Posted to dev@apisix.apache.org by Zexuan Luo <sp...@apache.org> on 2021/04/01 10:29:49 UTC

Export Prometheus metrics in a new address

Currently, the Prometheus metrics are exported via the data panel's port.

It means the metrics can be accessed from the public internet by default.

Although we can configure some rules to block it, this behavior is not
safe by default.

Therefore we need to provide a new address to export the metrics.

My suggestion is to export the metrics on "127.0.0.1:9091". The
configuration looks like this:

```
  prometheus:
    export_uri: /apisix/prometheus/metrics
    export_address:
      ip: "127.0.0.1"
      port: 9091
```

If people comment out the `export_address` field, the metrics will be
exported like before.

If people do nothing, the metrics will be exported on a new address,
which is a breaking change but avoids a security risk.
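
The configuration states described in the message above (field present with a loopback address, field commented out, field pointing at another address) can be checked mechanically before a config is rolled out. The following Python sketch is an added example, not part of the original post and not APISIX code; `classify_metrics_export`, its verdict labels and the sample configurations are hypothetical, and it takes the already-parsed `prometheus:` mapping using the field names from the proposal.

```python
import ipaddress

def classify_metrics_export(prometheus_cfg):
    """Return (verdict, detail) for a parsed `prometheus:` mapping (a dict).

    Field names (export_uri, export_address.ip/.port) follow the proposal;
    the verdict strings are hypothetical labels chosen for this example.
    """
    uri = prometheus_cfg.get("export_uri", "")
    if "export_address" not in prometheus_cfg:
        # Field commented out: metrics are exported "like before",
        # i.e. on the same port that serves traffic.
        return "shared-with-traffic-port", uri
    addr = prometheus_cfg["export_address"]
    try:
        ip = ipaddress.ip_address(str(addr["ip"]))
        port = int(addr["port"])
        if not 0 < port < 65536:
            raise ValueError(f"port {port} out of range")
    except (KeyError, TypeError, ValueError) as exc:
        # Not a literal IP/port pair, so this check cannot judge it.
        return "unclassified", f"cannot parse export_address: {exc}"
    host = f"[{ip}]" if ip.version == 6 else str(ip)
    detail = f"{host}:{port}{uri}"
    if ip.is_loopback:        # 127.0.0.0/8 or ::1: local scrapers only
        return "loopback-only", detail
    if ip.is_unspecified:     # 0.0.0.0 or :: binds every interface
        return "all-interfaces", detail
    return "single-interface", detail

# Constructed sample configurations (not taken from a real deployment).
URI = "/apisix/prometheus/metrics"
SAMPLES = {
    "proposed default": {"export_uri": URI,
                         "export_address": {"ip": "127.0.0.1", "port": 9091}},
    "field commented out": {"export_uri": URI},
    "wildcard bind": {"export_uri": URI,
                      "export_address": {"ip": "0.0.0.0", "port": 9091}},
    "hostname instead of IP": {"export_uri": URI,
                               "export_address": {"ip": "localhost", "port": 9091}},
}

if __name__ == "__main__":
    for name, cfg in SAMPLES.items():
        print(f"{name:24} -> {classify_metrics_export(cfg)}")
```

A deployment check would treat anything other than `loopback-only` as needing an explicit decision, since the other states leave the metrics reachable beyond the local host or on the traffic port.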

Re: Export Prometheus metrics in a new address

Posted by YuanSheng Wang <me...@apache.org>.
+1 for this too



On Sat, Apr 3, 2021 at 2:59 PM Sheng Wu <wu...@gmail.com> wrote:

> SkyWalking tracer has its own configuration about target.
>
> On Sat, Apr 3, 2021 at 11:28 AM Chao Zhang <zc...@gmail.com> wrote:
>
> > Are there any other types of data that also should be kept sensitive
> > like Prometheus metrics?
> > If so, we may have a generic way to protect them? If not, the current
> > implementation looks good to me.
> >
> --
> Sheng Wu 吴晟
>
> Apache SkyWalking
> Apache Incubator
> Apache ShardingSphere, ECharts, DolphinScheduler podlings
> Zipkin
> Twitter, wusheng1108
>


-- 

*MembPhis*
My GitHub: https://github.com/membphis
Apache APISIX: https://github.com/apache/apisix

Re: Export Prometheus metrics in a new address

Posted by Sheng Wu <wu...@gmail.com>.
SkyWalking tracer has its own configuration about target.

On Sat, Apr 3, 2021 at 11:28 AM Chao Zhang <zc...@gmail.com> wrote:

> Are there any other types of data that also should be kept sensitive
> like Prometheus metrics?
> If so, we may have a generic way to protect them? If not, the current
> implementation looks good to me.
>
-- 
Sheng Wu 吴晟

Apache SkyWalking
Apache Incubator
Apache ShardingSphere, ECharts, DolphinScheduler podlings
Zipkin
Twitter, wusheng1108

Re: Export Prometheus metrics in a new address

Posted by Chao Zhang <zc...@gmail.com>.
Are there any other types of data that also should be kept sensitive
like Prometheus metrics?
If so, we may have a generic way to protect them? If not, the current
implementation looks good to me.

Re: Export Prometheus metrics in a new address

Posted by Zhiyuan Ju <ju...@apache.org>.
Got it, +1

On Thu, Apr 1, 2021 at 6:32 PM Ming Wen <we...@apache.org> wrote:

> +1 for this.
>
> Thanks,
> Ming Wen, Apache APISIX PMC Chair
> Twitter: _WenMing
>
>
> On Thu, Apr 1, 2021 at 6:30 PM Zexuan Luo <sp...@apache.org> wrote:
>
> > Currently, the Prometheus metrics are exported via the data panel's port.
> >
> > It means the metrics can be accessed from the public internet by default.
> >
> > Although we can configure some rules to block it, this behavior is not
> > safe by default.
> >
> > Therefore we need to provide a new address to export the metrics.
> >
> > My suggestion is to export the metrics on "127.0.0.1:9091". The
> > configuration looks like this:
> >
> > ```
> >   prometheus:
> >     export_uri: /apisix/prometheus/metrics
> >     export_address:
> >       ip: "127.0.0.1"
> >       port: 9091
> > ```
> >
> > If people comment out the `export_address` field, the metrics will be
> > exported like before.
> >
> > If people do nothing, the metrics will be exported on a new address,
> > which is a breaking change but avoids a security risk.
> >
>
-- 
From 琚致远

Re: Export Prometheus metrics in a new address

Posted by Ming Wen <we...@apache.org>.
+1 for this.

Thanks,
Ming Wen, Apache APISIX PMC Chair
Twitter: _WenMing


On Thu, Apr 1, 2021 at 6:30 PM Zexuan Luo <sp...@apache.org> wrote:

> Currently, the Prometheus metrics are exported via the data panel's port.
>
> It means the metrics can be accessed from the public internet by default.
>
> Although we can configure some rules to block it, this behavior is not
> safe by default.
>
> Therefore we need to provide a new address to export the metrics.
>
> My suggestion is to export the metrics on "127.0.0.1:9091". The
> configuration looks like this:
>
> ```
>   prometheus:
>     export_uri: /apisix/prometheus/metrics
>     export_address:
>       ip: "127.0.0.1"
>       port: 9091
> ```
>
> If people comment out the `export_address` field, the metrics will be
> exported like before.
>
> If people do nothing, the metrics will be exported on a new address,
> which is a breaking change but avoids a security risk.
>

Re: Export Prometheus metrics in a new address

Posted by Sheng Wu <wu...@gmail.com>.
+1, makes sense to me

On Thu, Apr 1, 2021 at 6:30 PM Zexuan Luo <sp...@apache.org> wrote:

> Currently, the Prometheus metrics are exported via the data panel's port.
>
> It means the metrics can be accessed from the public internet by default.
>
> Although we can configure some rules to block it, this behavior is not
> safe by default.
>
> Therefore we need to provide a new address to export the metrics.
>
> My suggestion is to export the metrics on "127.0.0.1:9091". The
> configuration looks like this:
>
> ```
>   prometheus:
>     export_uri: /apisix/prometheus/metrics
>     export_address:
>       ip: "127.0.0.1"
>       port: 9091
> ```
>
> If people comment out the `export_address` field, the metrics will be
> exported like before.
>
> If people do nothing, the metrics will be exported on a new address,
> which is a breaking change but avoids a security risk.
>
-- 
Sheng Wu 吴晟

Apache SkyWalking
Apache Incubator
Apache ShardingSphere, ECharts, DolphinScheduler podlings
Zipkin
Twitter, wusheng1108