Add ip restriction for the prometheus_client output (#4431)

This commit is contained in:
dupondje 2018-08-02 00:43:34 +02:00 committed by Greg
parent 199841a820
commit e1160c26bc
3 changed files with 34 additions and 2 deletions

View File

@ -747,6 +747,9 @@
# #basic_username = "Foo" # #basic_username = "Foo"
# #basic_password = "Bar" # #basic_password = "Bar"
# #
# ## IP Ranges which are allowed to access metrics
# #ip_range = ["192.168.0.0/24", "192.168.1.0/30"]
#
# ## Interval to expire metrics and not deliver to prometheus, 0 == no expiration # ## Interval to expire metrics and not deliver to prometheus, 0 == no expiration
# # expiration_interval = "60s" # # expiration_interval = "60s"
# #

View File

@ -18,6 +18,9 @@ This plugin starts a [Prometheus](https://prometheus.io/) Client, it exposes all
basic_username = "Foo" basic_username = "Foo"
basic_password = "Bar" basic_password = "Bar"
# IP Ranges which are allowed to access metrics
ip_range = ["192.168.0.0/24", "192.168.1.0/30"]
# Path to publish the metrics on, defaults to /metrics # Path to publish the metrics on, defaults to /metrics
path = "/metrics" path = "/metrics"

View File

@ -5,6 +5,7 @@ import (
"crypto/subtle" "crypto/subtle"
"fmt" "fmt"
"log" "log"
"net"
"net/http" "net/http"
"os" "os"
"regexp" "regexp"
@ -58,6 +59,7 @@ type PrometheusClient struct {
TLSKey string `toml:"tls_key"` TLSKey string `toml:"tls_key"`
BasicUsername string `toml:"basic_username"` BasicUsername string `toml:"basic_username"`
BasicPassword string `toml:"basic_password"` BasicPassword string `toml:"basic_password"`
IPRange []string `toml:"ip_range"`
ExpirationInterval internal.Duration `toml:"expiration_interval"` ExpirationInterval internal.Duration `toml:"expiration_interval"`
Path string `toml:"path"` Path string `toml:"path"`
CollectorsExclude []string `toml:"collectors_exclude"` CollectorsExclude []string `toml:"collectors_exclude"`
@ -84,6 +86,9 @@ var sampleConfig = `
#basic_username = "Foo" #basic_username = "Foo"
#basic_password = "Bar" #basic_password = "Bar"
## IP Ranges which are allowed to access metrics
#ip_range = ["192.168.0.0/24", "192.168.1.0/30"]
## Interval to expire metrics and not deliver to prometheus, 0 == no expiration ## Interval to expire metrics and not deliver to prometheus, 0 == no expiration
# expiration_interval = "60s" # expiration_interval = "60s"
@ -96,7 +101,7 @@ var sampleConfig = `
string_as_label = true string_as_label = true
` `
func (p *PrometheusClient) basicAuth(h http.Handler) http.Handler { func (p *PrometheusClient) auth(h http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if p.BasicUsername != "" && p.BasicPassword != "" { if p.BasicUsername != "" && p.BasicPassword != "" {
w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`) w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
@ -110,6 +115,27 @@ func (p *PrometheusClient) basicAuth(h http.Handler) http.Handler {
} }
} }
if len(p.IPRange) > 0 {
matched := false
remoteIPs, _, _ := net.SplitHostPort(r.RemoteAddr)
remoteIP := net.ParseIP(remoteIPs)
for _, iprange := range p.IPRange {
_, ipNet, err := net.ParseCIDR(iprange)
if err != nil {
http.Error(w, "Config Error in ip_range setting", 500)
return
}
if ipNet.Contains(remoteIP) {
matched = true
break
}
}
if !matched {
http.Error(w, "Not authorized", 401)
return
}
}
h.ServeHTTP(w, r) h.ServeHTTP(w, r)
}) })
} }
@ -146,7 +172,7 @@ func (p *PrometheusClient) Start() error {
} }
mux := http.NewServeMux() mux := http.NewServeMux()
mux.Handle(p.Path, p.basicAuth(promhttp.HandlerFor( mux.Handle(p.Path, p.auth(promhttp.HandlerFor(
registry, promhttp.HandlerOpts{ErrorHandling: promhttp.ContinueOnError}))) registry, promhttp.HandlerOpts{ErrorHandling: promhttp.ContinueOnError})))
p.server = &http.Server{ p.server = &http.Server{