Basic Auth for the exporter_exporter binary itself

[drpixel972]

Hello,

I think that exporter_exporter binary should provide basic authentication support. Coupled with tls config, it will help to better secure the unsecured exporter that exist still without relying to apache or nginx. That said, to serve the unsecured exporter via exporter_exporter is more secure than the exporter itself, but I believe that the authentication may add a stronger security.

Best Regards, Christophe

[britcey]

Note that you can require client certs to secure access to exporter_exporter, which is more secure than basic auth.

e.g.,

-web.tls.ca=/etc/prometheus/ssl/Prometheus_CA.crt -web.tls.verify -web.tls.certmatch=^prometheus$

would require a client cert with the cn of 'prometheus', signed by the specified CA.

[drpixel972]

Oh great, thank you for the tip. I'll give it a look. Indeed this settings is more secure than basic auth. Best regards, Christophe

[drpixel972]

Hello, I've fully test the client certificate verification. It works great so no need to add the basic authentication, except for easy to setup security. The choice is yours :-) Best Regards, Christophe