Node Exporter mit TLS und Basic Auth
Create a self-signed cert for node-exporter:
$ openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout node_exporter.key -out node_exporter.crt -subj “/C=ZA/ST=CT/L=SA/O=VPN/CN=localhost” -addext “subjectAltName = DNS:localhost” Move the certs into the directory we created:
$ mv node_exporter.* /etc/node-exporter/ Install htpasswd so that we can generate a password hash with bcrypt, which will prompt you for a password that we are setting for the prometheus user::
$ apt install apache2-utils $ htpasswd -nBC 10 "" | tr -d ‘:\n’; echo Now populate the config for node-exporter:
$ cat /etc/node-exporter/config.yml
tls_server_config:
cert_file: node_exporter.crt
key_file: node_exporter.key
basic_auth_users:
prometheus:
$ chown -R ${NODE_EXPORTER_USER}:${NODE_EXPORTER_USER} /etc/node-exporter Then create the systemd unit file:
$ cat > /etc/systemd/system/node_exporter.service « EOF [Unit] Description=Node Exporter Wants=network-online.target After=network-online.target StartLimitIntervalSec=500 StartLimitBurst=5 [Service] User=${NODE_EXPORTER_USER} Group=${NODE_EXPORTER_USER} Type=simple Restart=on-failure RestartSec=5s ExecStart=${BIN_DIRECTORY}/node_exporter –web.config=/etc/node-exporter/config.yml [Install] WantedBy=multi-user.target EOF Reload systemd and start node-exporter
$ systemctl daemon-reload $ systemctl enable node_exporter $ systemctl restart node_exporter Prometheus Config Copy the /etc/node-exporter/node_exporter.crt from the node-exporter node to prometheus-node, then in the /etc/prometheus/prometheus.yml config:
 scrape_configs:
- job_name: ’node-exporter-tls’
scheme: https
basic_auth:
username: prometheus
password:
tls_config: ca_file: node_exporter.crt insecure_skip_verify: true static_configs: - targets: [’node-exporter-ip:9100’] labels: instance: friendly-instance-name