Solving the authentication problem when Prometheus is deployed on a public IP

Download

http://nginx.org/en/download.html

Installation

https://www.kuangstudy.com/course

Configuring the reverse proxy and load balancing


Password tool:
root@wangwei830:/usr/local/nginx/sbin# cd ../conf/
root@wangwei830:/usr/local/nginx/conf# htpasswd

Command 'htpasswd' not found, but can be installed with:

apt install apache2-utils

root@wangwei830:/usr/local/nginx/conf# apt install apache2-utils
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following packages were automatically installed and are no longer required:
libgd3 libjbig0 libjpeg-turbo8 libjpeg8 libnginx-mod-http-image-filter libnginx-mod-http-xslt-filter libnginx-mod-mail
libnginx-mod-stream libtiff5 libwebp6 libxpm4 nginx-common nginx-core
Use 'apt autoremove' to remove them.
The following additional packages will be installed:
libapr1 libaprutil1
The following NEW packages will be installed:
apache2-utils libapr1 libaprutil1
0 upgraded, 3 newly installed, 0 to remove and 165 not upgraded.
Need to get 260 kB of archives.
After this operation, 969 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://repo.huaweicloud.com/ubuntu focal/main amd64 libapr1 amd64 1.6.5-1ubuntu1 [91.4 kB]
Get:2 http://repo.huaweicloud.com/ubuntu focal/main amd64 libaprutil1 amd64 1.6.1-4ubuntu2 [84.7 kB]
Get:3 http://repo.huaweicloud.com/ubuntu focal-updates/main amd64 apache2-utils amd64 2.4.41-4ubuntu3.7 [84.4 kB]
Fetched 260 kB in 0s (5,392 kB/s)
Selecting previously unselected package libapr1:amd64.
(Reading database … 132513 files and directories currently installed.)
Preparing to unpack …/libapr1_1.6.5-1ubuntu1_amd64.deb …
Unpacking libapr1:amd64 (1.6.5-1ubuntu1) …
Selecting previously unselected package libaprutil1:amd64.
Preparing to unpack …/libaprutil1_1.6.1-4ubuntu2_amd64.deb …
Unpacking libaprutil1:amd64 (1.6.1-4ubuntu2) …
Selecting previously unselected package apache2-utils.
Preparing to unpack …/apache2-utils_2.4.41-4ubuntu3.7_amd64.deb …
Unpacking apache2-utils (2.4.41-4ubuntu3.7) …
Setting up libapr1:amd64 (1.6.5-1ubuntu1) …
Setting up libaprutil1:amd64 (1.6.1-4ubuntu2) …
Setting up apache2-utils (2.4.41-4ubuntu3.7) …
Processing triggers for man-db (2.9.1-1) …
Processing triggers for libc-bin (2.31-0ubuntu9.2) …
root@wangwei830:/usr/local/nginx/conf#
root@wangwei830:/usr/local/nginx/conf# ls -lrt
total 68
-rw-r--r-- 1 root root 3610 Oct 11 11:25 win-utf
-rw-r--r-- 1 root root 5231 Oct 11 11:25 mime.types.default
-rw-r--r-- 1 root root 5231 Oct 11 11:25 mime.types
-rw-r--r-- 1 root root 2223 Oct 11 11:25 koi-win
-rw-r--r-- 1 root root 2837 Oct 11 11:25 koi-utf
-rw-r--r-- 1 root root 1007 Oct 11 11:25 fastcgi_params.default
-rw-r--r-- 1 root root 1007 Oct 11 11:25 fastcgi_params
-rw-r--r-- 1 root root 1077 Oct 11 11:25 fastcgi.conf.default
-rw-r--r-- 1 root root 1077 Oct 11 11:25 fastcgi.conf
-rw-r--r-- 1 root root 664 Oct 11 11:25 uwsgi_params.default
-rw-r--r-- 1 root root 664 Oct 11 11:25 uwsgi_params
-rw-r--r-- 1 root root 636 Oct 11 11:25 scgi_params.default
-rw-r--r-- 1 root root 636 Oct 11 11:25 scgi_params
-rw-r--r-- 1 root root 2656 Oct 11 11:25 nginx.conf.default
-rw-r--r-- 1 root root 2858 Oct 11 11:31 nginx.conf
root@wangwei830:/usr/local/nginx/conf# htpasswd -c ht.passwd prometheus
New password:
Re-type new password:
Adding password for user prometheus
root@wangwei830:/usr/local/nginx/conf# ls -lrt
total 72
-rw-r--r-- 1 root root 3610 Oct 11 11:25 win-utf
-rw-r--r-- 1 root root 5231 Oct 11 11:25 mime.types.default
-rw-r--r-- 1 root root 5231 Oct 11 11:25 mime.types
-rw-r--r-- 1 root root 2223 Oct 11 11:25 koi-win
-rw-r--r-- 1 root root 2837 Oct 11 11:25 koi-utf
-rw-r--r-- 1 root root 1007 Oct 11 11:25 fastcgi_params.default
-rw-r--r-- 1 root root 1007 Oct 11 11:25 fastcgi_params
-rw-r--r-- 1 root root 1077 Oct 11 11:25 fastcgi.conf.default
-rw-r--r-- 1 root root 1077 Oct 11 11:25 fastcgi.conf
-rw-r--r-- 1 root root 664 Oct 11 11:25 uwsgi_params.default
-rw-r--r-- 1 root root 664 Oct 11 11:25 uwsgi_params
-rw-r--r-- 1 root root 636 Oct 11 11:25 scgi_params.default
-rw-r--r-- 1 root root 636 Oct 11 11:25 scgi_params
-rw-r--r-- 1 root root 2656 Oct 11 11:25 nginx.conf.default
-rw-r--r-- 1 root root 2858 Oct 11 11:31 nginx.conf
-rw-r--r-- 1 root root 49 Oct 11 11:34 ht.passwd
root@wangwei830:/usr/local/nginx/conf# cat ht.passwd
prometheus:$apr1$I4SCAru/$V/dPxG0XX3sCUR01bJ6qF/
root@wangwei830:/usr/local/nginx/conf#

(3) Solving the authentication problem when Prometheus is deployed on a public IP

osc_8db3mwb5
2020/10/15 12:39

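Unlike Zabbix, Prometheus has no username/password authentication when you open its web interface, so anyone who reaches its IP and port sees all of the monitoring information it holds. The deployment advice for Prometheus is therefore not to put it on the public internet, and beyond that to turn on authentication. Authentication here means being prompted for a username and password at login. We implement it with HTTP Basic Auth on nginx.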

1. Deploy nginx (omitted).

2. Install the apache htpasswd tool

~:yum -y install httpd-tools

3. Create the username and password

~:cd /usr/local/nginx/conf/
~:htpasswd -c ht.passwd prometheus
New password:
Re-type new password:
Adding password for user prometheus

4. Edit the reverse proxy in nginx.conf

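server {
    # port that clients connect to
    listen 19090;

    location / {
        # Prometheus itself, reached over the loopback interface
        proxy_pass http://localhost:9090;
        # prompt for credentials and check them against the file from step 3
        auth_basic "Basic Authentication";
        auth_basic_user_file "ht.passwd";
    }
}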

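A note on why the reverse proxy points at http://localhost:9090: in my setup Prometheus and nginx run on the same server, and requests to port 9090 are only allowed from that server's own IP.

5. Modify the prometheus.yml file
Before editing prometheus.yml, first run the following in the prometheus directory:

~:./prometheus --config.file=./prometheus.yml --web.external-url=http://localhost:19090 --web.route-prefix="/" --web.enable-lifecycle --web.listen-address="localhost:9090"

The purpose is to make 19090 the port Prometheus presents externally, while port 9090 is set so that it connects to the reverse proxy on nginx.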

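~:vim prometheus.yml
static_configs:
  - targets: ['xxx.xxx.xxx.xxx:19090']
basic_auth:
  username: prometheus
  password: 密码   # placeholder: the password created in step 3

6. Restart Prometheus
In addition, if Grafana's monitoring has problems at this point, re-add the Prometheus address in Grafana, open Basic Auth, and enter the username and password that were just set.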
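
To confirm the outcome of steps 1 to 6, the following check is an added example and not part of the original post: it expects 401 from port 19090 without credentials, 200 with them, and no connection at all on port 9090. The names CHECK_HOST, PROM_USER and PROM_PASS are assumptions of this sketch; the ports are the ones used above, and /-/healthy is Prometheus's health endpoint.

```shell
#!/bin/sh
# Added example, not from the original post. Run it from a machine OTHER than
# the server, otherwise the localhost-only listener on 9090 is reachable.
# Assumed names (hypothetical): CHECK_HOST, PROM_USER, PROM_PASS.
# Ports 19090/9090 are the ones used in the post; /-/healthy is Prometheus's
# health endpoint.

# http_code URL: print the HTTP status of URL, or 000 if no connection was made.
# Extra curl options are read from stdin (-K -) so the password never shows up
# in the process list, as it would with "curl -u user:pass".
http_code() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 5 -K - "$1"
}

# verdict UNAUTH AUTH DIRECT: judge the three observed status codes.
verdict() {
    rc=0
    if [ "$1" != 401 ]; then
        echo "FAIL: 19090 answered $1 without credentials (expected 401)"; rc=1
    fi
    if [ "$2" != 200 ]; then
        echo "FAIL: 19090 answered $2 with credentials (expected 200)"; rc=1
    fi
    if [ "$3" != 000 ]; then
        echo "FAIL: 9090 is reachable without the proxy (status $3)"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "PASS"; fi
    return "$rc"
}

# check_deployment HOST: probe the proxy with and without credentials, then 9090.
# Assumes the password contains no double quote or backslash (curl config syntax).
check_deployment() {
    url="http://$1:19090/-/healthy"
    unauth=$(http_code "$url" </dev/null) || true
    auth=$(printf 'user = "%s:%s"\n' "$PROM_USER" "$PROM_PASS" | http_code "$url") || true
    direct=$(http_code "http://$1:9090/-/healthy" </dev/null) || true
    verdict "$unauth" "$auth" "$direct"
}

# Only probe when a host is supplied, e.g.:
#   CHECK_HOST=xxx.xxx.xxx.xxx PROM_USER=prometheus PROM_PASS=... sh check.sh
if [ -n "${CHECK_HOST:-}" ]; then
    check_deployment "$CHECK_HOST"
fi
```

Basic Auth sends the username and password base64-encoded on every request, so with the plain http:// listener configured above they are readable along the network path; serving port 19090 over TLS in nginx closes that gap.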
