alt_names]' > openssl-${TARGET_IP}.cnf
	echo -en "IP.1 = ${TARGET_IP}\n" >> openssl-${TARGET_IP}.cnf
	# create CA
	openssl genrsa -out ca.key 4096 -nodes
	chmod 400 ca.key
	openssl req -new -x509 -sha256 -days 3650 -key ca.key -out ca.crt -subj "/CN=prometheus-ca.example.com"
	chmod 644 ca.crt
	# Create target key
	openssl genrsa -out target.key 2048
	chmod 400 target.key
	openssl req -new -key target.key -sha256 -out target.csr -config openssl-${TARGET_IP}.cnf -subj "/CN=prometheus-target.example.com"
	openssl x509 -req -days 365 -sha256 -in target.csr -CA ca.crt -CAkey ca.key -set_serial 1 -out target.crt -extensions v3_req -extfile openssl-${TARGET_IP}.cnf
	chmod 444 target.crt
	# Create client key for prometheus server
	openssl genrsa -out client.key 2048
	openssl req -new -key client.key -out client.csr -subj "/CN=prometheus.example.com"
	openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 2 -out client.crt
	mv ca.crt /etc/ssl/certs/prometheus-ca.crt
	mv ca.key /etc/ssl/private/prometheus-ca.key
	mv client.key /etc/prometheus/prometheus.key
	chown prometheus:prometheus /etc/prometheus/prometheus.key
	mv client.crt /etc/ssl/certs/prometheus.crt
	echo 'Add the following lines to /etc/prometheus/prometheus.yml:'
	echo " - job_name: 'node_exporter_ssl'
	scrape_interval: 5s
	scheme: https
	tls_config:
	ca_file: /etc/ssl/certs/prometheus-ca.crt
	cert_file: /etc/ssl/certs/prometheus.crt
	key_file: /etc/prometheus/prometheus.key
	static_configs:
	- targets: ['${TARGET_IP}:443']"

view raw mutual-tls.sh hosted with by GitHub

A reverse proxy and applying authentication at the proxy layer using nginx and Mutual TLS

	#!/bin/bash
	set -e
	mv target.crt /etc/ssl/certs/target.crt
	mv target.key /etc/ssl/private/target.key
	mv prometheus-ca.crt /etc/ssl/certs/prometheus-ca.crt
	HOST="localhost"
	PORT="9100"
	# run script as root or with sudo
	# install nginx and openssl
	apt -y install nginx openssl
	echo 'server {
	listen 443;
	ssl on;
	ssl_certificate /etc/ssl/certs/target.crt;
	ssl_certificate_key /etc/ssl/private/target.key;
	ssl_client_certificate /etc/ssl/certs/prometheus-ca.crt;
	ssl_verify_client on;
	location / {
	proxy_pass http://'${HOST}':'${PORT}'/;
	}
	}' > /etc/nginx/sites-enabled/node-exporter
	systemctl enable nginx
	systemctl restart nginx
	EXTERNAL_IP=$(curl -s ifconfig.co)
	echo "Reverse proxy with mutual tls enabled on https://${EXTERNAL_IP}"

view raw reverse-proxy-mutual-tls.sh hosted with by GitHub

Reference
– https://prometheus.io/docs/guides/basic-auth/
– https://prometheus.io/docs/operating/security/
– https://prometheus.io/docs/operating/security/#authentication-authorization-and-encryption

Rajesh Kumar

I’m a DevOps/SRE/DevSecOps/Cloud Expert passionate about sharing knowledge and experiences. I am working at Cotocus. I blog tech insights at DevOps School, travel stories at Holiday Landmark, stock market tips at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at I reviewed , and SEO strategies at Wizbrand. 

Please find my social handles as below;

Rajesh Kumar Personal Website
Rajesh Kumar at YOUTUBE
Rajesh Kumar at INSTAGRAM
Rajesh Kumar at X
Rajesh Kumar at FACEBOOK
Rajesh Kumar at LINKEDIN
Rajesh Kumar at PINTEREST
Rajesh Kumar at QUORA
Rajesh Kumar at WIZBRAND