Prometheus scrape configuration pitfalls: monitoring an endpoint protected by a username and password


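The main purpose of this article is to show how to configure Prometheus so that it can scrape metrics from a specified Web API endpoint. The example used is an NGINX scrape configuration that collects data from an NGINX metrics page protected by a username and password, so the subtitle of this article could be "Prometheus scrape configuration for nginx" or "Prometheus scraping nginx with basic auth".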

[Figure: Grafana dashboard after configuration]

The figure above shows the result once configuration is complete, with a dashboard template set up in Grafana.

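Anyone who has used Prometheus will know how to configure an address:port style service. For example, to collect information about a Redis instance, the configuration can be written like this: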


  - job_name: 'redis'
    static_configs:
    - targets: ['11.22.33.58:6087']


Note: the example above assumes that the Redis Exporter's address and port are 11.22.33.58:6087.

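This is the simplest and best-known approach. But if you need to monitor a specific Web API, it cannot be written this way. If you had not found this article, you would probably search like this: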

  • Prometheus monitor Web
  • Prometheus scrape Web
  • Prometheus monitor endpoint
  • Prometheus monitor specific API
  • Prometheus API configuration
  • Prometheus domain name configuration
  • Prometheus basic auth
  • Prometheus endpoint username password

Unfortunately, these searches turn up little useful information (as of March 2021); most of what you find is a trap.

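Assumptions

Suppose we need to collect Prometheus metrics from the endpoint at https://www.weishidong.com//status/format/prometheus, and that this endpoint uses basic auth (assume the username is weishidong and the password is 0099887kk) for basic access control.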

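Configuration in practice

If you follow the Prometheus configurations you have seen before, you will very likely write the configuration like this: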


  - job_name: 'web'
    static_configs:
    - targets: ['http://www.weishidong.com/status/format/prometheus']
    basic_auth:
      username: weishidong
      password: 0099887kk


After saving the configuration file and restarting the service, you will find that no data is collected this way. Terrible.

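The official configuration guide

That attempt really was terrible. When we run into something we do not understand, we of course turn to the official documentation -> Prometheus Configuration[1]. Reading it from top to bottom is recommended, but if you are in a hurry you can go straight to the scrape configuration[2] section. The official example is as follows (there is a lot of content, so only the parts relevant to this article are kept here; reading the original is recommended):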


# The job name assigned to scraped metrics by default.
job_name: <job_name>

# How frequently to scrape targets from this job.
[ scrape_interval: <duration> | default = <global_config.scrape_interval> ]

# Per-scrape timeout when scraping this job.
[ scrape_timeout: <duration> | default = <global_config.scrape_timeout> ]

# The HTTP resource path on which to fetch metrics from targets.
[ metrics_path: <path> | default = /metrics ]

# honor_labels controls how Prometheus handles conflicts between labels that are
# already present in scraped data and labels that Prometheus would attach
# server-side ("job" and "instance" labels, manually configured target
# labels, and labels generated by service discovery implementations).
#
# If honor_labels is set to "true", label conflicts are resolved by keeping label
# values from the scraped data and ignoring the conflicting server-side labels.
#
# If honor_labels is set to "false", label conflicts are resolved by renaming
# conflicting labels in the scraped data to "exported_<original-label>" (for
# example "exported_instance", "exported_job") and then attaching server-side
# labels.
#
# Setting honor_labels to "true" is useful for use cases such as federation and
# scraping the Pushgateway, where all labels specified in the target should be
# preserved.
#
# Note that any globally configured "external_labels" are unaffected by this
# setting. In communication with external systems, they are always applied only
# when a time series does not have a given label yet and are ignored otherwise.
[ honor_labels: <boolean> | default = false ]

# honor_timestamps controls whether Prometheus respects the timestamps present
# in scraped data.
#
# If honor_timestamps is set to "true", the timestamps of the metrics exposed
# by the target will be used.
#
# If honor_timestamps is set to "false", the timestamps of the metrics exposed
# by the target will be ignored.
[ honor_timestamps: <boolean> | default = true ]

# Configures the protocol scheme used for requests.
[ scheme: <scheme> | default = http ]

# Optional HTTP URL parameters.
params:
  [ <string>: [<string>, ...] ]

# Sets the `Authorization` header on every scrape request with the
# configured username and password.
# password and password_file are mutually exclusive.
basic_auth:
  [ username: <string> ]
  [ password: <secret> ]
  [ password_file: <string> ]

# Sets the `Authorization` header on every scrape request with
# the configured bearer token. It is mutually exclusive with `bearer_token_file`.
[ bearer_token: <secret> ]

# Sets the `Authorization` header on every scrape request with the bearer token
# read from the configured file. It is mutually exclusive with `bearer_token`.
[ bearer_token_file: <filename> ]


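If you read carefully, you should notice two key items: metrics_path and basic_auth. metrics_path specifies the route from which HTTP metrics are scraped, and its default value is /metrics. The basic_auth field is used for authentication, and the password can be supplied through a password file instead of being written in plaintext (generally speaking, a password file is somewhat more secure than a plaintext password in the configuration).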

A working configuration

Following the official documentation, we can quickly derive the correct configuration:


  - job_name: 'web'
    metrics_path: /status/format/prometheus
    static_configs:
    - targets: ['www.weishidong.com']
    basic_auth:
      username: weishidong
      password: 0099887kk


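Note that there is no need to write http:// here, because Prometheus's default scheme is http. If the address uses https, then following the documentation we need to add the scheme field, and the configuration becomes: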


  - job_name: 'web'
    metrics_path: /status/format/prometheus
    static_configs:
    - targets: ['www.weishidong.com']
    scheme: https
    basic_auth:
      username: weishidong
      password: 0099887kk
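As an added example (not from the original article or the Prometheus project), this Python check flags the mistakes discussed above in one scrape job: a URL placed in targets, a plaintext basic_auth password, and basic_auth sent over http. It takes the job as the dict a YAML loader would return; the function name, the sample jobs and the password file path are assumptions.

```python
from urllib.parse import urlsplit


def audit_scrape_job(job):
    """Return findings for one scrape_configs entry (dict from a YAML loader)."""
    name = job.get("job_name", "<unnamed>")
    scheme = job.get("scheme", "http")  # Prometheus defaults to http
    auth = job.get("basic_auth") or {}
    findings = []
    for group in job.get("static_configs", []):
        for target in group.get("targets", []):
            # A target is host[:port]; scheme and path have their own fields.
            if "/" in target:
                parts = urlsplit(target if "://" in target else "//" + target)
                findings.append(
                    f"{name}: target {target!r} carries a scheme or path; use "
                    f"targets: ['{parts.netloc}'], scheme: {parts.scheme or scheme}, "
                    f"metrics_path: {parts.path or '/metrics'}"
                )
    if auth:
        if "password" in auth and "password_file" in auth:
            findings.append(f"{name}: password and password_file are mutually exclusive")
        elif "password" in auth:
            findings.append(f"{name}: plaintext basic_auth password; prefer password_file")
        if scheme != "https":
            findings.append(f"{name}: basic_auth over {scheme} sends credentials unencrypted")
    return findings


# Constructed sample jobs: the article's first attempt and a hardened variant.
FIRST_ATTEMPT = {
    "job_name": "web",
    "static_configs": [
        {"targets": ["http://www.weishidong.com/status/format/prometheus"]}
    ],
    "basic_auth": {"username": "weishidong", "password": "example-password"},
}
HARDENED = {
    "job_name": "web",
    "metrics_path": "/status/format/prometheus",
    "scheme": "https",
    "static_configs": [{"targets": ["www.weishidong.com"]}],
    # Hypothetical path; the file should be readable only by the Prometheus user.
    "basic_auth": {"username": "weishidong", "password_file": "/etc/prometheus/web.password"},
}

if __name__ == "__main__":
    for job in (FIRST_ATTEMPT, HARDENED):
        print(audit_scrape_job(job) or "no findings")
```
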



References

[1] Prometheus Configuration: https://prometheus.io/docs/prometheus/latest/configuration/configuration/
[2] Scrape configuration: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config



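This article was first published on the WeChat official account NightTeam: Prometheus scrape configuration pitfalls: monitoring an endpoint protected by a username and password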
