Skip to content

Latest commit

 

History

History
 
 

haproxy

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 
 
 
 
 
 
 
 
 
 
 

haproxy sandbox

In this sandbox, HAProxy acts as a reverse proxy for Prometheus, enforcing both TLS encryption and basic auth. All Prometheus endpoints are available behind https://example.com/prometheus. The expression browser, for example, is available at https://example.com/prometheus/graph.

To access Prometheus in this sandbox, two username/password combos are possible: admin1/password1 and admin2/password2.

Usage

To start the sandbox:

# In the foreground
make run # docker-compose up --build

# In detached mode
make run-detached # docker-compose up --build --detach

This will start up an haproxy container and a prometheus container.

The haproxy container is available on localhost port 443 but the example will only work if you map localhost to example.com. You can do so by modifying your /etc/hosts file to include a line like this:

127.0.0.1     localhost example.com

As HAProxy enforces both TLS encryption and basic auth, this will result in a self-signed certificate error:

curl https://example.com/prometheus/metrics

If you disable cert checking using --insecure/-k you'll get a 401 Unauthorized error:

curl -ik https://example.com/prometheus/graph

You'll need to supply an valid username and password to access Prometheus through the proxy:

curl -ik -u admin1:password1 https://example.com/prometheus/metrics

Open up https://admin1:[email protected]/prometheus/graph to access the Prometheus expression browser.

Assets

Folder Assets
certs An SSL cert and key generated by OpenSSL
haproxy An haproxy.cfg configuration file
prometheus A prometheus.yml configuration file for Prometheus

The haproxy cert was created using these commands:

openssl req -newkey rsa:4096 -nodes -keyout certs/key.pem -x509 -out certs/certificate.pem \
    -subj "/C=US/ST=OR/L=Portland/O=CNCF/OU=Developer advocacy/CN=example.com"
cat certs/{certificate,key}.pem > certs/cert.pem
rm certs/{certificate,key}.pem

The hashed passwords in haproxy.cfg were created using these commands:

mkpasswd -m sha-512 password1
mkpasswd -m sha-512 password2