
I am trying to close a port with basic authentication (for Pushgateway of Prometheus). I am not a big specialist in nginx, so could someone please give me an advice on where I am wrong?

I have port 9091, which should be closed from outside, in front of auth. This port is in use by pushgateway.

My current nginx config:

events { }
http {
    upstream prometheus {
        server 127.0.0.1:9090;
        keepalive 64;
    }

    upstream pushgateway {
        server 127.0.0.1:9091;
        keepalive 64;
    }

    server {
        root /var/www/example;
        listen 0.0.0.0:80;
        server_name __;
        location / {
            auth_basic "Prometheus server authentication2";
            auth_basic_user_file /etc/nginx/.htpasswd;
            proxy_pass http://prometheus;
        }
    }

    server {
        root /var/www/example;
        listen 0.0.0.0:3001;
        server_name __;
        location / {
            auth_basic "Pushgateway server authentication";
            auth_basic_user_file /etc/nginx/.htpasswd;
            proxy_pass http://pushgateway;
        }
    }
}

So basic authentication works fine for :3001, but 9091 is still open. I tried to change it the next way:

server {
    root /var/www/example;
    listen 0.0.0.0:3001;
    listen 0.0.0.0:9091;
    server_name __;
    location / {
        auth_basic "Pushgateway server authentication";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass http://pushgateway;
    }
}

And it works fine, but ... pushgateway can't start, as it is trying to listen on :9091 and throwing "bind: address is already in use". How can I avoid it and hide pushgateway in front of nginx?

Pushgateway's config:

ExecStart=/usr/local/bin/pushgateway --web.listen-address=":9091" --web.telemetry-path="/metrics"  --persistence.file="/tmp/metric.store"  --persistence.interval=5m --log.level="info" --log.format="logger:stdout?json=true"
Nigrimmist

1 Answer

Your current nginx configuration is good for this purpose.

You need to change your Pushgateway configuration so that it listens to 127.0.0.1 instead of 0.0.0.0.

If you cannot find that, then you need to add a firewall rule that blocks traffic to the port from WAN side.

Tero Kilkanen
  • Thanks for the suggestion. It was what I tried first: ExecStart=/usr/local/bin/pushgateway --web.listen-address="127.0.0.1:9091" --web.telemetry-path="/metrics" --persistence.file="/tmp/metric.store" --persistence.interval=5m --log.level="info" --log.format="logger:stdout?json=true", the issue is the same. – Nigrimmist Feb 17 '22 at 20:44
  • What does `ss -lnpt | grep gateway` show? – Tero Kilkanen Feb 17 '22 at 20:50
  • This is with the nginx `listen 9091` line commented out: https://i.imgur.com/nA71xlt.png; with it listening, it shows nothing, as pushgateway can't start: https://i.imgur.com/2AMCyFs.png – Nigrimmist Feb 17 '22 at 20:58
  • You must not have the second configuration snippet in your question. nginx must not listen to that port. – Tero Kilkanen Feb 17 '22 at 21:59
  • OK, but what do I need to do to make this port not accessible from public access? – Nigrimmist Feb 17 '22 at 22:02
  • I have already told you what to do. You use only the first part of the configuration in your question, and then configure Pushgateway to listen to only `127.0.0.1:9091`. This way, only Pushgateway is listening to port 9091, and since it is bound to localhost, it is not available externally. – Tero Kilkanen Feb 17 '22 at 22:12
  • Yeap... you are totally right. Looks like when I tested 127.0.0.1:9091 I did not restart the service correctly. Rebooting the whole node fixed it. Thank you a lot, man. – Nigrimmist Feb 17 '22 at 22:19
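The answer and the comment thread come down to one verifiable condition: after switching Pushgateway to `--web.listen-address="127.0.0.1:9091"` and restarting it, the only socket on port 9091 must be bound to loopback, which is what `ss -lnpt` shows. The script below is an added example, not part of the question or answer, that turns that check into a reusable function. It parses the `ss -lnpt` column layout (State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port, Process) and lists every listener on a given port that is not bound to 127.0.0.1 or [::1]. The two `ss` outputs embedded in it are constructed samples representing the "before" and "after" states described in the thread; on a real host, pipe `ss -lnpt` into the function instead.

```shell
#!/bin/sh
# Added example (not from the question or answer): report listeners on a port
# that are reachable from outside, based on `ss -lnpt` output.

# Constructed sample: Pushgateway started with --web.listen-address=":9091"
# (binds every interface, both IPv4 and IPv6), plus nginx on port 80.
SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:9091        0.0.0.0:*         users:(("pushgateway",pid=1234,fd=3))
LISTEN 0      4096   [::]:9091           [::]:*            users:(("pushgateway",pid=1234,fd=4))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=99,fd=6))'

# Constructed sample: the same host after --web.listen-address="127.0.0.1:9091"
# and a proper restart of the service.
SAMPLE_FIXED='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:9091      0.0.0.0:*         users:(("pushgateway",pid=1234,fd=3))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=99,fd=6))'

# exposed_listeners PORT
# Reads `ss -lnpt` output on stdin and prints, one per line, the local
# address:port of every LISTEN socket on PORT that is not bound to loopback.
# Prints nothing when PORT is loopback-only. Always returns 0 so it is safe
# inside command substitution under `set -e`.
exposed_listeners() {
    port="$1"
    while read -r state recvq sendq laddrport peer process; do
        [ "$state" = "LISTEN" ] || continue        # skips the header line
        lport="${laddrport##*:}"                   # text after the last ':'
        laddr="${laddrport%:*}"                    # text before the last ':'
        [ "$lport" = "$port" ] || continue
        case "$laddr" in
            127.0.0.1|'[::1]') ;;                  # loopback only: fine
            *) printf '%s\n' "$laddrport" ;;       # wildcard or public address
        esac
    done
    return 0
}

# loopback_only PORT
# Returns 0 if no exposed listener exists on PORT in the stdin input, else 1.
loopback_only() {
    out=$(exposed_listeners "$1")
    [ -z "$out" ]
}

# Stand-alone demonstration on the constructed samples.
echo "Exposed listeners on 9091 before the fix:"
printf '%s\n' "$SAMPLE_EXPOSED" | exposed_listeners 9091
if printf '%s\n' "$SAMPLE_FIXED" | loopback_only 9091; then
    echo "After the fix: 9091 is loopback-only"
fi
```

On the real host the call is `ss -lnpt | sh -c '. ./check.sh; loopback_only 9091'` (or source the file and pipe `ss -lnpt` into `exposed_listeners 9091`). If the address still shows 0.0.0.0 after editing the unit, the service has not actually picked up the new `ExecStart`, which is exactly what happened in the thread: run `systemctl daemon-reload` and `systemctl restart` on the unit before rechecking. Port 80 on 0.0.0.0 is expected here, since that is the nginx front door that enforces `auth_basic`; only the backend ports (9090, 9091) need to be loopback-only, and the answer's firewall fallback (dropping inbound TCP 9091 on non-loopback interfaces) covers the case where a service cannot be told to bind to 127.0.0.1.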