From 9a46c85735701780dc8f0717a4e6cab4969420fc Mon Sep 17 00:00:00 2001
From: Danny Groenewegen
Date: Sat, 21 Mar 2026 15:44:35 +0000
Subject: [PATCH] fix: Change metrics endpoint to use https instead of http 8082 to prevent sending BASIC_AUTH in plaintext. (#95)

* [x] I have deployed and tested my changes
* [x] I have [updated relevant versions in `abra.sh`](https://docs.coopcloud.tech/maintainers/upgrade/#updating-versions-in-the-abrash)
* [x] I have made my environment variable changes [backwards compatible](https://docs.coopcloud.tech/maintainers/upgrade/#backwards-compatible-environment-variable-changes)
* [x] I have added a [release note entry](https://docs.coopcloud.tech/maintainers/upgrade/#creating-new-release-notes)

This fixes #94 .

The monitoring-ng recipe uses this metrics endpoint and is updated to use the secure endpoint with coop-cloud/monitoring-ng#17

Reviewed-on: https://git.coopcloud.tech/coop-cloud/traefik/pulls/95
Reviewed-by: p4u1
Reviewed-by: decentral1se
Co-authored-by: Danny Groenewegen
Co-committed-by: Danny Groenewegen
---
 .env.sample | 2 ++
 compose.metrics.yml | 4 ----
 file-provider.yml.tmpl | 12 ++++++++++++
 release/next | 1 +
 traefik.yml.tmpl | 10 ++--------
 5 files changed, 17 insertions(+), 12 deletions(-)
 create mode 100644 release/next

diff --git a/.env.sample b/.env.sample
index e4398f3..0ac5747 100644
--- a/.env.sample
+++ b/.env.sample
@@ -122,8 +122,10 @@ COMPOSE_FILE="compose.yml"
 ## Enable prometheus metrics collection
 ## used used by the coop-cloud monitoring stack
+## BASIC_AUTH should also be enabled
 #COMPOSE_FILE="$COMPOSE_FILE:compose.metrics.yml"
 #METRICS_ENABLED=1
+#METRICS_FQDN=metrics.traefik.example.com
 #####################################################################
 # File provider directory configuration #
diff --git a/compose.metrics.yml b/compose.metrics.yml
index 864334e..f014fe8 100644
--- a/compose.metrics.yml
+++ b/compose.metrics.yml
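Review bot: The new `## BASIC_AUTH should also be enabled` line understates a hard dependency: the `traefik-metrics` router this commit adds in file-provider.yml.tmpl is guarded by nothing except `basicauth@file`, so `METRICS_ENABLED=1` without basic auth is a misconfiguration rather than an option. As far as I know Traefik refuses a router whose middleware does not exist, so the likely failure mode is a silently non-working scrape rather than an exposed endpoint, but I could not confirm that from these hunks and the comment should not leave it to chance. Suggest `## BASIC_AUTH must be enabled: the metrics router is protected only by basicauth@file`, and, since that router requests a certificate through `LETS_ENCRYPT_ENV`, a second line `## METRICS_FQDN must be a DNS name that resolves to this host so the certificate can be issued`.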
@@ -3,7 +3,3 @@ services:
   app:
     environment:
       - METRICS_ENABLED
-    ports:
-      - target: 8082
-        published: 8082
-        mode: host
diff --git a/file-provider.yml.tmpl b/file-provider.yml.tmpl
index 9eca305..6bab128 100644
--- a/file-provider.yml.tmpl
+++ b/file-provider.yml.tmpl
@@ -30,6 +30,18 @@ http:
       stsIncludeSubdomains: true
       stsPreload: true
       stsSeconds: "31536000"
+  {{ if eq (env "METRICS_ENABLED") "1" }}
+  routers:
+    traefik-metrics:
+      rule: "Host(`{{ env "METRICS_FQDN" }}`)"
+      entrypoints:
+        - web-secure
+      tls:
+        certResolver: {{ env "LETS_ENCRYPT_ENV" }}
+      middlewares:
+        - basicauth@file
+      service: prometheus@internal
+  {{ end }}
 
 tls:
   options:
diff --git a/release/next b/release/next
new file mode 100644
index 0000000..889fe4c
--- /dev/null
+++ b/release/next
@@ -0,0 +1 @@
+* The metrics endpoint changed from http on port 8082 to the web-secure endpoint to prevent sending BASIC_AUTH credentials plaintext. If metrics is enabled you need to configure a FQDN for it by setting METRICS_FQDN in your .env. You should also update the scrape config files in prometheus for Traefik metrics from port 8082 to the new FQDN.
\ No newline at end of file
diff --git a/traefik.yml.tmpl b/traefik.yml.tmpl
index e01b621..d51f7f8 100644
--- a/traefik.yml.tmpl
+++ b/traefik.yml.tmpl
@@ -94,13 +94,6 @@ entrypoints:
   irc:
     address: ":6697"
   {{- end }}
-  {{- if eq (env "METRICS_ENABLED") "1" }}
-  metrics:
-    address: ":8082"
-    http:
-      middlewares:
-        - basicauth@file
-  {{- end }}
   {{- if eq (env "MATRIX_FEDERATION_ENABLED") "1" }}
   matrix-federation:
     address: ":9001"
@@ -122,7 +115,8 @@ ping:
 {{- if eq (env "METRICS_ENABLED") "1" }}
 metrics:
   prometheus:
-    entryPoint: metrics
+    entryPoint: web-secure
+    manualRouting: true
     addRoutersLabels: true
     addServicesLabels: true
 {{- end }}
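Review bot: The `traefik-metrics` router answers to anyone who can reach `web-secure` and sends the right Host header, and `basicauth@file` is its only guard, so a password-guessing attacker against the public TLS port is now the threat model (the old host-mode port 8082 was no less public, so this is not a regression, but it is the moment to add defence in depth). Since the only legitimate client is the Prometheus scraper, I would add an IP allow-list middleware (ipAllowList in Traefik v3, ipWhiteList in v2) with `sourceRange` limited to the scraper's address, defined next to the other middlewares in this file and listed ahead of basic auth: `- metrics-allowlist@file` then `- basicauth@file`. Separately, if `METRICS_FQDN` is unset the rule renders as `Host(``)`, which Traefik will presumably reject and leave the router in error, so guard the block with `{{ if and (eq (env "METRICS_ENABLED") "1") (ne (env "METRICS_FQDN") "") }}` and quote the resolver, `certResolver: "{{ env "LETS_ENCRYPT_ENV" }}"`, so an empty value does not parse as null. Finally, the hunk header places this under `http:`; if the template already has an `http.routers:` key outside this hunk, the added `routers:` is a duplicate key that most YAML parsers resolve last-wins without warning, which I cannot check from here.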
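Review bot: Nothing next to `manualRouting: true` records that the decision about where metrics are exposed, and whether basic auth applies, has moved out of this file: the entrypoint-level `basicauth@file` middleware deleted earlier in this diff is gone, and the protection now lives solely in the `traefik-metrics` router in file-provider.yml.tmpl. If I recall the Traefik documentation correctly, `entryPoint` is ignored once `manualRouting` is set, so `entryPoint: web-secure` reads as the thing that exposes the metrics when it is not. Suggest the comment `# manualRouting: prometheus@internal is reachable only through the traefik-metrics router in file-provider.yml.tmpl, which applies basicauth@file` above `manualRouting: true`, so the next maintainer does not assume this stanza alone is what keeps the endpoint authenticated.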