HAProxy reverse proxy for Prometheus with SSL and Auth

The following configuration uses HAProxy as a reverse proxy in front of a Prometheus node data collector, adding TLS (SSL) and HTTP basic auth.

The configuration can also easily be adapted to put basic auth and TLS in front of a Prometheus server itself, or in front of other data collection types.

Please feel free to add more complex variations below.

First, the HAProxy configuration:

userlist prometheus_users
        # insecure-password stores the password in plain text; HAProxy also accepts
        # "password" followed by a crypt(3) hash, which avoids plaintext in the config
        user prometheus insecure-password my_plain_text_password_here

frontend promssl
        # Binds to IPv4 and IPv6; use "bind *:8443 ssl crt ..." for IPv4 only
        bind :::8443 v4v6 ssl crt /etc/haproxy/ssl/my.example.fqdn.pem
        acl prometheus-basic-auth-acl http_auth(prometheus_users)
        # Without this challenge an unauthenticated client gets a 503 (no backend), not a 401
        http-request auth realm Prometheus if !prometheus-basic-auth-acl
        use_backend promnode-backend if prometheus-basic-auth-acl

backend promnode-backend
        redirect scheme https if !{ ssl_fc }
        server prom 127.0.0.1:9100

Notes:

  • Adjust the password and FQDN as necessary
  • If you need a TLS (SSL) certificate, a simple free option is Let's Encrypt (see below)
  • Adjust the bind line as necessary (e.g. to expose Prometheus on the default HTTPS port 443)

(Optional - you don't need this if you use your own CA or obtain a certificate by any other means.) Obtain a TLS server certificate from Let's Encrypt, carrying out the domain verification on port 80:

Place the following in /usr/local/bin/hook-certbot-newcert-haproxy and make it executable:

#!/bin/sh
# GPLv2
# Concatenate the Let's Encrypt chain and private key into the single PEM file
# that HAProxy's "crt" option expects, readable by root and the haproxy group only.
set -eu
mkdir -p /etc/haproxy/ssl
umask 0026
FQDN=$(hostname -f)
SRCPATH='/etc/letsencrypt'
DEST="/etc/haproxy/ssl/${FQDN}.pem"
cat "${SRCPATH}/live/${FQDN}/fullchain.pem" "${SRCPATH}/live/${FQDN}/privkey.pem" > "${DEST}"
chgrp haproxy "${DEST}"

Use certbot to obtain the certificate (this assumes no web server is listening on port 80; otherwise you'll need to make alternative arrangements, see the extensive certbot docs):

certbot --authenticator standalone --standalone-supported-challenges http-01 --http-01-port 80 -m my_admin_email@example.com --agree-tos -d my.example.fqdn --post-hook /usr/local/bin/hook-certbot-newcert-haproxy certonly
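The hook above writes the bundle HAProxy loads; the following added example (not part of the original tip) checks that such a bundle has the shape and permissions the hook is meant to produce: certificate chain first, exactly one private key, no access for "other" (the hook's umask 0026 gives mode 0640), and ownership by the haproxy group. The bundle contents it writes for the demonstration are constructed placeholders, not a real certificate or key.

```python
import grp
import os
import re
import stat
import tempfile

# One PEM block; the back-reference makes the BEGIN and END labels match.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def check_bundle(path, group="haproxy"):
    """Return a list of problems with the bundle at `path`; [] means HAProxy can use it.

    `group` is the group name (or numeric gid) that should own the file.
    """
    problems = []
    with open(path) as f:
        labels = [m.group(1) for m in PEM_BLOCK.finditer(f.read())]
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block (fullchain.pem missing?)")
    n_keys = sum(1 for l in labels if l.endswith("PRIVATE KEY"))
    if n_keys != 1:
        problems.append("expected exactly one PRIVATE KEY block, found %d" % n_keys)
    # fullchain.pem starts with the leaf certificate; the key belongs after the chain
    if labels and labels[0] != "CERTIFICATE":
        problems.append("bundle does not start with the certificate chain")
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IRWXO:  # umask 0026 should have cleared all "other" bits
        problems.append("private key readable by others (mode %04o)" % mode)
    if mode & stat.S_IWGRP:
        problems.append("bundle is group-writable (mode %04o)" % mode)
    want_gid = group if isinstance(group, int) else grp.getgrnam(group).gr_gid
    if st.st_gid != want_gid:
        problems.append("group is gid %d, expected %s" % (st.st_gid, group))
    return problems


def current_group():
    """Effective gid of this process, used when checking a file we just wrote."""
    return os.getegid()


def write_sample_bundle(mode=0o640, with_key=True):
    """Write a constructed (fake, non-functional) PEM bundle to a temp dir and return its path."""
    path = os.path.join(tempfile.mkdtemp(), "sample.pem")
    cert = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
    key = "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"
    with open(path, "w") as f:
        f.write(cert * 2 + (key if with_key else ""))  # leaf + intermediate, then key
    os.chmod(path, mode)
    return path
```

On a real host, run check_bundle("/etc/haproxy/ssl/<fqdn>.pem") after the hook has fired, for example from the same cron job that runs certbot renew.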

See accessing-a-subset-of-prometheus-endpoints-over-ssl-auth for how to scrape such a TLS- and auth-protected node from Prometheus.

Tip by TimSmall.
Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License