Prometheus security
The security discussed here is of two kinds: basic authentication and HTTPS. Prometheus itself currently provides neither, so both have to be implemented with third-party software; here nginx is used as the example.
Basic authentication
Configuring basic authentication
In the earlier deployment, once the Prometheus server was up we could open http://192.168.100.10:9090 and reach the expression browser directly to run PromQL queries. That is very insecure: where necessary we need to add basic authentication, so that only authenticated users can open the page and query data.
[root@node00 ~]# yum install httpd-tools nginx
[root@node00 ~]# cd /etc/nginx
[root@node00 nginx]# htpasswd -c /etc/nginx/.htpasswd admin
[root@node00 conf.d]# pwd
/etc/nginx/conf.d
[root@node00 conf.d]# cat prometheus.linuxpanda.tech.conf
server {
    listen 80;
    server_name prometheus.linuxpanda.tech ;
    location / {
        auth_basic "Prometheus";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass http://localhost:9090/;
    }
}
[root@node00 conf.d]# systemctl restart nginx
[root@node00 conf.d]# systemctl status nginx
[root@node00 system]# pwd
/usr/lib/systemd/system
[root@node00 system]# cat prometheus.service
[Unit]
Description=prometheus
After=network.target

[Service]
User=prometheus
Group=prometheus
WorkingDirectory=/usr/local/prometheus/prometheus
ExecStart=/usr/local/prometheus/prometheus/prometheus --web.external-url=http://prometheus.linuxpanda.tech

[Install]
WantedBy=multi-user.target
[root@node00 system]# systemctl daemon-reload
[root@node00 system]# systemctl restart prometheus
[root@node00 system]# systemctl status prometheus
Testing
Configuring name resolution
Because we use the domain prometheus.linuxpanda.tech, we have to make sure it resolves to the right IP address; here this is done with a hosts-file binding.
# Add the following line to the hosts file on my workstation
192.168.100.10 prometheus.linuxpanda.tech
Logging in
After entering the domain prometheus.linuxpanda.tech in the browser, the result looks like this:
After entering the account and password set earlier, admin/admin, and logging in, the result is as follows.
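To make concrete what the browser sends after that login, and what nginx checks it against, here is an added example (not code from the page or from nginx): it decodes a Basic Authorization header, which is only base64 and therefore readable by anyone who can observe the plaintext HTTP request on port 80, and it verifies the decoded credentials against htpasswd entries in the {SHA} and {SSHA} schemes that nginx's auth_basic accepts. The htpasswd content and the salt are constructed for the example; the function and variable names are this example's own.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def parse_basic_auth(header: str) -> Optional[Tuple[str, str]]:
    """Decode 'Authorization: Basic <base64(user:password)>'.

    Returns (user, password) or None if the header is malformed.
    Note that there is no encryption involved: the credentials are
    recovered by a plain base64 decode, which is why basic auth must
    only ever travel over TLS.
    """
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")
    return user, password


def sha_entry(user: str, password: str) -> str:
    """htpasswd line in the unsalted {SHA} scheme (what `htpasswd -s` writes)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def ssha_entry(user: str, password: str, salt: Optional[bytes] = None) -> str:
    """htpasswd line in the salted {SSHA} scheme: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return f"{user}:{{SSHA}}{base64.b64encode(digest + salt).decode('ascii')}"


def load_htpasswd(text: str) -> Dict[str, str]:
    """Parse htpasswd text into {user: hash_field}; comments and blank lines are skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, _, hash_field = line.partition(":")
        users[user] = hash_field
    return users


def verify_password(hash_field: str, password: str) -> bool:
    """Check a password against one htpasswd hash field ({SHA}, {SSHA} or {PLAIN})."""
    pw = password.encode("utf-8")
    if hash_field.startswith("{SHA}"):
        expected = base64.b64decode(hash_field[len("{SHA}"):])
        return hmac.compare_digest(hashlib.sha1(pw).digest(), expected)
    if hash_field.startswith("{SSHA}"):
        blob = base64.b64decode(hash_field[len("{SSHA}"):])
        digest, salt = blob[:20], blob[20:]
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    if hash_field.startswith("{PLAIN}"):
        return hmac.compare_digest(hash_field[len("{PLAIN}"):].encode("utf-8"), pw)
    return False  # unknown scheme: fail closed


def authorize(header: str, htpasswd_text: str) -> Optional[str]:
    """Return the authenticated user name, or None if the header does not authenticate."""
    creds = parse_basic_auth(header)
    if creds is None:
        return None
    user, password = creds
    hash_field = load_htpasswd(htpasswd_text).get(user)
    if hash_field is None:
        return None
    return user if verify_password(hash_field, password) else None


# Constructed sample htpasswd content (not the page's /etc/nginx/.htpasswd);
# the salt is fixed so the entry is reproducible.
SAMPLE_HTPASSWD = "# prometheus users\n" + sha_entry("admin", "admin") + "\n" \
    + ssha_entry("viewer", "s3cret", salt=b"\x01\x02\x03\x04\x05\x06\x07\x08") + "\n"

if __name__ == "__main__":
    header = "Basic " + base64.b64encode(b"admin:admin").decode("ascii")
    print("what a plaintext observer sees:", parse_basic_auth(header))
    print("authorized as:", authorize(header, SAMPLE_HTPASSWD))
```

The point of `parse_basic_auth` is the security one: with the nginx config above listening only on port 80, the header `Basic YWRtaW46YWRtaW4=` decodes to `admin:admin` for anyone on the network path, which is why the HTTPS section that follows is not optional.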
HTTPS
Configuring HTTPS requires a certificate. In production a certificate for a domain costs money, so here we use openssl to generate a self-signed certificate for testing.
HTTPS configuration
[root@node00 nginx]# cd /etc/nginx/
[root@node00 nginx]# mkdir ssl
[root@node00 nginx]# cd ssl/
[root@node00 ssl]# openssl req -x509 -newkey rsa:4096 -nodes -keyout prometheus.linuxpanda.tech.key -out prometheus.linuxpanda.tech.crt
Generating a 4096 bit RSA private key
..............................................................................................................................................................++
...............................................................++
writing new private key to 'prometheus.linuxpanda.tech.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BEIJING
Locality Name (eg, city) [Default City]:BEIJING
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:prometheus.linuxpanda.tech
Email Address []:
[root@node00 conf.d]# pwd
/etc/nginx/conf.d
[root@node00 conf.d]# cat prometheus.linuxpanda.tech.conf
server {
    listen 80;
    listen 443 ssl;
    server_name prometheus.linuxpanda.tech ;
    ssl_certificate ssl/prometheus.linuxpanda.tech.crt;
    ssl_certificate_key ssl/prometheus.linuxpanda.tech.key;
    location / {
        auth_basic "Prometheus";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass http://localhost:9090/;
    }
}
[root@node00 conf.d]# systemctl restart nginx
[root@node00 conf.d]# systemctl status nginx
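One thing to check in the configuration above: it keeps `listen 80;` next to `listen 443 ssl;` in the same server block, so the basic-auth login is still accepted over plaintext HTTP on port 80. The following is an added example (not the page's or nginx's own code) that scans nginx server blocks for exactly that pattern, a non-TLS listener that carries auth_basic without redirecting to HTTPS, and it carries the page's server block alongside a hardened variant in which port 80 only redirects. The brace-matching is a simplified parser written for this example and the `ssl_protocols` line in the hardened config is this example's addition.

```python
import re
from typing import List

# The server block from the page: auth_basic is reachable on both listeners.
PAGE_CONFIG = """
server {
    listen 80;
    listen 443 ssl;
    server_name prometheus.linuxpanda.tech ;
    ssl_certificate ssl/prometheus.linuxpanda.tech.crt;
    ssl_certificate_key ssl/prometheus.linuxpanda.tech.key;
    location / {
        auth_basic "Prometheus";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass http://localhost:9090/;
    }
}
"""

# Hardened variant (added here, not from the page): the port-80 block only
# redirects, so credentials are only ever presented on the TLS listener.
HARDENED_CONFIG = """
server {
    listen 80;
    server_name prometheus.linuxpanda.tech;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name prometheus.linuxpanda.tech;
    ssl_certificate ssl/prometheus.linuxpanda.tech.crt;
    ssl_certificate_key ssl/prometheus.linuxpanda.tech.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    location / {
        auth_basic "Prometheus";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass http://localhost:9090/;
    }
}
"""


def server_blocks(config: str) -> List[str]:
    """Return the body of each `server { ... }` block using simple brace matching.

    Good enough for configs like the ones above; it does not understand
    comments or quoted braces.
    """
    blocks = []
    for m in re.finditer(r"\bserver\s*\{", config):
        depth, start, i = 1, m.end(), m.end()
        while i < len(config) and depth:
            if config[i] == "{":
                depth += 1
            elif config[i] == "}":
                depth -= 1
            i += 1
        blocks.append(config[start:i - 1])
    return blocks


def plaintext_auth_listeners(config: str) -> List[str]:
    """List the `listen` arguments of non-TLS listeners that serve auth_basic
    without a redirect to https://. An empty list means every login goes over TLS."""
    findings = []
    for body in server_blocks(config):
        listens = [l.strip() for l in re.findall(r"\blisten\s+([^;]+);", body)]
        # `auth_basic "realm"` matches; `auth_basic_user_file` does not (underscore, not space).
        has_auth = re.search(r"\bauth_basic\s+", body) is not None
        has_redirect = re.search(r"\breturn\s+30[178]\s+https://", body) is not None
        if not has_auth or has_redirect:
            continue
        for args in listens:
            if "ssl" not in args.split():
                findings.append(args)
    return findings


if __name__ == "__main__":
    print("page config, plaintext listeners with auth:", plaintext_auth_listeners(PAGE_CONFIG))
    print("hardened config, plaintext listeners with auth:", plaintext_auth_listeners(HARDENED_CONFIG))
```

Run against the page's block the check reports the `80` listener; against the hardened variant it reports nothing, because the only block that carries `auth_basic` listens with `ssl`.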
Testing
After entering https://prometheus.linuxpanda.tech in the browser, it still warns that the connection is not secure. That is because we used an openssl self-signed certificate; ignore the certificate warning and continue, and the following page is reached.