In this sandbox, HAProxy acts as a reverse proxy for Prometheus, enforcing both TLS encryption and basic auth. All Prometheus endpoints are available behind https://example.com/prometheus. The expression browser, for example, is available at https://example.com/prometheus/graph.
To access Prometheus in this sandbox, two username/password combos are possible:
admin1/password1andadmin2/password2.
To start the sandbox:
# In the foreground
make run # docker-compose up --build
# In detached mode
make run-detached # docker-compose up --build --detachThis will start up an haproxy container and a prometheus container.
The haproxy container is available on localhost port 443 but the example will only work if you map localhost to example.com. You can do so by modifying your /etc/hosts file to include a line like this:
127.0.0.1 localhost example.com
As HAProxy enforces both TLS encryption and basic auth, this will result in a self-signed certificate error:
curl https://example.com/prometheus/metricsIf you disable cert checking using --insecure/-k you'll get a 401 Unauthorized error:
curl -ik https://example.com/prometheus/graphYou'll need to supply an valid username and password to access Prometheus through the proxy:
curl -ik -u admin1:password1 https://example.com/prometheus/metricsOpen up https://admin1:password1@example.com/prometheus/graph to access the Prometheus expression browser.
| Folder | Assets |
|---|---|
certs |
An SSL cert and key generated by OpenSSL |
haproxy |
An haproxy.cfg configuration file |
prometheus |
A prometheus.yml configuration file for Prometheus |
The haproxy cert was created using these commands:
openssl req -newkey rsa:4096 -nodes -keyout certs/key.pem -x509 -out certs/certificate.pem \
-subj "/C=US/ST=OR/L=Portland/O=CNCF/OU=Developer advocacy/CN=example.com"
cat certs/{certificate,key}.pem > certs/cert.pem
rm certs/{certificate,key}.pemThe hashed passwords in haproxy.cfg were created using these commands:
mkpasswd -m sha-512 password1
mkpasswd -m sha-512 password2