Securing Prometheus API and UI endpoints using TLS encryption

    NOTE: Although TLS connections to Prometheus instances are not supported, TLS is supported for connections from Prometheus instances to scrape targets.

    Let’s say that you want to run a Prometheus instance behind an nginx server available at the example.com domain (which you own), and for all Prometheus endpoints to be available under the /prometheus path. The full URL for Prometheus’ /metrics endpoint would thus be:

    Let’s also say that you’ve generated the following using OpenSSL or an analogous tool:

    • an SSL certificate at /root/certs/example.com/example.com.crt
    • the matching private key at /root/certs/example.com/example.com.key

    Both can be produced in one step with a self-signed certificate:

    mkdir -p /root/certs/example.com && cd /root/certs/example.com
    openssl req \
      -x509 \
      -newkey rsa:4096 \
      -nodes \
      -keyout example.com.key \
      -out example.com.crt
    # -x509 emits a self-signed certificate instead of a CSR; with no -days
    # option it is valid for OpenSSL's default of 30 days.
    # -nodes leaves the private key unencrypted so nginx can load it
    # without a passphrase; keep the key readable only by root.

    Fill out the appropriate information at the prompts, and make sure to enter example.com at the Common Name prompt.

    Below is an example configuration file. With this configuration, nginx will:

    • enforce TLS encryption using your provided certificate and key
    • proxy all connections under the /prometheus path to a Prometheus server running on the same host (stripping the /prometheus prefix from the URL before forwarding)
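    The following nginx configuration implements those two points. It is an added example, not the configuration file from the original guide; it assumes Prometheus listens on its default address 127.0.0.1:9090, and it additionally redirects plain HTTP on port 80 to HTTPS, which goes slightly beyond the two bullets.

```nginx
# Added example: nginx terminates TLS for example.com and proxies
# /prometheus/* to a Prometheus server on the same host.
# Assumes Prometheus listens on its default 127.0.0.1:9090.
events {}

http {
    # Redirect plaintext requests to the TLS listener so that no API
    # call or UI session is ever served unencrypted.
    server {
        listen 80;
        server_name example.com;
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl;
        server_name example.com;

        # Certificate and key generated with the openssl command above.
        ssl_certificate     /root/certs/example.com/example.com.crt;
        ssl_certificate_key /root/certs/example.com/example.com.key;

        # Accept only current protocol versions.
        ssl_protocols TLSv1.2 TLSv1.3;

        # A bare /prometheus would not match the prefix-stripping rule
        # below, so send it to the canonical form with a trailing slash.
        location = /prometheus {
            return 301 /prometheus/;
        }

        # Because proxy_pass carries a URI part ("/"), nginx replaces the
        # matched "/prometheus/" prefix with "/", so /prometheus/metrics
        # reaches Prometheus as /metrics. This is why Prometheus' route
        # prefix must stay "/" while its external URL carries /prometheus.
        location /prometheus/ {
            proxy_pass http://127.0.0.1:9090/;
            proxy_set_header Host              $host;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}
```

    Prometheus is then started with --web.external-url=https://example.com/prometheus and --web.route-prefix=/ so that the links it generates carry the public prefix while its handlers remain mounted at the root.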

    Start nginx as root (since nginx will need to bind to port 443):

    sudo nginx -c /usr/local/etc/nginx/nginx.conf

    When running Prometheus behind the nginx proxy, you’ll need to set the external URL to https://example.com/prometheus and the route prefix to /:

    If you’d like to test out the nginx proxy locally using the example.com domain, you can add an entry to your /etc/hosts file that re-routes example.com to localhost:

    127.0.0.1 example.com

    You can then use cURL to interact with your local nginx/Prometheus setup: