Securing Prometheus API and UI endpoints using TLS encryption
Let’s say that you want to run a Prometheus instance behind an nginx server available at the example.com domain (which you own), and for all Prometheus endpoints to be available under the /prometheus path. The full URL for Prometheus’ /metrics endpoint would thus be:

https://example.com/prometheus/metrics
Let’s also say that you’ve generated the following using OpenSSL or an analogous tool:
- an SSL certificate at /root/certs/example.com/example.com.crt
- the matching private key at /root/certs/example.com/example.com.key

You can generate a self-signed certificate and key with:

mkdir -p /root/certs/example.com && cd /root/certs/example.com
openssl req \
  -x509 \
  -newkey rsa:4096 \
  -nodes \
  -days 365 \
  -addext "subjectAltName=DNS:example.com" \
  -keyout example.com.key \
  -out example.com.crt

Fill out the appropriate information at the prompts, and make sure to enter example.com at the Common Name prompt. Three details matter here: -keyout writes the private key that nginx needs, and -nodes leaves it unencrypted so nginx can load it at startup without a passphrase (keep it readable only by root, for example with chmod 600); -days 365 replaces openssl’s 30-day default validity; and the subjectAltName extension is what browsers actually check, since they ignore a bare Common Name (-addext needs OpenSSL 1.1.1 or newer; older releases have to set the extension through a config file instead).
Below is an example nginx.conf configuration file. With this configuration, nginx will:
- enforce TLS encryption using your provided certificate and key
- proxy all connections to the /prometheus endpoint to a Prometheus server running on the same host (while removing the /prometheus prefix from the URL)
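An nginx.conf that does this, written here as an added example rather than the guide’s own file. The certificate and key paths are the ones generated above; 127.0.0.1:9090 is Prometheus’ default listen address; the port-80 redirect and the ssl_protocols line go beyond what the list above describes and are there to make TLS mandatory rather than merely available.

```nginx
events {}

http {
  # Redirect plain HTTP to HTTPS so the API is never reachable in the clear.
  server {
    listen      80;
    server_name example.com;
    return 301 https://$host$request_uri;
  }

  server {
    listen              443 ssl;
    server_name         example.com;
    ssl_certificate     /root/certs/example.com/example.com.crt;
    ssl_certificate_key /root/certs/example.com/example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # The trailing slashes matter: a request for /prometheus/metrics is
    # forwarded as /metrics. With "location /prometheus" (no slash) nginx
    # would forward it as //metrics.
    location /prometheus/ {
      proxy_pass         http://127.0.0.1:9090/;
      proxy_set_header   Host              $host;
      proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
      proxy_set_header   X-Forwarded-Proto https;
    }
  }
}
```

Validate the file with nginx -t -c /path/to/nginx.conf before starting nginx. Note what this configuration does and does not give you: TLS at the proxy encrypts traffic and lets clients verify they are talking to your server, but it does not authenticate clients, so anyone who can reach port 443 can still query the Prometheus API.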
Start nginx with that configuration (the path below is where Homebrew installs nginx on macOS; Linux distribution packages usually use /etc/nginx/nginx.conf):

sudo nginx -c /usr/local/etc/nginx/nginx.conf
When running Prometheus behind the nginx proxy, you’ll need to set the external URL (the --web.external-url flag) to https://example.com/prometheus, so that the links Prometheus generates carry the proxy’s scheme, host and /prometheus prefix, and the route prefix (--web.route-prefix) to /. The second setting is needed because the route prefix defaults to the path of the external URL, which would make Prometheus expect requests under /prometheus locally, whereas nginx has already stripped that prefix before forwarding.
If you’d like to test out the nginx proxy locally using the example.com domain, you can add an entry to your /etc/hosts file that resolves example.com to localhost:

127.0.0.1 example.com
You can connect to the nginx server without specifying certs using curl’s --insecure (-k) flag. Bear in mind what -k does: it disables certificate verification entirely, so a successful request proves only that something on port 443 speaks TLS, not that it presented the certificate you generated or that the name on it matches. For a check that verifies your self-signed certificate as a trusted CA and enforces hostname matching, pass --cacert /root/certs/example.com/example.com.crt instead; this works together with the /etc/hosts entry because the name in the certificate, example.com, is the name in the URL. Never leave -k in scripts or automation that talks to the proxy.
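The certificate and proxy checks above, as an added example script that is not part of the original guide. It generates the certificate non-interactively with the subjectAltName set, confirms that a certificate file names the host and has not expired, and fetches a URL through the proxy trusting only that certificate. The directory, host name and URL are parameters you supply; check_proxy assumes nginx is running and the /etc/hosts entry is in place.

```shell
# Added example (not from the original guide): helpers for generating and
# checking the self-signed certificate and for exercising the nginx proxy.
set -eu

# Generate a self-signed certificate and unencrypted key for host $2 in
# directory $1 without prompts. -subj supplies the Common Name and -addext
# the subjectAltName that browsers require (OpenSSL 1.1.1 or newer).
gen_cert() {
  local dir="$1" name="$2"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:4096 -nodes -days 365 \
    -subj "/CN=${name}" \
    -addext "subjectAltName=DNS:${name}" \
    -keyout "${dir}/${name}.key" \
    -out "${dir}/${name}.crt" 2>/dev/null
  # The key is unencrypted so nginx can load it at startup; keep it private.
  chmod 600 "${dir}/${name}.key"
}

# Succeed only if certificate $1 carries a DNS subjectAltName for $2 and has
# not expired. Run this before pointing nginx at the file.
cert_matches() {
  local crt="$1" name="$2" text
  text=$(openssl x509 -in "$crt" -noout -text)
  # Match the name as a whole SAN entry (followed by a comma or end of line).
  printf '%s\n' "$text" | grep -Eq "DNS:${name}(,|\$)" || return 1
  # -checkend 0 exits non-zero if the certificate is already expired.
  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null
}

# Fetch $2 through the proxy, trusting only certificate $1. curl verifies the
# chain and the host name, so this fails if nginx serves the wrong
# certificate; -k would hide exactly that failure. Prints the HTTP status.
check_proxy() {
  local crt="$1" url="$2"
  curl --silent --show-error --fail --cacert "$crt" \
    -o /dev/null -w '%{http_code}\n' "$url"
}

# Typical use (the check_proxy step needs a live proxy):
#   gen_cert /root/certs/example.com example.com
#   cert_matches /root/certs/example.com/example.com.crt example.com
#   check_proxy /root/certs/example.com/example.com.crt \
#     https://example.com/prometheus/metrics
```

cert_matches is deliberately strict about the name: a certificate for example.com does not satisfy a check for prometheus.example.com, which is the same rule a browser or curl applies when it verifies the host name.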