Chapter 20. Server-Side Security

In this chapter, you will learn about security features provided by Prometheus, such as TLS and Basic Authentication.

Security Features Provided by Prometheus

When operating Prometheus, many operators choose to use a reverse proxy to secure its endpoints. Indeed, the Prometheus server APIs are exposed over HTTP, which makes them easy to integrate into any HTTP-capable reverse proxy.

Prometheus itself supports server-side security, making it possible to either directly expose a secured version of Prometheus to the users or secure the traffic between Prometheus and these reverse proxies.

Server-side security as described in this chapter applies to the Prometheus server and most of the official exporters. The same command-line flags and options can be shared between these, so what follows applies to more than just Prometheus.

The options described in this chapter live in a dedicated file, whose path is passed with the --web.config.file flag. The file is read on each request, so you do not need to reload Prometheus or the exporter to apply changes.
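As an added illustration (not taken from the book), a minimal file of the kind passed to --web.config.file might look like the following. The key names are those of the Prometheus web configuration format; the file paths, the user name and the hash value are placeholders assumed for this example.

```yaml
# web-config.yml -- constructed example; every path and name is a placeholder.
# Start the server with:  prometheus --web.config.file=web-config.yml
# Validate before use:    promtool check web-config web-config.yml

tls_server_config:
  # Certificate and private key the server presents to clients.
  cert_file: /etc/prometheus/tls/server.crt
  key_file: /etc/prometheus/tls/server.key
  # Refuse anything older than TLS 1.2.
  min_version: TLS12
  # Optional client-certificate authentication (left disabled here):
  # client_auth_type: RequireAndVerifyClientCert
  # client_ca_file: /etc/prometheus/tls/clients-ca.crt

basic_auth_users:
  # user name: bcrypt hash of the password, never the plaintext password.
  # Generate the hash offline and paste it in place of the placeholder.
  alice: "<BCRYPT_HASH_PLACEHOLDER>"
```

The private key file should be readable only by the account that runs Prometheus or the exporter. Because the file is read on each request, a malformed edit takes effect immediately, so validate it before saving it in place.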

Enabling TLS

TLS is widely used in networking to secure communications between clients and servers. Without going into too much detail, TLS enables a client to validate that the server it connects to is recognized by a known certificate authority (CA), and then encrypts the subsequent traffic. It is also possible to use TLS to authenticate clients by forcing them to also present a valid ...
