[docs] Explain how to secure metrics endpoints (#2382)

This commit is contained in:
Daenney 2023-11-26 15:53:53 +01:00 committed by GitHub
parent 2b9cf56f56
commit c334df8f43
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 40 additions and 16 deletions

View file

@ -1,28 +1,35 @@
# Metrics # Metrics
GoToSocial comes with [OpenTelemetry][otel] based metrics built-in with pull-style Prometheus exporter. Currently the following metrics are collected: GoToSocial comes with [OpenTelemetry][otel] based metrics. The metrics are exposed using the [Prometheus exposition format][prom] on the `/metrics` path. The configuration settings are documented in the [Observability configuration reference][obs].
Currently the following metrics are collected:
* Go performance and runtime metrics * Go performance and runtime metrics
* Gin (HTTP) metrics * Gin (HTTP) metrics
* Bun (database) metrics * Bun (database) metrics
How to configure metrics is explained in the [Observability configuration reference][obs]. Metrics can be enable with the following configuration:
For a quickstart, add the following to your GoToSocial configuration and restart your instance:
```yaml ```yaml
metrics-enabled: true metrics-enabled: true
```
Though metrics do not contain anything privacy sensitive, you may not want to allow just anyone to view and scrape operational metrics of your instance.
## Enabling basic authentication
You can enable basic authentication for the metrics endpoint. On the GoToSocial, side you'll need the following configuration:
```yaml
metrics-auth-enabled: true metrics-auth-enabled: true
metrics-auth-username: some_username metrics-auth-username: some_username
metrics-auth-password: some_password metrics-auth-password: some_password
``` ```
This will expose the metrics under the endpoint `/metrics`, protected with HTTP Basic Authentication. You can scrape that endpoint with a Prometheus instance using the following configuration in your `scrape_configs`:
A following is an example how to configure a job for collecting the metrics in Prometheus `scrape_configs`:
```yaml ```yaml
- job_name: gotosocial - job_name: gotosocial
metrics_path: /metrics metrics_path: /metrics
scheme: https scheme: https
basic_auth: basic_auth:
@ -33,5 +40,18 @@ A following is an example how to configure a job for collecting the metrics in P
- example.org - example.org
``` ```
## Blocking external scraping
When running with a reverse proxy you can use it to block external access to metrics. You can use this approach if your Prometheus scraper runs on the same machine as your GoToSocial instance and can thus access it internally.
For example with nginx, block the `/metrics` endpoint by returning a 404:
```nginx
location /metrics {
return 404;
}
```
[otel]: https://opentelemetry.io/ [otel]: https://opentelemetry.io/
[prom]: https://prometheus.io/docs/instrumenting/exposition_formats/
[obs]: ../configuration/observability.md [obs]: ../configuration/observability.md

View file

@ -2,6 +2,10 @@
These settings let you tune and configure certain observability related behaviours. These settings let you tune and configure certain observability related behaviours.
## Metrics
Before enabling metrics, [read the guide](../advanced/metrics.md) and ensure you've taken the appropriate security measures for your setup.
## Settings ## Settings
```yaml ```yaml