Securing Prometheus API and UI endpoints using basic auth
NOTE: Although basic auth connections to Prometheus instances are not supported, basic auth is supported for connections from Prometheus instances to .
Let’s say that you want to run a Prometheus instance behind an nginx server running on , and for all Prometheus endpoints to be available via the /prometheus endpoint. The full URL for Prometheus’ /metrics endpoint would thus be:
Let’s also say that you want to require a username and password from all users accessing the Prometheus instance. For this example, use admin as the username and choose any password you’d like.
mkdir -p /etc/nginx
htpasswd -c /etc/nginx/.htpasswd admin
NOTE: This example uses /etc/nginx as the location of the nginx configuration files, including the .htpasswd file, but this will vary based on the installation. Other include and /usr/local/etc/nginx.
Below is an example nginx.conf configuration file (stored at /etc/nginx/nginx.conf). With this configuration, nginx will enforce basic auth for all connections to the /prometheus endpoint (which proxies to Prometheus):
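A configuration matching this description, added here as an example and not taken from the original page. The upstream address 127.0.0.1:9090 and the Prometheus startup flags named in the comments are assumptions; the port, realm and password file are the ones this guide uses elsewhere.

```nginx
# Added example, not the original page's listing.
# Assumption: Prometheus runs on the same host and was started with
#   --web.listen-address=127.0.0.1:9090
#   --web.external-url=http://localhost:12321/prometheus
#   --web.route-prefix="/"
# Binding Prometheus to loopback matters: nginx is the only place where
# credentials are checked, so a Prometheus listener reachable on another
# interface can be queried directly without any authentication.

events {}

http {
    server {
        # Port used by the curl requests in this guide. This is plain HTTP,
        # so basic auth credentials cross the wire base64-encoded only;
        # keep it to local testing or put TLS in front of it.
        listen 12321;

        location /prometheus/ {
            # Realm string returned in the WWW-Authenticate header on a 401.
            auth_basic           "Prometheus";
            # Credentials file created with htpasswd.
            auth_basic_user_file /etc/nginx/.htpasswd;

            # The trailing slash makes nginx replace the /prometheus/ prefix
            # with / before forwarding, which matches --web.route-prefix="/".
            proxy_pass           http://127.0.0.1:9090/;
        }
    }
}
```

Running nginx -t -c /etc/nginx/nginx.conf checks the file for syntax errors before nginx is started with it.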
Start nginx using the configuration from above:
nginx -c /etc/nginx/nginx.conf
You can use cURL to interact with your local nginx/Prometheus setup. Try this request:
curl --head http://localhost:12321/prometheus/graph
This will return a 401 Unauthorized response because you’ve failed to supply a valid username and password. The response will also contain a WWW-Authenticate: Basic realm="Prometheus" header supplied by nginx, indicating that the basic auth realm, specified by the auth_basic parameter for nginx, is enforced.
To successfully access Prometheus endpoints using basic auth, for example the /metrics endpoint, supply the proper username using the -u flag and supply the password when prompted:
# TYPE go_gc_duration_seconds summary
go_gc_duration_seconds{quantile="0"} 0.0001343
go_gc_duration_seconds{quantile="0.25"} 0.0002032
go_gc_duration_seconds{quantile="0.5"} 0.0004485
In this guide, you stored a username and password in a .htpasswd file, configured nginx to use the credentials in that file to authenticate users accessing Prometheus’ HTTP endpoints, started up nginx, and configured Prometheus for reverse proxying.