add authorization header option for metrics http endpoint

2026-01-23 02:34:58 +00:00 · 2021-04-09 19:06:51 +02:00 · 2021-04-09 19:06:51 +02:00 · 986c3e5fa2
commit 986c3e5fa2
parent a985e0afec
4 changed files with 13 additions and 11 deletions
--- a/compose/config/edumeet-server-config.js
+++ b/compose/config/edumeet-server-config.js
@ -503,7 +503,8 @@ module.exports =
 		port       : 8889, // allocated port
 		quiet      : false, // include fewer labels
 		// aggregated metrics options
-		period     : 15 // update period (seconds)
+		period     : 15, // update period (seconds)
+		secret     : null // if set, checks the authorization header: `Bearer <secret>`
 	}
 	
 };
--- a/compose/config/prometheus.yml
+++ b/compose/config/prometheus.yml
@ -14,23 +14,17 @@ rule_files:
 # - "first.rules"
 # - "second.rules"

-# A scrape configuration containing exactly one endpoint to scrape:
-# Here it's Prometheus itself.
 scrape_configs:
-# The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.
 - job_name: 'prometheus'
  scrape_interval: 15s
-  # metrics_path defaults to '/metrics'
-  # scheme defaults to 'http'.
  static_configs:
-  - targets: ['localhost:9090','node-exporter:9100','edumeet:8889']
+  - targets: ['localhost:9090','node-exporter:9100']
 - job_name: 'edumeet'
  scrape_interval: 15s
  metrics_path: /metrics
  scheme: http
-  #basic_auth:
-  #  username: <string>
-  #  password: <secret>
-  #  password_file: <string>
+  # authorization:
+  #   type: Bearer
+  #   credentials: "prometheus-secret"
  static_configs:
  - targets: ['edumeet:8889']
--- a/server/config/config.example.js
+++ b/server/config/config.example.js
@ -473,6 +473,7 @@ module.exports =
 		quiet      : false // include fewer labels
 		// aggregated metrics options
 		period     : 15 // update period (seconds)
+		secret     : null // if set, checks the authorization header: `Bearer <secret>`
 	}
 	*/
 };
--- a/server/lib/promExporter.js
+++ b/server/lib/promExporter.js
@ -51,6 +51,12 @@ module.exports = async function(rooms, peers, config)
 		app.get('/metrics', async (req, res) =>
 		{
 			logger.debug(`GET ${req.originalUrl}`);
+
+			if (config.secret && req.headers.authorization !== 'Bearer ' + config.secret)
+			{
+				logger.error(`Invalid authorization header`);
+				return res.status(401).end();
+			}
 		
 			res.set('Content-Type', registerAggregated.contentType);
 			const data = await registerAggregated.metrics();