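I. Overview
TLS encryption is added on top of basic_auth username/password authentication, so access is protected by both a password and a key.
II. Configuration
1. Generate the key and certificate files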
openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -keyout prom-test.key -out prom-test.crt -subj \
"/C=CN/ST=Beijing/L=Beijing/O=/CN=localhost"
2. Add the TLS key files to config.yml
vi /usr/local/prometheus/config.yml
basic_auth_users:
  # The user name configured here is admin; multiple users can be defined
  admin: $2y$12$mMnPuKlOQ97ff4NjDsQTMukAtRS/ILpjxjEQrCN0vefs0CBLe/hi6
tls_server_config: # TLS encryption
  cert_file: prom-test.crt
  key_file: prom-test.key
# Place the key files in the same directory as config.yml
3. Edit prometheus.yml
scrape_configs:
  - job_name: 'prometheus'
    basic_auth:
      username: admin
      password: 123456
    # New TLS settings
    scheme: https
    tls_config:
      ca_file: prom-test.crt # name of the crt file
      insecure_skip_verify: true # skip server certificate verification (traffic is encrypted, but the server is not authenticated)
    static_configs:
      - targets: ['192.168.10.131:9090']
4. Start and test
1. Start
/usr/local/prometheus/prometheus \
--config.file=/usr/local/prometheus/prometheus.yml \
--web.config.file=/usr/local/prometheus/config.yml \
--storage.tsdb.path="/usr/local/prometheus/data" \
--storage.tsdb.retention=15d \
--web.console.templates="/usr/local/prometheus/consoles" \
--web.console.libraries="/usr/local/prometheus/console_libraries" \
--web.max-connections=512 \
--web.external-url="<external URL: value missing in the original>" \
--web.listen-address=192.168.10.131:9090 &>/usr/local/prometheus/prometheus.log &
2. Test over HTTP. The server answers:
"Client sent an HTTP request to an HTTPS server."
3. Test over HTTPS
A login prompt appears; after logging in with the username and password, check the targets.
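III. Connecting Grafana
In the data source settings, change the HTTP URL and additionally tick "Basic auth", "TLS Client Auth" and "Skip TLS Verify".
1. Fill in Basic Auth Details
2. TLS/SSL Auth Details
Enter the ServerName, and paste the contents of the generated crt and key files into the Client Cert and Client Key text boxes.
3. Tick Skip TLS Verify
If it is not ticked, saving fails with the error "HTTP Error Bad Gateway".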
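
The certificate from step 1 names only CN=localhost, which does not cover 192.168.10.131, so a client that verifies it rejects the connection; this is what insecure_skip_verify and Skip TLS Verify work around. The following is an added example, not part of the original post: it issues the certificate with a subjectAltName for that address and checks it, so verification can stay on. It assumes OpenSSL 1.1.1 or newer, and the function names are illustrative.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post. Assumes OpenSSL 1.1.1+ (-addext).
# File names and the IP address are the ones used on this page.

# gen_prom_cert DIR IP: self-signed certificate whose subjectAltName covers
# both localhost and the address Prometheus listens on.
# (The empty O= from the page's -subj is omitted here.)
gen_prom_cert() {
  openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
    -keyout "$1/prom-test.key" -out "$1/prom-test.crt" \
    -subj "/C=CN/ST=Beijing/L=Beijing/CN=localhost" \
    -addext "subjectAltName=DNS:localhost,IP:$2" 2>/dev/null || return 1
  chmod 600 "$1/prom-test.key"   # private key readable by its owner only
}

# cert_covers_ip CRT IP: succeeds only if the certificate is valid for IP.
cert_covers_ip() {
  openssl x509 -in "$1" -noout -checkip "$2" | grep -q "does match certificate"
}

# scrape_tls_snippet: the tls_config from step 3 with verification left on.
scrape_tls_snippet() {
  cat <<'EOF'
    scheme: https
    tls_config:
      ca_file: prom-test.crt        # the self-signed cert is its own trust anchor
      insecure_skip_verify: false   # certificate and address are checked
EOF
}

# Demo in a scratch directory, so existing key files are not overwritten.
demo_dir="$(mktemp -d)"
if gen_prom_cert "$demo_dir" 192.168.10.131 &&
   cert_covers_ip "$demo_dir/prom-test.crt" 192.168.10.131; then
  echo "certificate in $demo_dir is valid for 192.168.10.131"
  scrape_tls_snippet
fi
```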