How to secure Prometheus Docker Endpoint after enabling through metrics-addr in daemon.json

[Experiment – NOT Tested]

If you need to access the Docker daemon remotely, you need to enable the TCP socket. Beware that the default setup provides un-encrypted and un-authenticated direct access to the Docker daemon – so it should be secured either

  1. Using the built in HTTPS encrypted socket, or
  2. By putting a secure web proxy in front of it.


Note: If you’re using an HTTPS encrypted socket, keep in mind that only TLS1.0 and greater are supported. Protocols SSLv3 and under are not supported anymore for security reasons.

Method 1 – Protect or Secure the Docker daemon socket
https://docs.docker.com/engine/security/https/
https://docs.docker.com/config/daemon/
https://gist.github.com/kekru/b9e4da822514df93e6fdf2f7d3d90d8a

Method 2 – secure web proxy
One option to help secure the Docker metrics endpoint that Prometheus scrapes is to put it behind a reverse proxy, so that we can later add SSL and an authentication layer over the otherwise unrestricted HTTP interface.

Example of daemon.json (binding metrics-addr to 127.0.0.1 keeps the endpoint reachable only from the host itself, so the proxy becomes the only remote path to it):

{
  "metrics-addr" : "127.0.0.1:9323",
  "experimental" : true
}
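As an added check that is not part of the original post: before putting a proxy in front of the endpoint, it is worth confirming that daemon.json really binds metrics-addr to a loopback address and not to 0.0.0.0, otherwise the unauthenticated listener stays reachable around the proxy. The script below (assumed helper names, constructed sample files) extracts the host part of metrics-addr with sed and flags anything that is not loopback.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the "metrics-addr"
# host in a daemon.json is a loopback address. Assumes the key and value are
# on one line in the form  "metrics-addr" : "host:port".

metrics_addr_of() {
    # Print the metrics-addr value ("host:port") from the given daemon.json.
    sed -n 's/.*"metrics-addr"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

metrics_addr_host() {
    # Drop the trailing ":port"; also works for bracketed IPv6 like "[::1]:9323".
    addr=$(metrics_addr_of "$1")
    printf '%s\n' "${addr%:*}"
}

metrics_addr_is_loopback() {
    # Exit 0 when the metrics-addr host is loopback, 1 otherwise (including unset).
    host=$(metrics_addr_host "$1")
    case "$host" in
        127.0.0.1|localhost|"[::1]") return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample files so the script runs stand-alone.
tmpdir=$(mktemp -d)
cat > "$tmpdir/safe.json" <<'EOF'
{
  "metrics-addr" : "127.0.0.1:9323",
  "experimental" : true
}
EOF
cat > "$tmpdir/exposed.json" <<'EOF'
{
  "metrics-addr" : "0.0.0.0:9323",
  "experimental" : true
}
EOF

for f in "$tmpdir/safe.json" "$tmpdir/exposed.json"; do
    if metrics_addr_is_loopback "$f"; then
        echo "OK   $f binds metrics to $(metrics_addr_host "$f")"
    else
        echo "WARN $f binds metrics to $(metrics_addr_host "$f"): reachable without the proxy"
    fi
done
```

Run it against /etc/docker/daemon.json on the host (replace the constructed sample path) before and after the proxy is in place; a WARN line means the daemon listener itself is exposed on a non-loopback interface.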

We will use Nginx as the reverse proxy.

$ sudo apt install nginx
# cd to the Nginx sites-enabled folder
$ cd /etc/nginx/sites-enabled
# Create a new Nginx configuration for Prometheus
$ sudo nano prometheus

Copy and paste the example below into it:

server {
    # Port 443 is reserved here, but this listener has no TLS yet (no "ssl"
    # flag and no certificate), so traffic stays plain HTTP until TLS is added.
    listen       443;

    location / {
        # Forward to the daemon's metrics listener from daemon.json. 127.0.0.1 is
        # used instead of "localhost", which may resolve to ::1 where nothing listens.
        proxy_pass           http://127.0.0.1:9323/;
    }
}

# Save and restart Nginx
$ sudo service nginx restart
$ sudo service nginx status
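The configuration above only forwards traffic; the SSL and authentication layer it leaves for later is shown here as an added example, not the original post's config. It assumes placeholder paths for the certificate, key and htpasswd file, a placeholder scraper address, and a hostname metrics.example.internal; it also restricts the proxy to the /metrics path so the daemon listener is not exposed wholesale.

```nginx
# Added example, not from the original post: TLS, basic auth and a source
# restriction in front of the Docker metrics listener on 127.0.0.1:9323.
# The certificate, key, htpasswd and allowed-address values are placeholders.

server {
    listen 80;
    server_name metrics.example.internal;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name metrics.example.internal;

    ssl_certificate     /etc/nginx/tls/metrics.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/metrics.key;   # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5;

    # Only the Prometheus scraper's address may reach the endpoint.
    allow 10.0.0.5;      # placeholder: Prometheus server address
    deny  all;

    # Scraper credentials; create the file with:
    #   htpasswd -c /etc/nginx/.htpasswd prometheus
    auth_basic           "Docker metrics";
    auth_basic_user_file /etc/nginx/.htpasswd;

    # Expose only the metrics path, not arbitrary paths on the daemon listener.
    location = /metrics {
        proxy_pass         http://127.0.0.1:9323/metrics;
        proxy_set_header   Host $host;
    }

    location / {
        return 404;
    }
}
```

Check the file with `sudo nginx -t` before restarting. On the Prometheus side the matching scrape job then uses `scheme: https` together with a `basic_auth` block holding the same username and password, and the daemon.json metrics-addr stays on 127.0.0.1 so the only route to port 9323 from outside the host is through this proxy.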
Rajesh Kumar