Add Basic Authentication to the Prometheus User Interface
Video Lecture
Description
Everything is great so far, but anybody in the world with the internet access and the URL can visit my Prometheus server and see my data.
To solve this problem, we will add user authentication.
We will use Basic Authentication.
SSH onto your server and CD into your /etc/nginx folder.
cd /etc/nginx
Then install apache2-utils (on ubuntu) or httpd-tools (on centos)
#on ubuntu
sudo apt install apache2-utils
#on centos
sudo yum install httpd-tools
Now we can create a password file. In the command below, I am creating a user called 'admin'.
htpasswd -c /etc/nginx/.htpasswd admin
I then enter a password for the user.
Next open the Nginx Prometheus config file we created.
sudo nano /etc/nginx/sites-enabled/prometheus
And add the two authentication properties in the examples below to the existing Nginx configuration file we have already created.
server {
...
#additional authentication properties
auth_basic "Protected Area";
auth_basic_user_file /etc/nginx/.htpasswd;
location / {
proxy_pass http://localhost:9090/;
}
...
}
Save and test the new configuration has no errors
nginx -t
Restart Nginx
sudo service nginx restart
sudo service nginx status
Since port 9090 and 9100 are still open, we should block them for external connections.
iptables -A INPUT -p tcp -s localhost --dport 9090 -j ACCEPT
iptables -A INPUT -p tcp --dport 9090 -j DROP
iptables -A INPUT -p tcp -s localhost --dport 9100 -j ACCEPT
iptables -A INPUT -p tcp --dport 9100 -j DROP
iptables -L
Warning
iptables settings will be lost in case of system reboot. You will need to reapply them manually,
or
install iptables-persistent
sudo apt install iptables-persistent
This will save your settings into two files called,
/etc/iptables/rules.v4
/etc/iptables/rules.v6
Any changes you make to the iptables configuration won't be auto saved to these persistent files, so if you want to update these files with any changes, then use the commands,
iptables-save > /etc/iptables/rules.v4
iptables-save > /etc/iptables/rules.v6
Not using Domain name or SSL
If you are not using a domain name, or SSL, but accessing your Prometheus server by IP address, then you can still setup Basic Auth for it, if you think it needs it.
Make sure you have Nginx
installed.
sudo apt install nginx
Still create the .htpasswd
file as discussed in the video.
Then create a Nginx configuration for your IP address,
cd /etc/nginx/sites-enabled
If the IP address of your server is 1.2.3.4
, then you can create it as,
sudo nano 1.2.3.4.conf
Paste into the file this below. Don't forget to use your correct IP address for server_name
.
server {
listen 80;
listen [::]:80;
server_name 1.2.3.4;
#additional authentication properties
auth_basic "Protected Area";
auth_basic_user_file /etc/nginx/.htpasswd;
location / {
proxy_pass http://localhost:9090/;
}
}
Also, you don't have to listen on port 80. You can use a different port that you think is better.
Save and test the new configuration has no errors
nginx -t
Restart Nginx
sudo service nginx restart
sudo service nginx status
And visit 1.2.3.4
(Use your correct IP in your browser)
You should get the login prompt.
Prometheus 2.31 and Ubuntu 22.04 Notes
There are no considerable differences to be aware of as shown and discussed in the video in case you decide to install Prometheus 2.31.2 on Ubuntu 22.04 LTS.
Also, rather than using IPTables to manage firewall rules, you may find it easier to use the firewall options provided by your cloud provider instead.
When installing software on Ubuntu 22.04, you may see the warning "Pending kernel upgrade". Press Enter to select OK, then press TAB on the next screen then Enter to OK again. This will restart some services.