Limit access to /metrics endpoint

Hey there!

I’m currently looking into cranking the monitoring to 180, the new monitoring docs are very helpful there! (I’m just trying to achieve something similar with Zabbix instead of PCP)

One thing I noticed there is that I don’t want to leave the /metrics endpoint open to everyone,
so I have been searching for a foreman-installer parameter to limit access to that, like apache-mod-status-requires, just for foreman-telemetry-prometheus-enabled.

I think I found the (for me) missing bits: a new fragment in the puppetlabs-apache vhost config would be needed.

Manually added that so far directly on my system with

<Location /metrics>
    Require ip 127.0.0.1 ::1
</Location>

at the end of the ssl vhost config.

I don’t know if this is really already everything needed, so any help there is welcome (if wanted I can also try to send a PR for that afterwards)

Thanks and cheers, lumarel

If the Zabbix monitoring sounds something wanted for the docs, I sure can write that down as well :slightly_smiling_face:
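The fragment the post above describes, written as a puppetlabs-apache `apache::vhost::fragment` resource. This is an added example, not code from the thread or from foreman-installer; the vhost name `foreman-ssl`, the priority `05` and port `443` are assumptions and have to match the `apache::vhost` resource that renders the Foreman SSL vhost on the target system.

```puppet
# Added example (not from the thread or Foreman's installer): restrict the
# Prometheus /metrics endpoint of the Foreman SSL vhost to loopback clients
# with a puppetlabs-apache vhost fragment. 'foreman-ssl', '05' and 443 are
# assumptions; they must match the apache::vhost that writes the SSL vhost,
# otherwise the fragment ends up in a different (or non-existent) file.
apache::vhost::fragment { 'foreman-metrics-access':
  vhost    => 'foreman-ssl',
  priority => '05',
  port     => 443,
  content  => @(METRICS),
    # Only a scraper on this host (e.g. a local Zabbix agent) may read metrics;
    # every other client gets a 403 from mod_authz_core.
    <Location /metrics>
      Require ip 127.0.0.1 ::1
    </Location>
    | METRICS
}
```

After applying it, `apachectl configtest` should still pass and a request for `/metrics` from a non-loopback address should return 403 while one from the host itself returns the metrics. If the scraper runs on another machine, add its address to the `Require ip` list rather than removing the block.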

Hi,

glad the doc is helpful!

There is, today, no direct way to set such a require rule for the /metrics endpoint.

We could certainly add one, but I wonder if that’s the best UX we can provide.

@ehelms @ekohl we recently talked (in a different context) about allowing users to apply “hardening” to their httpd, and here is another point for that list :slight_smile:

1 Like

Tbh I expected to find a require variable for this as well, because there was already one for mod-status, but sure, if there is a better way to do that stuff :slightly_smiling_face:

I think a --foreman-telemetry-allow-from parameter to the installer makes sense and I’d limit it to localhost by default.

1 Like