In this sandbox, nginx acts as a reverse proxy for Prometheus, enforcing both TLS encryption and basic auth. All Prometheus endpoints are available behind https://example.com/prometheus. The expression browser, for example, is available at https://example.com/prometheus/graph.
To access Prometheus in this sandbox, the proper username/password combo is
admin/password.
To start the sandbox:
# In the foreground
make run # docker-compose up --build
# In detached mode
make run-detached # docker-compose up --build --detachThis will start up an nginx container and a prometheus container.
To kill the sandbox, run
make kill(alias fordocker-compose kill).
The nginx container is available on localhost port 443 but the example will only work if you map localhost to example.com. You can do so by modifying your /etc/hosts file to include a line like this:
127.0.0.1 localhost example.com
As nginx enforces both TLS encryption and basic auth, this will result in a self-signed certificate error:
curl https://example.com/prometheus/metricsIf you disable cert checking using --insecure/-k you'll get a 401 Unauthorized error:
curl -ik https://example.com/prometheus/metricsYou'll need to supply the username and password to access Prometheus through the proxy:
curl -ik -u admin:password https://example.com/prometheus/metricsOpen up https://admin:[email protected]/prometheus/graph to access the Prometheus expression browser.
| Folder | Assets |
|---|---|
certs |
An SSL cert and key generated by OpenSSL |
haproxy |
An haproxy.cfg configuration file and .htpasswd password file |
prometheus |
A prometheus.yml configuration file for Prometheus |
The nginx certs were created using this command:
openssl req -newkey rsa:4096 -nodes -keyout certs/example.com.key -x509 -out certs/example.com.crt \
-subj "/C=US/ST=OR/L=Portland/O=CNCF/OU=Developer advocacy/CN=example.com"