Add ip restriction for the prometheus_client output (#4431)
This commit is contained in:
parent
199841a820
commit
e1160c26bc
|
@ -747,6 +747,9 @@
|
||||||
# #basic_username = "Foo"
|
# #basic_username = "Foo"
|
||||||
# #basic_password = "Bar"
|
# #basic_password = "Bar"
|
||||||
#
|
#
|
||||||
|
# ## IP Ranges which are allowed to access metrics
|
||||||
|
# #ip_range = ["192.168.0.0/24", "192.168.1.0/30"]
|
||||||
|
#
|
||||||
# ## Interval to expire metrics and not deliver to prometheus, 0 == no expiration
|
# ## Interval to expire metrics and not deliver to prometheus, 0 == no expiration
|
||||||
# # expiration_interval = "60s"
|
# # expiration_interval = "60s"
|
||||||
#
|
#
|
||||||
|
|
|
@ -18,6 +18,9 @@ This plugin starts a [Prometheus](https://prometheus.io/) Client, it exposes all
|
||||||
basic_username = "Foo"
|
basic_username = "Foo"
|
||||||
basic_password = "Bar"
|
basic_password = "Bar"
|
||||||
|
|
||||||
|
# IP Ranges which are allowed to access metrics
|
||||||
|
ip_range = ["192.168.0.0/24", "192.168.1.0/30"]
|
||||||
|
|
||||||
# Path to publish the metrics on, defaults to /metrics
|
# Path to publish the metrics on, defaults to /metrics
|
||||||
path = "/metrics"
|
path = "/metrics"
|
||||||
|
|
||||||
|
|
|
@ -5,6 +5,7 @@ import (
|
||||||
"crypto/subtle"
|
"crypto/subtle"
|
||||||
"fmt"
|
"fmt"
|
||||||
"log"
|
"log"
|
||||||
|
"net"
|
||||||
"net/http"
|
"net/http"
|
||||||
"os"
|
"os"
|
||||||
"regexp"
|
"regexp"
|
||||||
|
@ -58,6 +59,7 @@ type PrometheusClient struct {
|
||||||
TLSKey string `toml:"tls_key"`
|
TLSKey string `toml:"tls_key"`
|
||||||
BasicUsername string `toml:"basic_username"`
|
BasicUsername string `toml:"basic_username"`
|
||||||
BasicPassword string `toml:"basic_password"`
|
BasicPassword string `toml:"basic_password"`
|
||||||
|
IPRange []string `toml:"ip_range"`
|
||||||
ExpirationInterval internal.Duration `toml:"expiration_interval"`
|
ExpirationInterval internal.Duration `toml:"expiration_interval"`
|
||||||
Path string `toml:"path"`
|
Path string `toml:"path"`
|
||||||
CollectorsExclude []string `toml:"collectors_exclude"`
|
CollectorsExclude []string `toml:"collectors_exclude"`
|
||||||
|
@ -84,6 +86,9 @@ var sampleConfig = `
|
||||||
#basic_username = "Foo"
|
#basic_username = "Foo"
|
||||||
#basic_password = "Bar"
|
#basic_password = "Bar"
|
||||||
|
|
||||||
|
## IP Ranges which are allowed to access metrics
|
||||||
|
#ip_range = ["192.168.0.0/24", "192.168.1.0/30"]
|
||||||
|
|
||||||
## Interval to expire metrics and not deliver to prometheus, 0 == no expiration
|
## Interval to expire metrics and not deliver to prometheus, 0 == no expiration
|
||||||
# expiration_interval = "60s"
|
# expiration_interval = "60s"
|
||||||
|
|
||||||
|
@ -96,7 +101,7 @@ var sampleConfig = `
|
||||||
string_as_label = true
|
string_as_label = true
|
||||||
`
|
`
|
||||||
|
|
||||||
func (p *PrometheusClient) basicAuth(h http.Handler) http.Handler {
|
func (p *PrometheusClient) auth(h http.Handler) http.Handler {
|
||||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||||
if p.BasicUsername != "" && p.BasicPassword != "" {
|
if p.BasicUsername != "" && p.BasicPassword != "" {
|
||||||
w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
|
w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
|
||||||
|
@ -110,6 +115,27 @@ func (p *PrometheusClient) basicAuth(h http.Handler) http.Handler {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if len(p.IPRange) > 0 {
|
||||||
|
matched := false
|
||||||
|
remoteIPs, _, _ := net.SplitHostPort(r.RemoteAddr)
|
||||||
|
remoteIP := net.ParseIP(remoteIPs)
|
||||||
|
for _, iprange := range p.IPRange {
|
||||||
|
_, ipNet, err := net.ParseCIDR(iprange)
|
||||||
|
if err != nil {
|
||||||
|
http.Error(w, "Config Error in ip_range setting", 500)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if ipNet.Contains(remoteIP) {
|
||||||
|
matched = true
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if !matched {
|
||||||
|
http.Error(w, "Not authorized", 401)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
h.ServeHTTP(w, r)
|
h.ServeHTTP(w, r)
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
@ -146,7 +172,7 @@ func (p *PrometheusClient) Start() error {
|
||||||
}
|
}
|
||||||
|
|
||||||
mux := http.NewServeMux()
|
mux := http.NewServeMux()
|
||||||
mux.Handle(p.Path, p.basicAuth(promhttp.HandlerFor(
|
mux.Handle(p.Path, p.auth(promhttp.HandlerFor(
|
||||||
registry, promhttp.HandlerOpts{ErrorHandling: promhttp.ContinueOnError})))
|
registry, promhttp.HandlerOpts{ErrorHandling: promhttp.ContinueOnError})))
|
||||||
|
|
||||||
p.server = &http.Server{
|
p.server = &http.Server{
|
||||||
|
|
Loading…
Reference in New Issue