Block external access to prometheus admin API

[chef.git] / cookbooks / prometheus / templates / default / apache.erb

diff --git a/cookbooks/prometheus/templates/default/apache.erb b/cookbooks/prometheus/templates/default/apache.erb
index 00760ed436659ccba6466d2d0a53ab1b7ee1ef20..e6290caedeb789ee7296eb2face75c1b4c0e6533 100644 (file)
--- a/cookbooks/prometheus/templates/default/apache.erb
+++ b/cookbooks/prometheus/templates/default/apache.erb
@@ -23,9 +23,24 @@
        SSLCertificateFile /etc/ssl/certs/prometheus.openstreetmap.org.pem
        SSLCertificateKeyFile /etc/ssl/private/prometheus.openstreetmap.org.key
 
+       Redirect 403 /prometheus/api/v1/admin
        ProxyPass /prometheus http://localhost:9090/prometheus
        Redirect 403 /alertmanager/api
        ProxyPass /alertmanager http://localhost:9093/alertmanager
+       ProxyPass /karma http://localhost:8081/karma
+       ProxyPass /api/live/ws ws://localhost:3000/api/live/ws
        ProxyPass / http://localhost:3000/
        ProxyPreserveHost on
+
+       <Location /alertmanager>
+<% @admin_hosts.each do |host| -%>
+               Require ip <%= host %>
+<% end -%>
+       </Location>
+
+       <Location /karma>
+<% @admin_hosts.each do |host| -%>
+               Require ip <%= host %>
+<% end -%>
+       </Location>
 </VirtualHost>