fix: Change metrics endpoint to use https instead of http 8082 to prevent sending BASIC_AUTH in plaintext. (#95)

* [x] I have deployed and tested my changes * [x] I have [updated relevant versions in `abra.sh`](https://docs.coopcloud.tech/maintainers/upgrade/#updating-versions-in-the-abrash) * [x] I have made my environment variable changes [backwards compatible](https://docs.coopcloud.tech/maintainers/upgrade/#backwards-compatible-environment-variable-changes) * [x] I have added a [release note entry](https://docs.coopcloud.tech/maintainers/upgrade/#creating-new-release-notes) This fixes #94 . The monitoring-ng recipe uses this metrics endpoint and is updated to use the secure endpoint with coop-cloud/monitoring-ng#17 Reviewed-on: coop-cloud/traefik#95 Reviewed-by: p4u1 <p4u1@noreply.git.coopcloud.tech> Reviewed-by: decentral1se <decentral1se@noreply.git.coopcloud.tech> Co-authored-by: Danny Groenewegen <mail@dannygroenewegen.nl> Co-committed-by: Danny Groenewegen <mail@dannygroenewegen.nl>
2026-03-21 15:44:35 +00:00
parent 08669fcd60
commit 9a46c85735
5 changed files with 17 additions and 12 deletions
--- a/.env.sample
+++ b/.env.sample
@ -122,8 +122,10 @@ COMPOSE_FILE="compose.yml"

 ## Enable prometheus metrics collection
 ## used used by the coop-cloud monitoring stack
+## BASIC_AUTH should also be enabled
 #COMPOSE_FILE="$COMPOSE_FILE:compose.metrics.yml"
 #METRICS_ENABLED=1
+#METRICS_FQDN=metrics.traefik.example.com

 #####################################################################
 # File provider directory configuration                             #
--- a/compose.metrics.yml
+++ b/compose.metrics.yml
@ -3,7 +3,3 @@ services:
  app:
    environment:
      - METRICS_ENABLED
-    ports:
-      - target: 8082
-        published: 8082
-        mode: host
--- a/file-provider.yml.tmpl
+++ b/file-provider.yml.tmpl
@ -30,6 +30,18 @@ http:
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: "31536000"
+  {{ if eq (env "METRICS_ENABLED") "1" }}
+  routers:
+    traefik-metrics:
+      rule: "Host(`{{ env "METRICS_FQDN" }}`)"
+      entrypoints:
+        - web-secure
+      tls:
+        certResolver: {{ env "LETS_ENCRYPT_ENV" }}
+      middlewares:
+        - basicauth@file
+      service: prometheus@internal
+  {{ end }}

 tls:
  options:
--- a/release/next
+++ b/release/next
@ -0,0 +1 @@
+* The metrics endpoint changed from http on port 8082 to the web-secure endpoint to prevent sending BASIC_AUTH credentials plaintext. If metrics is enabled you need to configure a FQDN for it by setting METRICS_FQDN in your .env. You should also update the scrape config files in prometheus for Traefik metrics from port 8082 to the new FQDN.
--- a/traefik.yml.tmpl
+++ b/traefik.yml.tmpl
@ -94,13 +94,6 @@ entrypoints:
  irc:
    address: ":6697"
  {{- end }}
-  {{- if eq (env "METRICS_ENABLED") "1" }}
-  metrics:
-    address: ":8082"
-    http:
-      middlewares:
-        - basicauth@file
-  {{- end }}
  {{- if eq (env "MATRIX_FEDERATION_ENABLED") "1" }}
  matrix-federation:
    address: ":9001"
@ -122,7 +115,8 @@ ping:
 {{- if eq (env "METRICS_ENABLED") "1" }}
 metrics:
  prometheus:
-    entryPoint: metrics
+    entryPoint: web-secure
+    manualRouting: true
    addRoutersLabels: true
    addServicesLabels: true
 {{- end }}
				`@ -0,0 +1 @@`
				`* The metrics endpoint changed from http on port 8082 to the web-secure endpoint to prevent sending BASIC_AUTH credentials plaintext. If metrics is enabled you need to configure a FQDN for it by setting METRICS_FQDN in your .env. You should also update the scrape config files in prometheus for Traefik metrics from port 8082 to the new FQDN.`