
Expose metrics using https #359

Open
milap-form3 opened this issue Oct 27, 2023 · 3 comments

Comments

@milap-form3

Is your feature request related to a problem? Please describe.
The /metrics endpoint exposed is only serving via http which is not within compliance and we require the traffic to be encrypted using https.

Describe the solution you'd like
Be able to enable https from configuration. We could add configuration options like:

namespace "cluster_ingress_proxy" {
  listen {
    port = 4040
    protocol = "https"
    ssl-server-cert = "/path/to/tls.crt"
    ssl-server-key = "/path/to/tls.key"
  }
}

Describe alternatives you've considered
There is not much of an alternative unless we add something proxying the https connection.

Additional context


jsabater commented Oct 9, 2024

I was looking for this feature as well. I have all my exporters connected via TLS and this is the exception. I think that adding scheme (default http) and cert and key inside the listen block would be a way to go, but there could also be the option to use the classic web.yml file other exporters use.

Example from my Node Exporter on the same LXC as my NGINX:

# Prometheus Node Exporter configuration
# See: https://prometheus.io/docs/prometheus/latest/configuration/https/

# Allow TLS connections
tls_server_config:
  cert_file: /etc/ssl/certs/domain.com.crt
  key_file: /etc/ssl/private/domain.com.key
  min_version: TLS12

# Enable HTTP/2 support
http_server_config:
  http2: true

@roberto-jobet-g2m

@jsabater

What do you mean by "adding scheme (default http) and cert and key inside the listen block"?
In which config file?
Can you give an example related to the nginx log exporter?


jsabater commented Nov 2, 2024

Hi, @roberto-jobet-g2m. At the moment I have the configuration file /etc/prometheus-nginxlog-exporter.hcl in the LXC running my NGINX server with the following content:

listen {
  port = 4040
  address = "0.0.0.0"
  metrics_endpoint = "/metrics"
}

namespace "default" {
  # Main (combined) log format
  format = "$remote_addr - $remote_user [$time_local] \"$request\" $status $body_bytes_sent \"$http_referer\" \"$http_user_agent\" \"$http_x_forwarded_for\""

  source = {
    files = [
      "/var/log/nginx/access.log"
    ]
  }

  labels {
    format="combined"
    service_name = "nginx"
    environment = "production"
  }

  metrics_override = { prefix = "" }
  namespace_label = "vhost"
}

namespace "myapp.domain.com" {
  # APM log format
  format = "$remote_addr - $remote_user [$time_local] \"$request\" $request_length $request_time $status $bytes_sent $body_bytes_sent $sent_http_content_type \"$http_referer\" \"$http_user_agent\" \"$http_x_forwarded_for\" $upstream_addr $upstream_status $upstream_cache_status $upstream_response_time $upstream_connect_time $upstream_header_time $gzip_ratio $ssl_protocol $ssl_cipher $ssl_curve $ssl_early_data $request_id $request_method"

  source = {
    files = [
      "/var/log/nginx/myapp.domain.com.apm.log"
    ]
  }

  labels {
    format="apm"
    service_name = "myapp"
    environment = "production"
  }

  metrics_override = { prefix = "" }
  namespace_label = "vhost"
}

# [..]
}

My proposal, in line with what @milap-form3 suggested, would be to allow the listen block/dictionary to have the TLS details for an encrypted connection. An example would be:

listen {
  port = 4040
  address = "0.0.0.0"
  metrics_endpoint = "/metrics"
  scheme = "https"
  cert = "/etc/ssl/certs/domain.com.crt"
  key = "/etc/ssl/private/domain.com.key"
}

Moreover, when I provided the other example, I was talking about the usual web configuration /etc/prometheus/web.yml file of Prometheus and its exporters, in YAML format (which would have to be located elsewhere, such as /etc/prometheus/nginxlog_exporter.yml):

# Prometheus Node Exporter configuration
# See: https://prometheus.io/docs/prometheus/latest/configuration/https/

# Allow TLS connections
tls_server_config:
  cert_file: /etc/ssl/certs/domain.com.crt
  key_file: /etc/ssl/private/domain.com.key
  min_version: TLS12

# Enable HTTP/2 support
http_server_config:
  http2: true

Either would do. I suppose the first option would be easier to implement, of course.

Thanks.
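As an added example (not the exporter's own code), here is how a Go metrics server could honour the scheme/cert/key listen keys proposed in this thread: default to http only when scheme is empty, refuse https without a key pair so a misconfiguration fails at startup rather than silently serving plaintext, and pin TLS 1.2 as the floor, the same policy the web.yml above expresses with min_version: TLS12. The key names and certificate paths are assumptions taken from the proposal, not the exporter's real schema.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
)
// ListenConfig mirrors the proposed listen block; scheme/cert/key are hypothetical keys from this thread, not the exporter's schema.
type ListenConfig struct {
	Address, MetricsEndpoint string
	Port                     int
	Scheme                   string // "http" (default) or "https"
	Cert, Key                string // PEM cert/key paths, required for https
}
// Validate applies the http default and rejects https without a key pair: fail at startup, never silently serve plaintext.
func (c *ListenConfig) Validate() error {
	if c.Scheme == "" {
		c.Scheme = "http"
	}
	if c.Scheme == "https" && (c.Cert == "" || c.Key == "") {
		return fmt.Errorf("scheme https requires both cert and key")
	}
	if c.Scheme != "http" && c.Scheme != "https" {
		return fmt.Errorf("unsupported scheme %q", c.Scheme)
	}
	return nil
}
// NewServer builds the metrics server; for https it pins TLS 1.2 as the floor (what the web.yml above calls min_version: TLS12).
func NewServer(c ListenConfig, metrics http.Handler) (*http.Server, error) {
	if err := c.Validate(); err != nil {
		return nil, err
	}
	mux := http.NewServeMux()
	mux.Handle(c.MetricsEndpoint, metrics)
	srv := &http.Server{Addr: fmt.Sprintf("%s:%d", c.Address, c.Port), Handler: mux}
	if c.Scheme == "https" {
		srv.TLSConfig = &tls.Config{MinVersion: tls.VersionTLS12}
	}
	return srv, nil
}
func main() {
	cfg := ListenConfig{Address: "0.0.0.0", Port: 4040, MetricsEndpoint: "/metrics", Scheme: "https", Cert: "/etc/ssl/certs/domain.com.crt", Key: "/etc/ssl/private/domain.com.key"}
	// Constructed placeholder handler; the exporter would register its Prometheus handler here.
	srv, err := NewServer(cfg, http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprintln(w, "# metrics") }))
	if err == nil { // ListenAndServeTLS loads cert/key at start: a missing file is a hard error, never a plaintext fallback
		err = srv.ListenAndServeTLS(cfg.Cert, cfg.Key)
	}
	fmt.Println(err)
}
```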
