Abusing Prometheus for some cheap analytics (but don't actually do this for anything important)

Hello again,

I just wanted to say thanks for investing in the ability to export Prometheus metrics!

Currently I use the Netlify free tier but I pay $9/month for analytics. I’m happy to pay for my software, to be clear, but it always bugged me a little that the infrastructure was free given that should be the more costly thing.

Anyway, it got me thinking and by wiring up prometheus-nginxlog-exporter inside of my nginx-based static site deploy, I think I’ve just given myself some free analytics without having to rely on a third party that I had no real insight into (or ability to poke at the data!).

Interestingly, there also seem to be some rogue user agents polling for potentially exploitable (if they exist) directories, which is nothing new on the web but surprising given I haven’t published the URL anywhere.

My initial thought was that something is polling GitHub but the URL isn’t exposed in my source code so that doesn’t seem like it would make much sense.

To be clear, I don’t think it’s anything to do with Fly, and not publishing a publicly accessible URL isn’t the same thing as said URL being private, of course. I’ll let you know if I can figure out what’s going on but otherwise, it says more about the usefulness of the metrics exporter :stuck_out_tongue:

Anyway, I think I still need to set a LOCALE or something in my build container because a couple of bits of text end up garbled, i.e. " · Around 2 minutes" becomes “· Around 2 minutes”. I guess that’s what I get for using Alpine images anyway: often some unexpected weirdness. The classic missing UTF-8 charset metatag/header, bah.

It’s worth noting for anyone else reading that you SHOULDN’T do this for any large sites given that the number of potential pages will generate an exponentially large amount of labels and as such, will likely translate into an excessive amount of load for Prometheus. Realistically, using a proper logging provider is the way to go here and would be much more reflective than some

Thanks!

By the way, I didn’t see any particular Prometheus metrics that include request URIs from the default Fly metrics but if any do exist that I overlooked (or are planned) then I’d love to know so I can deprecate all this extra stuff :slight_smile:

I love projects using our metrics!

IPs we own and lend our users are known and, unfortunately, scanned by bots. Usually there’s no bad side effect, but it would be nice to offer some basic blocking strategy for those.

This is why we don’t do it, essentially. A “lower cardinality” way would be to label “routes” and expose that through your app. There is potential for a lot more features in our metrics offering, like being able to dynamically add labels to default metrics (maybe). It’s possible people will hit our limits (currently vague and not really enforced) though and stop getting metrics altogether.

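The "label routes" approach from the reply above, as an added example that is not part of the thread or Fly's code: request URIs from nginx access-log lines are collapsed into a fixed set of route labels, so scanner probes for nonexistent paths all share one `other` series instead of each creating a new one. The route table and the log lines are constructed for illustration.

```python
import re
from collections import Counter

# Assumed route table for a small static site (hypothetical paths).
ROUTES = [
    (re.compile(r"^/$"), "/"),
    (re.compile(r"^/posts/[a-z0-9-]+/?$"), "/posts/:slug"),
    (re.compile(r"^/(css|js|img)/"), "/static"),
]
UNMATCHED = "other"  # every unknown path, scanner probes included

# Request line and status code from nginx's "combined" log format.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) ')

def route_label(uri):
    """Map a client-supplied URI onto a bounded set of label values."""
    path = uri.split("?", 1)[0].lower()  # query strings never become labels
    for pattern, label in ROUTES:
        if pattern.search(path):
            return label
    return UNMATCHED

def count_series(lines, labeller):
    """Count requests per (method, path label, status), i.e. per time series."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            counts[(m["method"], labeller(m["uri"]), m["status"])] += 1
    return counts

def _line(uri, status):
    return f'203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET {uri} HTTP/1.1" {status} 512 "-" "ua"'

# Constructed sample: five real page hits, then four probes for paths that do not exist.
SAMPLE_LOG = [
    _line("/", 200), _line("/posts/cheap-analytics/", 200),
    _line("/posts/hello-world/", 200), _line("/posts/hello-world/?utm_source=x", 200),
    _line("/css/site.css", 200),
    _line("/wp-login.php", 404), _line("/.env", 404),
    _line("/admin/", 404), _line("/.git/config", 404),
]

if __name__ == "__main__":
    raw = count_series(SAMPLE_LOG, lambda uri: uri)   # raw URI as the label value
    routed = count_series(SAMPLE_LOG, route_label)    # bounded route labels
    print(f"series with raw URI label: {len(raw)}, with route label: {len(routed)}")
    for key, n in sorted(routed.items()):
        print(key, n)
```

With the raw URI as the label, the number of series is set by whoever sends requests; with the route table it is bounded by the table size times the methods and status codes seen.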