Block public access to raw grafana metrics

[chef.git] / cookbooks / prometheus / templates / default / apache.erb

# DO NOT EDIT - This file is being maintained by Prometheus

<VirtualHost *:80>
        ServerName prometheus.openstreetmap.org
        ServerAlias prometheus.osm.org
        ServerAdmin webmaster@openstreetmap.org

        CustomLog /var/log/apache2/prometheus.openstreetmap.org-access.log combined_extended
        ErrorLog /var/log/apache2/prometheus.openstreetmap.org-error.log

        RedirectPermanent /.well-known/acme-challenge/ http://acme.openstreetmap.org/.well-known/acme-challenge/
        Redirect permanent / https://prometheus.openstreetmap.org/
</VirtualHost>

<VirtualHost *:443>
        ServerName prometheus.openstreetmap.org
        ServerAdmin webmaster@openstreetmap.org

        CustomLog /var/log/apache2/prometheus.openstreetmap.org-access.log combined_extended
        ErrorLog /var/log/apache2/prometheus.openstreetmap.org-error.log

        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/prometheus.openstreetmap.org.pem
        SSLCertificateKeyFile /etc/ssl/private/prometheus.openstreetmap.org.key

        ProxyPass /prometheus http://localhost:9090/prometheus
        ProxyPass /alertmanager http://localhost:9093/alertmanager
        ProxyPass /karma http://localhost:8081/karma
        ProxyPass /api/live/ws ws://localhost:3000/api/live/ws
        ProxyPass / http://localhost:3000/
        ProxyPreserveHost on

        <Location /prometheus/api/v1/admin>
                Require all denied
        </Location>

        <Location /metrics>
                Require all denied
        </Location>

        <Location /alertmanager>
<% @admin_hosts.each do |host| -%>
                Require ip <%= host %>
<% end -%>
        </Location>

        <Location /karma>
<% @admin_hosts.each do |host| -%>
                Require ip <%= host %>
<% end -%>
        </Location>
</VirtualHost>

<VirtualHost *:80>
  ServerName munin.openstreetmap.org
  ServerAlias munin.osm.org
  ServerAdmin webmaster@openstreetmap.org

  CustomLog /var/log/apache2/munin.openstreetmap.org-access.log combined_extended
  ErrorLog /var/log/apache2/munin.openstreetmap.org-error.log

  RedirectPermanent /.well-known/acme-challenge/ http://acme.openstreetmap.org/.well-known/acme-challenge/
  Redirect permanent / https://prometheus.openstreetmap.org/
</VirtualHost>

<VirtualHost *:443>
  ServerName munin.openstreetmap.org
  ServerAlias munin.osm.org
  ServerAdmin webmaster@openstreetmap.org

  CustomLog /var/log/apache2/munin.openstreetmap.org-access.log combined_extended
  ErrorLog /var/log/apache2/munin.openstreetmap.org-error.log

  SSLEngine on
  SSLCertificateFile /etc/ssl/certs/prometheus.openstreetmap.org.pem
  SSLCertificateKeyFile /etc/ssl/private/prometheus.openstreetmap.org.key

  Redirect permanent / https://prometheus.openstreetmap.org/
</VirtualHost>