Basic auth for /metrics endpoint in stats


Based on this article it’s possible to set /metrics to enable prometheus fetch, but it’s not possible to secure it with an auth.

Is there a way to do it ? With stats auth ... the stats page is protected but not /metrics one

Here’s my config for the stats

frontend stats
  mode http
  bind *:9000 ssl crt /usr/local/etc/certs/
  stats enable
  stats auth prometheus:1234
  stats uri /stats
  stats refresh 10s
  stats admin if LOCALHOST
  http-request use-service prometheus-exporter if { path /metrics }

Version: HAProxy version 2.8.3-86e043a, released 2023/09/07

looks like my config for stats page. only thing missing is stats realm

stats realm Haproxy\ Statistics

not sure if this is needed?

It’s needed because I don’t want anybody to access stats page and I would like the same for metrics endpoint

Hey, I figured out how to add authentication to /metrics and ACL to /.

frontend stats
    bind *:8404
    stats enable
    stats uri /
    stats refresh 10s
    http-request auth unless { http_auth(mycredentials) }

   # Add authentication for /metrics
    acl metrics_path path /metrics
    http-request auth realm Metrics if metrics_path { http_auth(mycredentials) }
    http-request use-service prometheus-exporter if { path /metrics }

userlist mycredentials
  user actor   insecure-password actorpassword
1 Like