How to secure Prometheus Docker Endpoint after enabling through metrics-addr in daemon.json

[Experiment – NOT Tested]

If you need to access the Docker daemon remotely, you need to enable the TCP socket. Beware that the default setup provides unencrypted and unauthenticated direct access to the Docker daemon, so it should be secured either:

  1. Using the built-in HTTPS encrypted socket, or
  2. By putting a secure web proxy in front of it.

Note: If you’re using an HTTPS encrypted socket, keep in mind that only TLS 1.0 and greater are supported. SSLv3 and earlier protocols are no longer supported for security reasons.

Method 1 – Protect or Secure the Docker daemon socket
https://docs.docker.com/engine/security/https/
https://docs.docker.com/config/daemon/
https://gist.github.com/kekru/b9e4da822514df93e6fdf2f7d3d90d8a

Method 2 – secure web proxy
One option to help secure our Prometheus server is to put it behind a reverse proxy so that we can later add SSL and an authentication layer over the default unrestricted Prometheus web interface.

Example of daemon.json

We will use Nginx.
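
A sketch of Method 2 applied to the Docker metrics endpoint from the title, added here as an example and not taken from the original post: the daemon's `metrics-addr` is bound to loopback, and Nginx terminates TLS and enforces basic authentication in front of it. The port 9323, the host name, the certificate paths and the htpasswd file are assumptions.

```nginx
# /etc/docker/daemon.json (assumed content, shown here as a comment):
#   { "metrics-addr": "127.0.0.1:9323" }
# Binding to loopback keeps the plain-HTTP metrics endpoint off the network.
# A value such as "0.0.0.0:9323" would serve it to any host that can reach
# the port, with no encryption and no authentication.

server {
    listen 443 ssl;
    server_name metrics.example.internal;             # placeholder host name

    # Placeholder certificate and key paths
    ssl_certificate     /etc/nginx/tls/metrics.crt;
    ssl_certificate_key /etc/nginx/tls/metrics.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Only the metrics path is proxied, and only for authenticated clients
    location = /metrics {
        auth_basic           "Docker metrics";
        auth_basic_user_file /etc/nginx/docker-metrics.htpasswd;  # placeholder
        proxy_pass           http://127.0.0.1:9323/metrics;
    }

    # Everything else on this virtual host is refused
    location / {
        return 404;
    }
}
```

The Prometheus scrape job for this target then needs `scheme: https` and matching `basic_auth` credentials.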

Rajesh Kumar