From e36aaf69a8693a26faaa449fc999a66ec1e04fdc Mon Sep 17 00:00:00 2001 From: Danny Groenewegen Date: Fri, 20 Mar 2026 20:15:17 +0100 Subject: [PATCH] Change metrics endpoint to use https instead of http 8082 to prevent sending BASIC_AUTH in plaintext. --- .env.sample | 2 ++ compose.metrics.yml | 4 ---- file-provider.yml.tmpl | 12 ++++++++++++ release/next | 1 + traefik.yml.tmpl | 10 ++-------- 5 files changed, 17 insertions(+), 12 deletions(-) create mode 100644 release/next diff --git a/.env.sample b/.env.sample index e4398f3..0ac5747 100644 --- a/.env.sample +++ b/.env.sample @@ -122,8 +122,10 @@ COMPOSE_FILE="compose.yml" ## Enable prometheus metrics collection ## used used by the coop-cloud monitoring stack +## BASIC_AUTH should also be enabled #COMPOSE_FILE="$COMPOSE_FILE:compose.metrics.yml" #METRICS_ENABLED=1 +#METRICS_FQDN=metrics.traefik.example.com ##################################################################### # File provider directory configuration # diff --git a/compose.metrics.yml b/compose.metrics.yml index 864334e..f014fe8 100644 --- a/compose.metrics.yml +++ b/compose.metrics.yml @@ -3,7 +3,3 @@ services: app: environment: - METRICS_ENABLED - ports: - - target: 8082 - published: 8082 - mode: host diff --git a/file-provider.yml.tmpl b/file-provider.yml.tmpl index 9eca305..6bab128 100644 --- a/file-provider.yml.tmpl +++ b/file-provider.yml.tmpl @@ -30,6 +30,18 @@ http: stsIncludeSubdomains: true stsPreload: true stsSeconds: "31536000" + {{ if eq (env "METRICS_ENABLED") "1" }} + routers: + traefik-metrics: + rule: "Host(`{{ env "METRICS_FQDN" }}`)" + entrypoints: + - web-secure + tls: + certResolver: {{ env "LETS_ENCRYPT_ENV" }} + middlewares: + - basicauth@file + service: prometheus@internal + {{ end }} tls: options: diff --git a/release/next b/release/next new file mode 100644 index 0000000..889fe4c --- /dev/null +++ b/release/next 
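Review bot: `## BASIC_AUTH should also be enabled` understates the dependency introduced by this commit: the new `traefik-metrics` router in file-provider.yml.tmpl references `basicauth@file` unconditionally, so if that middleware is only rendered when BASIC_AUTH is set (not visible in this patch), enabling metrics without it presumably produces a router that fails to load rather than an unprotected one. Wording it as a requirement avoids that surprise: `## BASIC_AUTH must also be enabled (the metrics router requires the basicauth middleware)`. The sample also leaves `#METRICS_FQDN` as a commented example while the release note calls it mandatory when metrics are enabled; a line such as `## required when METRICS_ENABLED=1` next to it would make that explicit.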
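Review bot: `certResolver: {{ env "LETS_ENCRYPT_ENV" }}` and the `Host(...)` rule take their values from the environment unquoted and unguarded, so an unset LETS_ENCRYPT_ENV renders `certResolver:` as a YAML null and an unset METRICS_FQDN renders an empty Host rule; either is rejected by Traefik only when the dynamic configuration is loaded, not when the template is rendered. Quoting the resolver, `certResolver: "{{ env "LETS_ENCRYPT_ENV" }}"`, and widening the guard to `{{ if and (eq (env "METRICS_ENABLED") "1") (ne (env "METRICS_FQDN") "") }}` keeps a half-configured deployment from shipping a broken router. The enclosing `http:` mapping starts above the hunk, so it cannot be checked here whether it already carries a `routers:` key, which this addition would silently duplicate (last key wins in most YAML parsers); if it does, the router belongs under that existing key. As a style point, the sibling template uses `{{- if` / `{{- end }}` trimming while this hunk uses untrimmed `{{ if` / `{{ end }}`, which leaves whitespace-only lines in the rendered YAML.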
@@ -0,0 +1 @@ +* The metrics endpoint changed from http on port 8082 to the web-secure endpoint to prevent sending BASIC_AUTH credentials plaintext. If metrics is enabled you need to configure a FQDN for it by setting METRICS_FQDN in your .env. You should also update the scrape config files in prometheus for Traefik metrics from port 8082 to the new FQDN. \ No newline at end of file diff --git a/traefik.yml.tmpl b/traefik.yml.tmpl index e01b621..d51f7f8 100644 --- a/traefik.yml.tmpl +++ b/traefik.yml.tmpl @@ -94,13 +94,6 @@ entrypoints: irc: address: ":6697" {{- end }} - {{- if eq (env "METRICS_ENABLED") "1" }} - metrics: - address: ":8082" - http: - middlewares: - - basicauth@file - {{- end }} {{- if eq (env "MATRIX_FEDERATION_ENABLED") "1" }} matrix-federation: address: ":9001" @@ -122,7 +115,8 @@ ping: {{- if eq (env "METRICS_ENABLED") "1" }} metrics: prometheus: - entryPoint: metrics + entryPoint: web-secure + manualRouting: true addRoutersLabels: true addServicesLabels: true {{- end }} -- 2.49.0
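Review bot: With `manualRouting: true` set on the line below it, `entryPoint: web-secure` presumably no longer decides where metrics are exposed — routing now comes entirely from the `traefik-metrics` router in file-provider.yml.tmpl — yet the line reads as if metrics were still auto-attached to web-secure, which is exactly the plaintext-exposure shape this commit is removing. A comment tying the two files together prevents the next reader from "fixing" one side without the other: `# exposure is defined by the traefik-metrics router in file-provider.yml.tmpl (manualRouting); entryPoint is kept for the Traefik schema only`. The `prometheus:` mapping and its `{{- if }}` guard are fully inside the hunk; the earlier hunk in this file is a pure removal of the old `:8082` entrypoint and raises nothing on its own.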