
Metrics endpoint to support TLS

Hello! We’ve some requirements to expose metrics in a TLS endpoint. Simple HttpServer added this constructor in 0.7.0 to allow https server to be passed.

If we add conf to specify keystore and other related configs, we can create an HttpsServer in JavaAgent.

I’ve made it work here - https://github.com/senthilkumarkj/jmx_exporter/pull/1

However, I’m not sure what’s the best way to add the new configs for the server. Currently server related conf (host and port) are part of options itself.

I’ve a couple of proposals.

  1. Add the new configs (such as TLSEnabled, Keystore path, password etc.) in the same config file, separated by the YAML directive --- and with config names prefixed with “server”, like:

         ---
         serverTLSEnabled: true
         serverKeyStorePath: <path>
         serverKeyStorePassword: secret

     But the problem is the config file is parsed in collector only. We may need to parse the same file twice, once in agent and once in collector.

  2. Add a new server config file. This is what I’ve done in my CL. But I need to make sure if the server config isn’t given, agent should still work and shouldn’t complain, to be backward compatible.

Please let me know your thoughts on this. Thanks!

Issue Analytics

  • State:open
  • Created 4 years ago
  • Reactions:8
  • Comments:17 (6 by maintainers)
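
One way to implement the second proposal using only JDK classes, added here as an example and not taken from the linked pull request or from jmx_exporter. The class name `MetricsServerFactory` and the property keys `keyStorePath` and `keyStorePassword` are hypothetical; when no server config is supplied it falls back to plain HTTP, so existing deployments keep working.

```java
import com.sun.net.httpserver.HttpServer;
import com.sun.net.httpserver.HttpsConfigurator;
import com.sun.net.httpserver.HttpsParameters;
import com.sun.net.httpserver.HttpsServer;
import java.io.InputStream;
import java.net.InetSocketAddress;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Properties;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Hypothetical helper: not part of jmx_exporter or the linked pull request.
public final class MetricsServerFactory {
    // serverConfig may be null (no server config file given): plain HTTP, as before.
    public static HttpServer create(InetSocketAddress addr, Properties serverConfig) throws Exception {
        if (serverConfig == null || serverConfig.getProperty("keyStorePath") == null) {
            return HttpServer.create(addr, 0);
        }
        // Hypothetical keys. Keep the password in a file with restricted permissions
        // or a secret store rather than on the JVM command line.
        String path = serverConfig.getProperty("keyStorePath");
        char[] password = serverConfig.getProperty("keyStorePassword", "").toCharArray();
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password); // assumes the key password equals the store password
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        HttpsServer https = HttpsServer.create(addr, 0);
        https.setHttpsConfigurator(new HttpsConfigurator(ctx) {
            @Override
            public void configure(HttpsParameters params) {
                SSLParameters p = getSSLContext().getDefaultSSLParameters();
                p.setProtocols(Arrays.stream(p.getProtocols()) // drop anything older than TLS 1.2
                        .filter(v -> v.equals("TLSv1.2") || v.equals("TLSv1.3"))
                        .toArray(String[]::new));
                params.setSSLParameters(p);
            }
        });
        return https;
    }
}
```

Because `HttpsServer` is a subclass of `HttpServer`, the returned object can be passed wherever the agent currently builds its plain server. This covers transport encryption only, not client authentication.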

Top GitHub Comments

4 reactions
al-bar commented, Dec 10, 2020

Hi all, I’d like to add to this discussion the request to consider adding also authentication to TLS support. The only solution I’ve found at the moment to fulfill the requirement to encrypt and authenticate the exposed metrics is to add a proxy in front of the jmx_exporter http interface to authenticate and add TLS, but I definitely need a lighter solution.

1 reaction
dhoard commented, Jul 20, 2022

@suyuyi Currently, using a reverse proxy with TLS/SSL is required. I have worked on some of the initial work for the feature, but I’m currently focused on other things, so haven’t revisited it.
