Add ip restriction for the prometheus_client output #4431
@dupondje The code here is very good, but I feel like this addition won't be in very wide demand, and I don't want to support too many connection limitations as they are endless. Why not just set this up in your system firewall instead?
@danielnelson: You could be correct that this isn't in very wide demand. But this can be used in cases where firewalling isn't possible, for example, or when you want to have some additional protection mechanism. Also, I don't think there are endless ways to limit connections (that are supported by Prometheus itself). Next to that, I think the patch is rather straightforward and small, so it doesn't add a lot of complexity to the code :) Anyway, your call if you merge it or not!
remoteIPs, _, _ := net.SplitHostPort(r.RemoteAddr) | ||
remoteIP := net.ParseIP(remoteIPs) | ||
for _, iprange := range p.IPRange { | ||
_, ipNet, _ := net.ParseCIDR(iprange) |
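Review bot: the error from net.SplitHostPort and a possible nil result from net.ParseIP are not checked on the first two lines, so a RemoteAddr that does not parse leaves remoteIP nil; check both and reject the request in that case. net.ParseCIDR also runs inside the loop on every request, so parsing p.IPRange once when the plugin starts would surface a bad range as a configuration error and avoid repeating the work. Keep in mind that r.RemoteAddr is the direct TCP peer, so behind a reverse proxy this check sees the proxy's address.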
Handle the error so the next line doesn't panic if the user passes bad configuration.
Sometimes you want to protect the exported /metrics path from the prometheus_client. It was already possible to secure it with a password. This patch adds the option to allow only defined CIDR ranges to access the /metrics.
Adjusted the code as requested.
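An added example, not code from this pull request: one way to enforce a CIDR allowlist on an HTTP handler in Go, parsing the ranges once at startup and denying any peer address that fails to parse. The function names, the 403 response and the sample ranges are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
)

// parseAllowlist parses each CIDR once at startup; a bad entry is a config error.
func parseAllowlist(cidrs []string) ([]*net.IPNet, error) {
	var nets []*net.IPNet
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("invalid range %q: %w", c, err)
		}
		nets = append(nets, n)
	}
	return nets, nil
}

// allowed fails closed: a peer address that does not parse is denied.
func allowed(remoteAddr string, nets []*net.IPNet) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if ip := net.ParseIP(host); err == nil && ip != nil {
		for _, n := range nets {
			if n.Contains(ip) {
				return true
			}
		}
	}
	return false
}

// restrict (hypothetical name) answers 403 to peers outside the allowlist.
func restrict(nets []*net.IPNet, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !allowed(r.RemoteAddr, nets) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	nets, err := parseAllowlist([]string{"192.168.0.0/24", "fd00::/8"}) // constructed ranges
	fmt.Println(err, allowed("192.168.0.7:5000", nets), allowed("10.1.1.1:5000", nets))
}
```

The check uses the connection's peer address only, so a deployment behind a reverse proxy would need the allowlist applied at the proxy instead.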