Add SSL to Prometheus Reverse Proxy

Video Lecture


Description

We will now add transport encryption (TLS) to the Prometheus web user interface.

I have gone onto my domain name provider and added an A record that points to my Prometheus IP address.

Example:

prometheus.seanwasere.com. IN A 157.245.67.117

Your domain and IP will be different; note that it may take some time for the DNS record to propagate across the internet.

We will use Certbot to install a Let's Encrypt SSL certificate for free.

Ensure your domain name has propagated before running Certbot: the standalone mode used below answers an HTTP challenge on port 80, so Let's Encrypt must be able to reach your server by that name.

On my server, I will run

sudo apt install certbot

Make sure Nginx and Prometheus have stopped before continuing; Certbot's standalone mode needs to bind port 80 itself.

sudo service nginx stop
sudo service prometheus stop

Now we can run CertBot.

sudo certbot certonly --standalone

I follow the prompts, enter the domain name I want to secure, and take note of the locations of the saved certificates.

Next, open the Nginx Prometheus config file we created earlier.

sudo nano /etc/nginx/sites-enabled/prometheus

Add the ssl, server_name, ssl_certificate and ssl_certificate_key directives to the existing configuration file.

Note that you will need to change YOUR-DOMAIN-NAME in the sample below to your chosen domain name that you've set up.

server {
    # "ssl on;" is deprecated; the ssl parameter on listen replaces it
    listen       443 ssl;
    server_name  YOUR-DOMAIN-NAME;
    # fullchain.pem also contains the intermediate CA certificate, which
    # cert.pem alone does not; without it many clients reject the chain
    ssl_certificate      /etc/letsencrypt/live/YOUR-DOMAIN-NAME/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/YOUR-DOMAIN-NAME/privkey.pem;

    location / {
        # forward to the Prometheus UI, which only needs to be reachable locally
        proxy_pass           http://localhost:9090/;
    }
}

Start Prometheus and Nginx again (they were stopped for Certbot), then try your new URL with https and without the port number: https://YOUR-DOMAIN-NAME

Then block port 9090 from external access, but leave it open for localhost so Nginx can still reach Prometheus. Rule order matters: the ACCEPT for localhost must be appended before the DROP. These rules are not saved across reboots by default; use iptables-persistent or your distribution's firewall tool to make them permanent.

sudo iptables -A INPUT -p tcp -s 127.0.0.1 --dport 9090 -j ACCEPT   # loopback (Nginx proxy) may still connect
sudo iptables -A INPUT -p tcp --dport 9090 -j DROP                  # everything else is dropped
sudo iptables -L
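The following shell helper is an added example, not part of the lecture or of the Nginx, Certbot or Prometheus projects. It renders the server block above for a given domain, lints a site file for the missing-semicolon mistake that makes Nginx refuse to reload, checks that the A record has propagated before Certbot is run, and verifies the served certificate chain afterwards. It assumes the paths used on this page (/etc/letsencrypt/live/<domain>/ and Prometheus on localhost:9090) and that dig and openssl are installed; the domain and IP in the usage lines are placeholders.

```shell
#!/bin/sh
# Added pre-flight helper (example code, not from the lecture).
# Assumes: certbot stored certificates in /etc/letsencrypt/live/<domain>/,
# Prometheus listens on localhost:9090, and dig / openssl are installed.

# Print a complete HTTPS server block for one domain. "listen 443 ssl" is the
# current form of the deprecated "ssl on"; fullchain.pem also ships the
# intermediate CA certificate, which cert.pem alone does not.
render_site_config() {
    domain="$1"
    cat <<EOF
server {
    listen 443 ssl;
    server_name $domain;
    ssl_certificate     /etc/letsencrypt/live/$domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$domain/privkey.pem;

    location / {
        proxy_pass http://localhost:9090/;
    }
}
EOF
}

# Every directive line in an nginx site file must end with ';'. A single missing
# one makes "nginx -t" fail and the reload abort, so flag such lines before
# touching the live config. Blank lines, comments and block braces are skipped.
lint_directives() {
    file="$1"
    bad=0
    while IFS= read -r line; do
        trimmed=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case "$trimmed" in
            ''|'#'*|*'{'|'}') continue ;;
            *';') ;;
            *) echo "missing ';': $trimmed" >&2; bad=1 ;;
        esac
    done < "$file"
    return "$bad"
}

# Confirm the public A record already resolves to this server before running
# certbot, since Let's Encrypt must reach the name over the internet.
dns_ready() {
    domain="$1"; expected_ip="$2"
    dig +short A "$domain" | grep -qx "$expected_ip"
}

# After the reload: connect with TLS and SNI and require a clean chain
# verification. Serving cert.pem instead of fullchain.pem typically fails
# here with "unable to get local issuer certificate".
verify_tls() {
    domain="$1"
    openssl s_client -connect "$domain:443" -servername "$domain" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# Usage (placeholder domain and IP):
#   sh preflight.sh dns    prometheus.example.com 203.0.113.10
#   sh preflight.sh render prometheus.example.com | sudo tee /etc/nginx/sites-enabled/prometheus
#   sh preflight.sh lint   /etc/nginx/sites-enabled/prometheus && sudo nginx -t
#   sh preflight.sh verify prometheus.example.com
case "${1:-}" in
    dns)    dns_ready "$2" "$3" ;;
    render) render_site_config "$2" ;;
    lint)   lint_directives "$2" ;;
    verify) verify_tls "$2" ;;
esac
```

The lint step catches exactly the class of typo that leaves Nginx running the old plaintext config after a failed reload; run it together with `sudo nginx -t` before restarting. The verify step is the check that a fullchain.pem was used, since a browser may silently accept an incomplete chain while scripted clients and monitoring tools reject it.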

Optionally, remove the default Nginx site that is still serving plain HTTP on port 80:

sudo rm /etc/nginx/sites-enabled/default