In this sandbox, HAProxy acts as a reverse proxy for Prometheus, enforcing both TLS encryption and basic auth. All Prometheus endpoints are available behind https://example.com/prometheus. The expression browser, for example, is available at https://example.com/prometheus/graph.
To access Prometheus in this sandbox, two username/password combos are possible: `admin1`/`password1` and `admin2`/`password2`.
To start the sandbox:

```bash
# In the foreground
make run # docker-compose up --build

# In detached mode
make run-detached # docker-compose up --build --detach
```
This will start up an `haproxy` container and a `prometheus` container.

The `haproxy` container is available on `localhost` port 443 but the example will only work if you map `localhost` to `example.com`. You can do so by modifying your `/etc/hosts` file to include a line like this:

```
127.0.0.1 localhost example.com
```
As HAProxy enforces both TLS encryption and basic auth, this will result in a self-signed certificate error:

```bash
curl https://example.com/prometheus/metrics
```

If you disable cert checking using `--insecure`/`-k` you'll get a `401 Unauthorized` error:

```bash
curl -ik https://example.com/prometheus/graph
```
You'll need to supply a valid username and password to access Prometheus through the proxy:

```bash
curl -ik -u admin1:password1 https://example.com/prometheus/metrics
```

Open up https://admin1:password1@example.com/prometheus/graph to access the Prometheus expression browser.

Folder | Assets |
---|---|
certs | An SSL cert and key generated by OpenSSL |
haproxy | An haproxy.cfg configuration file |
prometheus | A prometheus.yml configuration file for Prometheus |

The haproxy cert was created using these commands:

```bash
openssl req -newkey rsa:4096 -nodes -keyout certs/key.pem -x509 -out certs/certificate.pem \
  -subj "/C=US/ST=OR/L=Portland/O=CNCF/OU=Developer advocacy/CN=example.com"
cat certs/{certificate,key}.pem > certs/cert.pem
rm certs/{certificate,key}.pem
```
The hashed passwords in `haproxy.cfg` were created using these commands:

```bash
mkpasswd -m sha-512 password1
mkpasswd -m sha-512 password2
```
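
How the combined `cert.pem` and the `mkpasswd` hashes above are typically wired into HAProxy, as an added example that is not the sandbox's own `haproxy.cfg`. The userlist, frontend and backend names, the certificate path inside the container, the `prometheus:9090` backend address, the TLS floor and the hash placeholders are all assumptions.

```haproxy
global
    # Assumption: refuse anything older than TLS 1.2 on every bind line.
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# One entry per account. "password" expects a crypt(3) hash, which is
# what `mkpasswd -m sha-512` prints (it starts with $6$).
userlist prometheus_users
    user admin1 password $6$<salt-placeholder>$<hash-placeholder>
    user admin2 password $6$<salt-placeholder>$<hash-placeholder>
    # Weak alternative, shown for contrast only: "insecure-password"
    # keeps the cleartext secret in the config file.
    # user admin1 insecure-password password1

frontend https_in
    # cert.pem is the certificate and private key concatenated into one
    # file, the layout the `cat certs/{certificate,key}.pem` step produces.
    bind *:443 ssl crt /usr/local/etc/haproxy/certs/cert.pem

    # Answer 401 with a Basic challenge unless the request carries
    # credentials that match an entry in the userlist.
    http-request auth realm Prometheus unless { http_auth(prometheus_users) }

    # Credentials are checked at the proxy; do not pass them upstream.
    http-request del-header Authorization

    default_backend prometheus

backend prometheus
    # Assumption: the Prometheus container is reachable under its compose
    # service name on the default port and is configured to serve under
    # the /prometheus path prefix.
    server prometheus prometheus:9090 check
```

Because the proxy is the only control in front of Prometheus here, the backend port should not be published to the host; otherwise requests can reach Prometheus without TLS or authentication.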