QubitProducts / exporter_exporter

A reverse proxy designed for Prometheus exporters
Apache License 2.0

http without any restriction is always open #82

Closed lausser closed 2 years ago

lausser commented 2 years ago

Hi, I am running the exporter with this command line:

EXTERNAL_IP=$(curl -s ifconfig.me)
cajetan/bin/exporter_exporter \
  --config.file  /home/mon/cajetan/etc/exporter_exporter/expexp.yml \
  --log.level debug \
  --web.tls.cert cajetan/etc/exporter_exporter/prom_node_cert.pem \
  --web.tls.key cajetan/etc/exporter_exporter/prom_node_key.pem \
  --web.tls.ca cajetan/etc/exporter_exporter/prometheus_cert.pem \
  --web.tls.listen-address ${EXTERNAL_IP}:9999 \
  --web.listen-address ${EXTERNAL_IP}:1234 \
  --web.tls.verify \
  --web.tls.certmatch=^prometheus$

HTTPS is fine:

OMD[cajetan@admin]:~$ curl --cert ~/clients/Debian/20/x86_64/etc/exporter_exporter/prometheus_cert.pem \
     --key ~/etc/prometheus/ssl/prometheus_key.pem \
    --cacert ~/clients/Debian/20/x86_64/etc/exporter_exporter/prom_node_cert.pem \
    --resolve prom_node:9999:11.203.192.54 -vvv https://prom_node:9999/metrics
...
# HELP build_info A metric with a constant '1' value labeled by version, revision, branch and goversion from which exporter_exporter was built.
# TYPE build_info gauge
build_info{branch="",goversion="go1.17",revision="",version="0.4.5"} 1

Using any other certificate/key fails as expected:

OMD[cajetan@admin]:~$ curl --cert /tmp/prometheus_cert.pem \
    --key /tmp/prometheus_key.pem \
    --cacert ~/clients/Debian/20/x86_64/etc/exporter_exporter/prom_node_cert.pem \
    --resolve prom_node:9999:11.203.192.54 \
    -vvv https://prom_node:9999/metrics
...
* TLSv1.3 (IN), TLS alert, bad certificate (554):
* OpenSSL SSL_read: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate, errno 0
* Closing connection 0

But: the http-port is still wide open for everybody:

OMD[cajetan@admin]:~$ curl http://11.203.192.54:1234/metrics
# HELP build_info A metric with a constant '1' value labeled by version, revision, branch and goversion from which exporter_exporter was built.
# TYPE build_info gauge
build_info{branch="",goversion="go1.17",revision="",version="0.4.5"} 1
...

I don't see a way to close the http port. If I leave out --web.listen-address, then it opens the default port 9999. The only way to block the http access is a firewall rule. Am I missing something here?

tcolgate commented 2 years ago

--web.listen-address="" should do what you want; it depends a bit on the shell or config format you are using to run the exporter, but setting that to an empty string disables the listener.
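A defender-side check for the fix above (an added example, not code from exporter_exporter or from this thread): it probes whether the plaintext listener still answers GET /metrics and whether the TLS listener serves metrics to a client that presents no certificate, which is what --web.tls.verify should prevent. Host names, ports and the sample metrics body are constructed; the TLS probe needs the CA file and a host name matching the server certificate, just like the curl --resolve calls earlier in the issue.

```python
import socket, ssl, threading
from http.server import BaseHTTPRequestHandler, HTTPServer

SAMPLE_METRICS = b'build_info{version="0.4.5"} 1\n'  # constructed stand-in for a scrape body

def _get_status_line(sock, host):
    """Send a minimal GET /metrics on a connected socket and return the HTTP status line."""
    sock.sendall(b"GET /metrics HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
    return sock.recv(64).split(b"\r\n", 1)[0]

def plaintext_metrics_exposed(host, port, timeout=2.0):
    """True when GET /metrics over plain HTTP answers 200: the listener is still open."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return b" 200 " in _get_status_line(s, host)
    except OSError:  # refused or timed out: nothing is listening there
        return False

def tls_serves_without_client_cert(host, port, cafile, timeout=2.0):
    """True when the TLS listener serves /metrics to a client that presents no certificate."""
    ctx = ssl.create_default_context(cafile=cafile)  # deliberately loads no client cert
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=host) as tls:
            return b" 200 " in _get_status_line(tls, host)
    except (ssl.SSLError, OSError):  # SSLError: server alerted 'bad certificate' on first read
        return False

class _MetricsHandler(BaseHTTPRequestHandler):
    """Throwaway plain-HTTP 'exporter' used only by the self-contained demo below."""
    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(SAMPLE_METRICS)

    def log_message(self, *args):
        pass  # keep the demo quiet

def demo_plaintext_probe():
    """Probe a local listener while it runs and after it is closed: expect (True, False)."""
    srv = HTTPServer(("127.0.0.1", 0), _MetricsHandler)
    port = srv.server_address[1]
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        while_running = plaintext_metrics_exposed("127.0.0.1", port)
    finally:
        srv.shutdown()
        srv.server_close()
    return while_running, plaintext_metrics_exposed("127.0.0.1", port)
```

Against a real instance, run plaintext_metrics_exposed on the old --web.listen-address port (expect False once it is set to "") and tls_serves_without_client_cert on the --web.tls.listen-address port with your CA file (expect False while --web.tls.verify is on).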

lausser commented 2 years ago

Thank you, that did the trick!