Add ip restriction for the prometheus_client output

Sometimes you want to protect the exported /metrics path from the prometheus_client. It was already possible to secure it with a password. This patch adds the option to allow only defined CIDR ranges to access the /metrics.
influxdata · Jul 17, 2018 · dcc7d1c · dcc7d1c
1 parent 3218ed7
commit dcc7d1c
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 2 deletions.
diff --git a/etc/telegraf.conf b/etc/telegraf.conf
@@ -747,6 +747,9 @@
 #   #basic_username = "Foo"
 #   #basic_password = "Bar"
 #
+#   ## IP Ranges which are allowed to access metrics
+#   #ip_range = ["192.168.0.0/24", "192.168.1.0/30"]
+#
 #   ## Interval to expire metrics and not deliver to prometheus, 0 == no expiration
 #   # expiration_interval = "60s"
 #

diff --git a/plugins/outputs/prometheus_client/README.md b/plugins/outputs/prometheus_client/README.md
@@ -18,6 +18,9 @@ This plugin starts a [Prometheus](https://prometheus.io/) Client, it exposes all
   basic_username = "Foo"
   basic_password = "Bar"
 
+  # IP Ranges which are allowed to access metrics
+  ip_range = ["192.168.0.0/24", "192.168.1.0/30"]
+
   # Path to publish the metrics on, defaults to /metrics
   path = "/metrics"   
 

diff --git a/plugins/outputs/prometheus_client/prometheus_client.go b/plugins/outputs/prometheus_client/prometheus_client.go
@@ -5,6 +5,7 @@ import (
 	"crypto/subtle"
 	"fmt"
 	"log"
+	"net"
 	"net/http"
 	"os"
 	"regexp"
@@ -58,6 +59,7 @@ type PrometheusClient struct {
 	TLSKey             string            `toml:"tls_key"`
 	BasicUsername      string            `toml:"basic_username"`
 	BasicPassword      string            `toml:"basic_password"`
+	IPRange            []string          `toml:"ip_range"`
 	ExpirationInterval internal.Duration `toml:"expiration_interval"`
 	Path               string            `toml:"path"`
 	CollectorsExclude  []string          `toml:"collectors_exclude"`
@@ -84,6 +86,9 @@ var sampleConfig = `
   #basic_username = "Foo"
   #basic_password = "Bar"
 
+  ## IP Ranges which are allowed to access metrics
+  #ip_range = ["192.168.0.0/24", "192.168.1.0/30"]
+
   ## Interval to expire metrics and not deliver to prometheus, 0 == no expiration
   # expiration_interval = "60s"
 
@@ -96,7 +101,7 @@ var sampleConfig = `
   string_as_label = true
 `
 
-func (p *PrometheusClient) basicAuth(h http.Handler) http.Handler {
+func (p *PrometheusClient) auth(h http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if p.BasicUsername != "" && p.BasicPassword != "" {
 			w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
@@ -110,6 +115,21 @@ func (p *PrometheusClient) basicAuth(h http.Handler) http.Handler {
 			}
 		}
 
+		matched := false
+		remoteIPs, _, _ := net.SplitHostPort(r.RemoteAddr)
+		remoteIP := net.ParseIP(remoteIPs)
+	        for _, iprange := range p.IPRange {
+			_, ipNet, _ := net.ParseCIDR(iprange)
+			if ipNet.Contains(remoteIP) {
+				matched = true
+				break
+			}
+		}
+		if (len(p.IPRange) > 0 && !matched) {
+			http.Error(w, "Not authorized", 401)
+			return
+		}
+
 		h.ServeHTTP(w, r)
 	})
 }
@@ -146,7 +166,7 @@ func (p *PrometheusClient) Start() error {
 	}
 
 	mux := http.NewServeMux()
-	mux.Handle(p.Path, p.basicAuth(promhttp.HandlerFor(
+	mux.Handle(p.Path, p.auth(promhttp.HandlerFor(
 		registry, promhttp.HandlerOpts{ErrorHandling: promhttp.ContinueOnError})))
 
 	p.server = &http.Server{