原文:Adding Basic Auth to Prometheus with Nginx | Robust Perception
Adding Basic Auth to Prometheus with Nginx
为普罗米修斯添加Nginx基本认证(Basic Auth)
Brian Brazil August 11, 2015
Prometheus doesn’t provide authentication support in order to focus energy on making an awesome monitoring tool. Instead users can take advantage of a more purpose designed tool such as Nginx to do so. This post will look at how you can do that.
为了集中精力完善普罗米修斯这一监控工具,普罗米修斯并不提供认证功能。相反,用户可以利用针对性的工具,比如Nginx。这篇文章说明如何做到这一点.
To start you should install Nginx.
首先你需要安装Nginx
Next let’s get a basic Ngingx setup working. Here’s an Nginx configuration that simply acts as a reverse proxy from Prometheus on port 9090 to port 19090:
接下来让我们开始一个Nginx基本的配置工作。下面是普罗米修斯从9090端口到端口19090的反向代理的Nginx配置工作。
http {
server {
listen 0.0.0.0:19090;
location / {
proxy_pass http://localhost:9090/;
}
}
}
events {
}
If you start Nginx and visit http://localhost:19090 you’ll see the Prometheus status page.
启动Nginx并访问http://localhost:19090,就可以看到Prometheus的状态页面。
Now that Nginx is working we can add basic authentication. In order to authenticate users we need a list of usernames and passwords. We’ll use the htpasswd utility for this. This is in the apache2-utils packages on Debian based systems such as Ubuntu. We’ll add a user called “myuser”:
现在为Nginx添加基本认证工作。为了对用户进行身份验证,我们需要一个用户名和密码列表。我们使用htpasswd工具来实现。在基于Debian的系统上,比如Ubuntu,这个工具是的apache-utils工具包中。我们添加一个叫“myuser”的用户:
$ htpasswd -c .htpasswd myuser
New password:
Re-type new password:
Adding password for user myuser
Then configure basic auth in the Nginx configuration file:
接着再Nginx配置文件中配置基本认证
http {
server {
listen 0.0.0.0:19090;
location / {
proxy_pass http://localhost:9090/;
auth_basic "Prometheus";
auth_basic_user_file ".htpasswd";
}
}
}
events {
}
If you restart Nginx and once again visit http://localhost:19090 you’ll now be asked for your username and password.
重启Nginx,再次访问http://localhost:19090就需要输入用户名和密码。
Don’t forget to lock down file permissions on the .htpasswd file, and keep it outside of any paths that are served over HTTP. The same approach can be used with other components of Prometheus, such as the Alertmanager and Node Exporter.
别忘了锁定.htpasswd的文件权限,避免放任何在HTTP的访问路径之外。同样的方法也可以用于普罗米修斯的其他组件,Alertmanager和Node Exporter