
I put the Prometheus server behind an nginx reverse proxy and the Prometheus web page began to open by domain; everything is OK. But I can also open the Prometheus web page by specifying the server IP directly. How can I make the Prometheus web page accessible only by domain, but not by IP address? Here is my nginx config.

upstream @prometheus {
    server 127.0.0.1:9090;
}

server {
    listen 80;
    listen [::]:80;
    server_name my-domain.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
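    # Each listen socket needs its own "ssl" flag; without it the IPv6
    # socket on 443 would speak plain HTTP.
    listen [::]:443 ssl http2;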
    server_name my-domain.com;

    ssl_certificate         /etc/ssl/certs/ssl-cert-cf.pem;
    ssl_certificate_key     /etc/ssl/private/ssl-key-cf.pem;

    location / {
        gzip_types *;
        proxy_pass         http://@prometheus;
        proxy_set_header   Host               $host;
        proxy_set_header   X-Real-IP          $remote_addr;
        proxy_set_header   X-Forwarded-For    $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Host   $host:443;
        proxy_set_header   X-Forwarded-Server $host;
        proxy_set_header   X-Forwarded-Port   443;
        proxy_set_header   X-Forwarded-Proto  $scheme;
    }
}

Here is my prometheus.yml

global:
  scrape_interval:     15s # By default, scrape targets every 15 seconds.
  evaluation_interval: 15s # By default, scrape targets every 15 seconds.
  # scrape_timeout is set to the global default (10s).

  # Attach these labels to any time series or alerts when communicating with
  # external systems (federation, remote storage, Alertmanager).
  external_labels:
      monitor: 'example'

# Load and evaluate rules in this file every 'evaluation_interval' seconds.
rule_files:
  # - "first.rules"
  # - "second.rules"

# A scrape configuration containing exactly one endpoint to scrape: 
# Here it's Prometheus itself.
scrape_configs:
  # The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.
  - job_name: 'prometheus'

    # Override the global default and scrape targets from this job every 5 seconds.
    scrape_interval: 5s
    scrape_timeout: 10s

    # metrics_path defaults to '/metrics'
    # scheme defaults to 'http'.

    target_groups:
      - targets: ['localhost:9090']

  - job_name: node
    # If prometheus-node-exporter is installed, grab stats about the local
    # machine by default.
    target_groups:
      - targets: ['localhost:9100']
Zhiskar

1 Answer


Did you start prometheus with the web.listen-address parameter?

./node_exporter --web.listen-address 127.0.0.1:8080

Another way to go would be with a firewall where you only allow ports 80/443 and 22 (for SSH if you need it).

Nabero
Thanks a lot. Your answer helped me find a correct solution for my case. https://stackoverflow.com/a/59523208/5691643 – Zhiskar Jul 02 '21 at 17:45
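
A way to verify the answer's suggestion, as an added example that is not part of the original question or answer: the function below reads `ss -ltn` output and reports any listener on the backend ports from the question's configs (9090, 9100) that is not bound to loopback. The function name, variable names and sample `ss` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag backend listeners that are reachable from outside the
# host. Input is `ss -ltn` output; column 4 is "local-address:port".

# Ports taken from the question: Prometheus (9090) and node exporter (9100).
BACKEND_PORTS="9090 9100"

# exposed_listeners (hypothetical helper): read `ss -ltn` lines on stdin and
# print "address:port" for each backend port not bound to loopback.
exposed_listeners() {
    awk -v ports="$BACKEND_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            local_addr = $4
            port = local_addr; sub(/^.*:/, "", port)      # text after the last colon
            addr = local_addr; sub(/:[^:]*$/, "", addr)   # text before the last colon
            if (!(port in want)) next
            # 127.0.0.0/8 and [::1] are loopback. "*", 0.0.0.0, [::] and any
            # interface address accept connections from the network.
            if (addr ~ /^127\./ || addr == "[::1]") next
            print local_addr
        }'
}

# Constructed sample: Prometheus on all interfaces, node exporter on loopback,
# nginx on 443 (not a backend port, so it is ignored).
SAMPLE_BEFORE='LISTEN 0 4096         *:9090       *:*
LISTEN 0 4096 127.0.0.1:9100 0.0.0.0:*
LISTEN 0 511    0.0.0.0:443  0.0.0.0:*'

# Constructed sample: Prometheus restarted with web.listen-address set to
# 127.0.0.1:9090, so only nginx is reachable from outside.
SAMPLE_AFTER='LISTEN 0 4096 127.0.0.1:9090 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:9100 0.0.0.0:*
LISTEN 0 511    0.0.0.0:443  0.0.0.0:*'

# On a live host: ss -ltn | exposed_listeners
```

Empty output means both backends are reachable only through the nginx proxy on the same host.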