From 0945b464f7c368f8ce2b5db01e5ef9cd8ab58176 Mon Sep 17 00:00:00 2001
From: Tom Hughes <tom@compton.nu>
Date: Thu, 19 Oct 2023 20:47:09 +0100
Subject: [PATCH] Block external access to prometheus admin API

---
 cookbooks/prometheus/templates/default/apache.erb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/cookbooks/prometheus/templates/default/apache.erb b/cookbooks/prometheus/templates/default/apache.erb
index 1dead4474..e6290caed 100644
--- a/cookbooks/prometheus/templates/default/apache.erb
+++ b/cookbooks/prometheus/templates/default/apache.erb
@@ -23,6 +23,7 @@
 	SSLCertificateFile /etc/ssl/certs/prometheus.openstreetmap.org.pem
 	SSLCertificateKeyFile /etc/ssl/private/prometheus.openstreetmap.org.key
 
+	Redirect 403 /prometheus/api/v1/admin
 	ProxyPass /prometheus http://localhost:9090/prometheus
 	Redirect 403 /alertmanager/api
 	ProxyPass /alertmanager http://localhost:9093/alertmanager
-- 
2.45.2