Securing Prometheus API and UI endpoints using basic auth

    NOTE: Although basic auth connections to Prometheus instances are not supported, basic auth is supported for connections from Prometheus instances to .

    Let’s say that you want to run a Prometheus instance behind an nginx server running on , and for all Prometheus endpoints to be available via the /prometheus endpoint. The full URL for Prometheus’ /metrics endpoint would thus be:

    Let’s also say that you want to require a username and password from all users accessing the Prometheus instance. For this example, use admin as the username and choose any password you’d like.

    mkdir -p /etc/nginx
    htpasswd -c /etc/nginx/.htpasswd admin

    NOTE: This example uses /etc/nginx as the location of the nginx configuration files, including the .htpasswd file, but this will vary based on the installation. Other include and /usr/local/etc/nginx.

    Below is an example nginx.conf configuration file (stored at /etc/nginx/nginx.conf). With this configuration, nginx will enforce basic auth for all connections to the /prometheus endpoint (which proxies to Prometheus):
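
A minimal nginx.conf matching the setup this guide describes, given as an added example rather than the page's original file. It assumes Prometheus listens on 127.0.0.1:9090 (its default port) and was started with --web.external-url=http://localhost:12321/prometheus so that it serves under the /prometheus prefix.

```nginx
# Added example, not the original page's file. Save as /etc/nginx/nginx.conf,
# the path passed to `nginx -c` in this guide.
# Assumptions (not stated on the page): Prometheus listens on its default
# port 9090 on the loopback interface and was started with
#   --web.external-url=http://localhost:12321/prometheus
# so that it serves its UI and API under the /prometheus path prefix.

events {}

http {
    server {
        # Port used by the curl requests in this guide.
        listen 12321;

        location /prometheus {
            # The realm string is returned in the 401 response as
            # WWW-Authenticate: Basic realm="Prometheus".
            auth_basic           "Prometheus";
            # Credentials file created with `htpasswd -c` earlier in the guide.
            auth_basic_user_file /etc/nginx/.htpasswd;

            # No URI part after the port: nginx forwards the request path
            # unchanged, so /prometheus/metrics reaches Prometheus as-is.
            proxy_pass           http://127.0.0.1:9090;
        }
    }
}
```

The password check applies only to requests that pass through nginx, so bind Prometheus to loopback (--web.listen-address=127.0.0.1:9090) to keep port 9090 from being reached directly. Basic auth sends credentials base64-encoded, not encrypted, so terminate TLS at nginx for anything beyond local testing.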

    Start nginx using the configuration from above:

    nginx -c /etc/nginx/nginx.conf

    You can use cURL to interact with your local nginx/Prometheus setup. Try this request:

    curl --head http://localhost:12321/prometheus/graph

    This will return a 401 Unauthorized response because you’ve failed to supply a valid username and password. The response will also contain a WWW-Authenticate: Basic realm="Prometheus" header supplied by nginx, indicating that the basic auth realm, specified by the auth_basic parameter for nginx, is enforced.

    To successfully access Prometheus endpoints using basic auth, for example the /metrics endpoint, supply the proper username using the -u flag and supply the password when prompted:

    # TYPE go_gc_duration_seconds summary
    go_gc_duration_seconds{quantile="0"} 0.0001343
    go_gc_duration_seconds{quantile="0.25"} 0.0002032
    go_gc_duration_seconds{quantile="0.5"} 0.0004485

    In this guide, you stored a username and password in a .htpasswd file, configured nginx to use the credentials in that file to authenticate users accessing Prometheus’ HTTP endpoints, started up nginx, and configured Prometheus for reverse proxying.