
We have installed the InfluxDB time series database and we would like to restrict users from accessing /metrics, /debug/pprof/all and several other sensitive URLs which don't require login.

Can someone please suggest how we can restrict them, apart from the actual DB monitoring UI running by default on port 8086?

RSSAH

1 Answer


In InfluxDB V1.x, you could try to update these configurations:

  pprof-enabled = true
  pprof-auth-enabled = false
  debug-pprof-enabled = false

More details could be found here.

In InfluxDB V2.X (the link you shared indicates that you are probably using V2.X), you could try the following config options for controlling when the pprof endpoint is enabled:

pprof-disabled: true
metrics-disabled: true

See more details here.

To be safe, you could also limit access to those URLs to ::1/127.0.0.1 in Nginx:

# suppose you have InfluxDB UI endpoint as below
location /influxdb2/ {
    proxy_pass http://localhost:8086;
}

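# restrict each sensitive path to local clients only
location /influxdb2/metrics {
    allow 127.0.0.1;
    allow ::1;
    deny all;
    proxy_pass http://localhost:8086/metrics;
}

location /influxdb2/debug/pprof/all {
    allow 127.0.0.1;
    allow ::1;
    deny all;
    proxy_pass http://localhost:8086/debug/pprof/all;
}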

# some other urls restrictions

Munin
  • Thanks Munin. But I want to know where the file to limit access to those URLs is present. I feel like there could be other URLs which cannot be turned off simply by setting false. So do you have any idea? – RSSAH Jul 07 '23 at 07:46
  • That's why I present you the Nginx solution. Nginx could be used as a proxy or filter to intercept that HTTP traffic. – Munin Jul 07 '23 at 08:08
  • I'll check how I can use Nginx to intercept InfluxDB UI server. As of now, no idea. – RSSAH Jul 07 '23 at 10:33
  • Okay. One more doubt. How can we provide those config options inside influxdb conf file if we have influxdb version 2? I mean I am using docker image so I am not able to find influxdb conf file inside the container of it. Any help? – RSSAH Jul 07 '23 at 12:07
  • Regarding the Nginx, you could try the doc: https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/ and https://docs.nginx.com/nginx/admin-guide/security-controls/controlling-access-proxied-tcp/ – Munin Jul 10 '23 at 05:53
  • In InfluxDB v2, "To customize the directory path of the configuration file, set the INFLUXD_CONFIG_PATH environment variable to your custom path." according to the doc: https://docs.influxdata.com/influxdb/v2.0/reference/config-options/#influxdb-configuration-file – Munin Jul 10 '23 at 05:55
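
A check to run after applying the settings discussed above, added here as an example and not code from the question, the answer or InfluxDB: it requests the paths named in the question without credentials and lists those that still answer 2xx. The helper names (`probe`, `exposed`, `start_stub`) and the stub listener are constructed for illustration.

```python
import http.server
import threading
import urllib.error
import urllib.request

# Paths named in the question; extend with any others you restrict.
SENSITIVE_PATHS = ["/metrics", "/debug/pprof/all"]

# Ignore proxy environment variables so the request goes straight to the target.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def probe(base_url, paths=SENSITIVE_PATHS, timeout=3):
    """GET each path without credentials; return {path: status or None}."""
    results = {}
    for path in paths:
        try:
            with _opener.open(base_url.rstrip("/") + path, timeout=timeout) as resp:
                results[path] = resp.status
        except urllib.error.HTTPError as err:   # 401/403/404 and similar
            results[path] = err.code
        except OSError:                         # refused, timed out, DNS failure
            results[path] = None
    return results

def exposed(results):
    """Paths that returned 2xx to an unauthenticated request."""
    return sorted(p for p, s in results.items() if s is not None and 200 <= s < 300)

def start_stub(open_paths):
    """Constructed stand-in listener: 200 on open_paths, 403 on everything else."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(200 if self.path in open_paths else 403)
            self.end_headers()
        def log_message(self, *args):           # keep the demo output quiet
            pass
    server = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]

if __name__ == "__main__":
    for label, open_paths in (("before", set(SENSITIVE_PATHS)), ("after", set())):
        server, url = start_stub(open_paths)
        print(label, "->", exposed(probe(url)) or "nothing exposed")
        server.shutdown()
```

Because the Nginx rule in the answer allows 127.0.0.1 and ::1, run `probe` from a different host against the proxied URL, and against port 8086 directly if that port is reachable from other hosts.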