Prometheus doesn't provide authentication support in order to focus energy on making an awesome monitoring tool. Instead users can take advantage of a more purpose designed tool such as Nginx to do so. This post will look at how you can do that.
To start you should install Nginx.
Next let's get a basic Ngingx setup working. Here's an Nginx configuration that simply acts as a reverse proxy from Prometheus on port 9090 to port 19090:
http { server { listen 0.0.0.0:19090; location / { proxy_pass :9090/; } } } events { }
If you start Nginx and visit :19090 you'll see the Prometheus status page.
Now that Nginx is working we can add basic authentication. In order to authenticate users we need a list of usernames and passwords. We'll use the htpasswd
utility for this. This is in the apache2-utils
packages on Debian based systems such as Ubuntu. We'll add a user called "myuser":
$ htpasswd -c .htpasswd myuser New password: Re-type new password: Adding password for user myuser
Then configure basic auth in the Nginx configuration file:
http { server { listen 0.0.0.0:19090; location / { proxy_pass :9090/; auth_basic "Prometheus"; auth_basic_user_file ".htpasswd"; } } } events { }
If you restart Nginx and once again visit :19090 you'll now be asked for your username and password.
Don't forget to lock down file permissions on the .htpasswd
file, and keep it outside of any paths that are served over HTTP. The same approach can be used with other components of Prometheus, such as the Alertmanager and Node Exporter.
No comments.