Prometheus: Add authentication to Prometheus Node Exporter

This documentation is part of the Retrieving metrics from Linux guide. You can view the complete guide here: How to retrieve Linux server metrics in Prometheus using Node Exporter.

👋 Welcome to the Stackhero documentation!

Stackhero offers a ready-to-use Prometheus cloud solution that provides a host of benefits, including:

  • Alert Manager included to send alerts to Slack, Mattermost, PagerDuty, etc.
  • Dedicated email server to send unlimited email alerts.
  • Blackbox to probe HTTP, ICMP, TCP, and more.
  • Easy configuration with online configuration file editor.
  • Effortless updates with just a click.
  • Optimal performance and robust security powered by a private and dedicated VM.

Save time and simplify your life: it only takes 5 minutes to try Stackhero's Prometheus cloud hosting solution!

By default, Node Exporter does not perform authentication, meaning anyone can retrieve the exposed metrics. To secure access, you can add basic authentication for a user.

Generate a password using the following commands:

password=`openssl rand -base64 32`
passwordHashed=`echo ${password} | htpasswd -inBC 10 "" | tr -d ':'`
echo "Clear password to keep for Prometheus server: ${password}"

If you do not have the htpasswd binary, you can install it on Debian/Ubuntu using apt-get install --no-install-recommends apache2-utils.

Keep the clear password secure as you will need it when configuring Prometheus.

Append the following lines to the configuration file to add a user called "prometheus" with the generated password hash:

sudo cat << EOF >> /etc/prometheus_node_exporter/configuration.yml
basic_auth_users:
  prometheus: ${passwordHashed}

EOF

# Restart Node Exporter
sudo systemctl restart node_exporter

Finally, verify that authentication is working correctly:

  • Running curl http://localhost:9100/metrics should return "Unauthorized".
  • Running curl -u prometheus:${password} http://localhost:9100/metrics should return the list of metrics.