You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@apisix.apache.org by Zexuan Luo <sp...@apache.org> on 2021/04/01 10:29:49 UTC
Export Prometheus metrics in a new address
Currently, the Prometheus metrics are exported via the data panel's port.
It means the metrics can be accessed from the public internet by default.
Although we can configure some rules to block it, this behavior is not
safe by default.
Therefore we need to provide a new address to export the metrics.
My suggestion is to export the metrics in "127.0.0.1:9091". The
configuration is like that:
```
prometheus:
export_uri: /apisix/prometheus/metrics
export_address:
ip: "127.0.0.1"
port: 9091
```
If people comment out the `export_address` field, the metrics will be
exported like before.
If people do nothing, the metrics will be exported in a new address,
which is a break change but avoids security risk.
Re: Export Prometheus metrics in a new address
Posted by YuanSheng Wang <me...@apache.org>.
+1 for this too
On Sat, Apr 3, 2021 at 2:59 PM Sheng Wu <wu...@gmail.com> wrote:
> SkyWalking tracer has its own configuration about target.
>
> Chao Zhang <zc...@gmail.com>于2021年4月3日 周六上午11:28写道:
>
> > Are there any other types of data that also should be kept sensitive
> > like Prometheus metrics?
> > If so, we may have a generic way to protect them? If not, the current
> > implementation looks good to me.
> >
> --
> Sheng Wu 吴晟
>
> Apache SkyWalking
> Apache Incubator
> Apache ShardingSphere, ECharts, DolphinScheduler podlings
> Zipkin
> Twitter, wusheng1108
>
--
*MembPhis*
My GitHub: https://github.com/membphis
Apache APISIX: https://github.com/apache/apisix
Re: Export Prometheus metrics in a new address
Posted by Sheng Wu <wu...@gmail.com>.
SkyWalking tracer has its own configuration about target.
Chao Zhang <zc...@gmail.com>于2021年4月3日 周六上午11:28写道:
> Are there any other types of data that also should be kept sensitive
> like Prometheus metrics?
> If so, we may have a generic way to protect them? If not, the current
> implementation looks good to me.
>
--
Sheng Wu 吴晟
Apache SkyWalking
Apache Incubator
Apache ShardingSphere, ECharts, DolphinScheduler podlings
Zipkin
Twitter, wusheng1108
Re: Export Prometheus metrics in a new address
Posted by Chao Zhang <zc...@gmail.com>.
Are there any other types of data that also should be kept sensitive
like Prometheus metrics?
If so, we may have a generic way to protect them? If not, the current
implementation looks good to me.
Re: Export Prometheus metrics in a new address
Posted by Zhiyuan Ju <ju...@apache.org>.
Got it, +1
Ming Wen <we...@apache.org>于2021年4月1日 周四下午6:32写道:
> +1 for this.
>
> Thanks,
> Ming Wen, Apache APISIX PMC Chair
> Twitter: _WenMing
>
>
> Zexuan Luo <sp...@apache.org> 于2021年4月1日周四 下午6:30写道:
>
> > Currently, the Prometheus metrics are exported via the data panel's port.
> >
> > It means the metrics can be accessed from the public internet by default.
> >
> > Although we can configure some rules to block it, this behavior is not
> > safe by default.
> >
> > Therefore we need to provide a new address to export the metrics.
> >
> > My suggestion is to export the metrics in "127.0.0.1:9091". The
> > configuration is like that:
> >
> > ```
> > prometheus:
> > export_uri: /apisix/prometheus/metrics
> > export_address:
> > ip: "127.0.0.1"
> > port: 9091
> > ```
> >
> > If people comment out the `export_address` field, the metrics will be
> > exported like before.
> >
> > If people do nothing, the metrics will be exported in a new address,
> > which is a break change but avoids security risk.
> >
>
--
来自 琚致远
Re: Export Prometheus metrics in a new address
Posted by Ming Wen <we...@apache.org>.
+1 for this.
Thanks,
Ming Wen, Apache APISIX PMC Chair
Twitter: _WenMing
Zexuan Luo <sp...@apache.org> 于2021年4月1日周四 下午6:30写道:
> Currently, the Prometheus metrics are exported via the data panel's port.
>
> It means the metrics can be accessed from the public internet by default.
>
> Although we can configure some rules to block it, this behavior is not
> safe by default.
>
> Therefore we need to provide a new address to export the metrics.
>
> My suggestion is to export the metrics in "127.0.0.1:9091". The
> configuration is like that:
>
> ```
> prometheus:
> export_uri: /apisix/prometheus/metrics
> export_address:
> ip: "127.0.0.1"
> port: 9091
> ```
>
> If people comment out the `export_address` field, the metrics will be
> exported like before.
>
> If people do nothing, the metrics will be exported in a new address,
> which is a break change but avoids security risk.
>
Re: Export Prometheus metrics in a new address
Posted by Sheng Wu <wu...@gmail.com>.
+1 make sense to me
Zexuan Luo <sp...@apache.org>于2021年4月1日 周四下午6:30写道:
> Currently, the Prometheus metrics are exported via the data panel's port.
>
> It means the metrics can be accessed from the public internet by default.
>
> Although we can configure some rules to block it, this behavior is not
> safe by default.
>
> Therefore we need to provide a new address to export the metrics.
>
> My suggestion is to export the metrics in "127.0.0.1:9091". The
> configuration is like that:
>
> ```
> prometheus:
> export_uri: /apisix/prometheus/metrics
> export_address:
> ip: "127.0.0.1"
> port: 9091
> ```
>
> If people comment out the `export_address` field, the metrics will be
> exported like before.
>
> If people do nothing, the metrics will be exported in a new address,
> which is a break change but avoids security risk.
>
--
Sheng Wu 吴晟
Apache SkyWalking
Apache Incubator
Apache ShardingSphere, ECharts, DolphinScheduler podlings
Zipkin
Twitter, wusheng1108