node_exporter/https/README.md

# HTTPS Package for Prometheus

The `https` directory contains a Go package and a sample configuration file for
running `node_exporter` with HTTPS instead of HTTP. We currently support TLS 1.3
and TLS 1.2.

To run a server with TLS, use the flag `--web.config`.

e.g. `./node_exporter --web.config="web-config.yml"`
If the config is kept within the https directory.

The config file should be written in YAML format, and is reloaded on each connection to check for new certificates and/or authentication policy.

## Sample Config

```
tls_server_config:
  # Certificate and key files for server to use to authenticate to client.
  cert_file: <filename>
  key_file: <filename>

  # Server policy for client authentication. Maps to ClientAuth Policies.
  # For more detail on clientAuth options: [ClientAuthType](https://golang.org/pkg/crypto/tls/#ClientAuthType)
  [ client_auth_type: <string> | default = "NoClientCert" ]

  # CA certificate for client certificate authentication to the server.
  [ client_ca_file: <filename> ]

  # Minimum TLS version that is acceptable.
  [ min_version: <string> | default = "TLS12" ]

  # Maximum TLS version that is acceptable.
  [ max_version: <string> | default = "TLS13" ]

  # List of supported cipher suites for TLS versions up to TLS 1.2. If empty,
  # Go default cipher suites are used. Available cipher suites are documented
  # in the go documentation:
  # https://golang.org/pkg/crypto/tls/#pkg-constants
  [ cipher_suites:
    [ - <string> ] ]

  # prefer_server_cipher_suites controls whether the server selects the
  # client's most preferred ciphersuite, or the server's most preferred
  # ciphersuite. If true then the server's preference, as expressed in
  # the order of elements in cipher_suites, is used.
  [ prefer_server_cipher_suites: <bool> | default = true ]

  # Elliptic curves that will be used in an ECDHE handshake, in preference
  # order. Available curves are documented in the go documentation:
  # https://golang.org/pkg/crypto/tls/#CurveID
  [ curve_preferences:
    [ - <string> ] ]

http_server_config:
  # Enable HTTP/2 support. Note that HTTP/2 is only supported with TLS.
  # This can not be changed on the fly.
  [ http2: <bool> | default = true ]

# Usernames and hashed passwords that have full access to the web
# server via basic authentication. If empty, no basic authentication is
# required. Passwords are hashed with bcrypt.
basic_auth_users:
  [ <string>: <secret> ... ]
```

## About bcrypt

There are several tools out there to generate bcrypt passwords, e.g.
[htpasswd](https://httpd.apache.org/docs/2.4/programs/htpasswd.html):

`htpasswd -nBC 10 "" | tr -d ':\n'`

That command will prompt you for a password and output the hashed password,
which will look something like:
`$2y$10$X0h1gDsPszWURQaxFh.zoubFi6DXncSjhoQNJgRrnGs7EsimhC7zG`

The cost (10 in the example) influences the time it takes for computing the
hash. A higher cost will en up slowing down the authentication process.
Depending on the machine, a cost of 10 will take about ~70ms where a cost of
18 can take up to a few seconds. That hash will be computed on every
password-protected request.
Adding TLS to node exporter - cleaner version (#1277) Add support for https connections. Signed-off-by: ksherryBAE <kieran.sherry@baesystems.com> Signed-off-by: James Ritchie <james.g.ritchie@baesystems.com> Signed-off-by: Simon Pasquier <spasquie@redhat.com> Signed-off-by: Ben RIdley <benridley29@gmail.com> 2019-11-15 23:12:57 +00:00			`# HTTPS Package for Prometheus`

Add tls versions Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu> 2020-04-27 17:19:09 +00:00			The `https` directory contains a Go package and a sample configuration file for
			running `node_exporter` with HTTPS instead of HTTP. We currently support TLS 1.3
			`and TLS 1.2.`

			To run a server with TLS, use the flag `--web.config`.
Adding TLS to node exporter - cleaner version (#1277) Add support for https connections. Signed-off-by: ksherryBAE <kieran.sherry@baesystems.com> Signed-off-by: James Ritchie <james.g.ritchie@baesystems.com> Signed-off-by: Simon Pasquier <spasquie@redhat.com> Signed-off-by: Ben RIdley <benridley29@gmail.com> 2019-11-15 23:12:57 +00:00
			e.g. `./node_exporter --web.config="web-config.yml"`
			`If the config is kept within the https directory.`

			`The config file should be written in YAML format, and is reloaded on each connection to check for new certificates and/or authentication policy.`

Fix typo in README.md Signed-off-by: J0WI <J0WI@users.noreply.github.com> 2020-02-20 22:41:14 +00:00			`## Sample Config`
Make TLS config consistent with Prometheus (#1685) Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu> 2020-04-25 11:42:45 +00:00
Adding TLS to node exporter - cleaner version (#1277) Add support for https connections. Signed-off-by: ksherryBAE <kieran.sherry@baesystems.com> Signed-off-by: James Ritchie <james.g.ritchie@baesystems.com> Signed-off-by: Simon Pasquier <spasquie@redhat.com> Signed-off-by: Ben RIdley <benridley29@gmail.com> 2019-11-15 23:12:57 +00:00			```
tls: enable the selection of more TLS settings (#1695) tls: enable the selection of more TLS settings * Rename `tls_config` to `tls_server_config`. * Add new http server config with HTTP/2 enabled by default. Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu> 2020-05-13 18:26:01 +00:00			`tls_server_config:`
			`# Certificate and key files for server to use to authenticate to client.`
Make TLS config consistent with Prometheus (#1685) Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu> 2020-04-25 11:42:45 +00:00			`cert_file: <filename>`
			`key_file: <filename>`
Adding TLS to node exporter - cleaner version (#1277) Add support for https connections. Signed-off-by: ksherryBAE <kieran.sherry@baesystems.com> Signed-off-by: James Ritchie <james.g.ritchie@baesystems.com> Signed-off-by: Simon Pasquier <spasquie@redhat.com> Signed-off-by: Ben RIdley <benridley29@gmail.com> 2019-11-15 23:12:57 +00:00
tls: enable the selection of more TLS settings (#1695) tls: enable the selection of more TLS settings * Rename `tls_config` to `tls_server_config`. * Add new http server config with HTTP/2 enabled by default. Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu> 2020-05-13 18:26:01 +00:00			`# Server policy for client authentication. Maps to ClientAuth Policies.`
Adding TLS to node exporter - cleaner version (#1277) Add support for https connections. Signed-off-by: ksherryBAE <kieran.sherry@baesystems.com> Signed-off-by: James Ritchie <james.g.ritchie@baesystems.com> Signed-off-by: Simon Pasquier <spasquie@redhat.com> Signed-off-by: Ben RIdley <benridley29@gmail.com> 2019-11-15 23:12:57 +00:00			`# For more detail on clientAuth options: [ClientAuthType](https://golang.org/pkg/crypto/tls/#ClientAuthType)`
Make TLS config consistent with Prometheus (#1685) Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu> 2020-04-25 11:42:45 +00:00			`[ client_auth_type: <string> \| default = "NoClientCert" ]`
Adding TLS to node exporter - cleaner version (#1277) Add support for https connections. Signed-off-by: ksherryBAE <kieran.sherry@baesystems.com> Signed-off-by: James Ritchie <james.g.ritchie@baesystems.com> Signed-off-by: Simon Pasquier <spasquie@redhat.com> Signed-off-by: Ben RIdley <benridley29@gmail.com> 2019-11-15 23:12:57 +00:00
tls: enable the selection of more TLS settings (#1695) tls: enable the selection of more TLS settings * Rename `tls_config` to `tls_server_config`. * Add new http server config with HTTP/2 enabled by default. Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu> 2020-05-13 18:26:01 +00:00			`# CA certificate for client certificate authentication to the server.`
Make TLS config consistent with Prometheus (#1685) Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu> 2020-04-25 11:42:45 +00:00			`[ client_ca_file: <filename> ]`
Add basic authentication (#1683) * Add basic authentication Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu> 2020-05-01 12:26:51 +00:00
tls: enable the selection of more TLS settings (#1695) tls: enable the selection of more TLS settings * Rename `tls_config` to `tls_server_config`. * Add new http server config with HTTP/2 enabled by default. Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu> 2020-05-13 18:26:01 +00:00			`# Minimum TLS version that is acceptable.`
			`[ min_version: <string> \| default = "TLS12" ]`

			`# Maximum TLS version that is acceptable.`
			`[ max_version: <string> \| default = "TLS13" ]`

			`# List of supported cipher suites for TLS versions up to TLS 1.2. If empty,`
			`# Go default cipher suites are used. Available cipher suites are documented`
			`# in the go documentation:`
			`# https://golang.org/pkg/crypto/tls/#pkg-constants`
			`[ cipher_suites:`
			`[ - <string> ] ]`

			`# prefer_server_cipher_suites controls whether the server selects the`
			`# client's most preferred ciphersuite, or the server's most preferred`
			`# ciphersuite. If true then the server's preference, as expressed in`
			`# the order of elements in cipher_suites, is used.`
			`[ prefer_server_cipher_suites: <bool> \| default = true ]`

			`# Elliptic curves that will be used in an ECDHE handshake, in preference`
			`# order. Available curves are documented in the go documentation:`
			`# https://golang.org/pkg/crypto/tls/#CurveID`
			`[ curve_preferences:`
			`[ - <string> ] ]`

			`http_server_config:`
			`# Enable HTTP/2 support. Note that HTTP/2 is only supported with TLS.`
			`# This can not be changed on the fly.`
			`[ http2: <bool> \| default = true ]`

Use our standard config doc format. Signed-off-by: Brian Brazil <brian.brazil@robustperception.io> 2020-05-29 14:56:18 +00:00			`# Usernames and hashed passwords that have full access to the web`
Add basic authentication (#1683) * Add basic authentication Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu> 2020-05-01 12:26:51 +00:00			`# server via basic authentication. If empty, no basic authentication is`
			`# required. Passwords are hashed with bcrypt.`
			`basic_auth_users:`
Use our standard config doc format. Signed-off-by: Brian Brazil <brian.brazil@robustperception.io> 2020-05-29 14:56:18 +00:00			`[ <string>: <secret> ... ]`
Adding TLS to node exporter - cleaner version (#1277) Add support for https connections. Signed-off-by: ksherryBAE <kieran.sherry@baesystems.com> Signed-off-by: James Ritchie <james.g.ritchie@baesystems.com> Signed-off-by: Simon Pasquier <spasquie@redhat.com> Signed-off-by: Ben RIdley <benridley29@gmail.com> 2019-11-15 23:12:57 +00:00			```
Add basic authentication (#1683) * Add basic authentication Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu> 2020-05-01 12:26:51 +00:00
			`## About bcrypt`

			`There are several tools out there to generate bcrypt passwords, e.g.`
			`[htpasswd](https://httpd.apache.org/docs/2.4/programs/htpasswd.html):`

https: Fix htpasswd command Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu> 2020-05-18 10:19:31 +00:00			`htpasswd -nBC 10 "" \| tr -d ':\n'`
Add basic authentication (#1683) * Add basic authentication Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu> 2020-05-01 12:26:51 +00:00
			`That command will prompt you for a password and output the hashed password,`
			`which will look something like:`
			`$2y$10$X0h1gDsPszWURQaxFh.zoubFi6DXncSjhoQNJgRrnGs7EsimhC7zG`

			`The cost (10 in the example) influences the time it takes for computing the`
			`hash. A higher cost will en up slowing down the authentication process.`
			`Depending on the machine, a cost of 10 will take about ~70ms where a cost of`
			`18 can take up to a few seconds. That hash will be computed on every`
			`password-protected request.`