In this sandbox, nginx acts as a reverse proxy for Prometheus, enforcing both TLS encryption and basic auth. All Prometheus endpoints are available behind https://example.com/prometheus. The expression browser, for example, is available at https://example.com/prometheus/graph.
To access Prometheus in this sandbox, the proper username/password combo is `admin`/`password`.
To start the sandbox:

```bash
# In the foreground
make run # docker-compose up --build

# In detached mode
make run-detached # docker-compose up --build --detach
```

This will start up an `nginx` container and a `prometheus` container.

To kill the sandbox, run `make kill` (alias for `docker-compose kill`).
The `nginx` container is available on `localhost` port 443, but the example will only work if you map `localhost` to `example.com`. You can do so by modifying your `/etc/hosts` file to include a line like this:

```
127.0.0.1 localhost example.com
```
Because nginx enforces both TLS encryption and basic auth, a plain request like this one fails with a self-signed certificate error:

```bash
curl https://example.com/prometheus/metrics
```

If you disable cert checking using `--insecure`/`-k`, you'll get a `401 Unauthorized` error:

```bash
curl -ik https://example.com/prometheus/metrics
```

You'll need to supply the username and password to access Prometheus through the proxy:

```bash
curl -ik -u admin:password https://example.com/prometheus/metrics
```

Open up https://admin:password@example.com/prometheus/graph to access the Prometheus expression browser.

Folder | Assets |
---|---|
`certs` | An SSL cert and key generated by OpenSSL |
`haproxy` | An `haproxy.cfg` configuration file and `.htpasswd` password file |
`prometheus` | A `prometheus.yml` configuration file for Prometheus |

The nginx certs were created using this command:

```bash
openssl req -newkey rsa:4096 -nodes -keyout certs/example.com.key -x509 -out certs/example.com.crt \
  -subj "/C=US/ST=OR/L=Portland/O=CNCF/OU=Developer advocacy/CN=example.com"
```
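
An nginx configuration that would produce the behaviour shown above (certificate error, then `401`, then success with credentials) looks roughly like this. It is an added example, not the sandbox's own config file; the in-container file paths, the upstream name `prometheus:9090`, and the Prometheus `--web.external-url` setting are assumptions.

```nginx
# Added example, not the sandbox's own file.
# Assumed: container paths under /etc/nginx and an upstream reachable as prometheus:9090.
events {}

http {
  server {
    listen 443 ssl;
    server_name example.com;

    # Self-signed pair from the openssl command above (mount path assumed).
    # Clients reject it unless they trust the cert or pass -k.
    ssl_certificate     /etc/nginx/certs/example.com.crt;
    ssl_certificate_key /etc/nginx/certs/example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location /prometheus/ {
      # Requests without valid credentials get 401 before reaching Prometheus.
      auth_basic           "Prometheus";
      auth_basic_user_file /etc/nginx/.htpasswd;

      # No URI part on proxy_pass, so /prometheus/... is forwarded unchanged.
      # Prometheus must then serve under that prefix, e.g. started with
      # --web.external-url=https://example.com/prometheus (assumed).
      proxy_pass http://prometheus:9090;
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-Proto https;
    }

    # Nothing outside /prometheus/ is exposed through the proxy.
    location / {
      return 404;
    }
  }
}
```

With a layout like this, Prometheus's own port 9090 should stay unpublished in the Compose file so the proxy is the only way in; a published 9090 bypasses both TLS and basic auth.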