Protecting metrics and health endpoints

I’m looking at the HTTP health check and metrics section of fly.toml and asking myself what options I have to protect them for a service that is exposed to the internet.

  • The first option would be to expose them on a different port that is only available on the private network and I think it would work without waiting on you to do an upgrade.

  • The other option would be to specify some authentication method inside the app’s fly.toml file.

In your opinion which one brings with it less complexity?

Less complexity for us would be for you to expose metrics on a different port. That’s pretty common.

We do want to allow Basic Auth or something like that, but it might not be coming for a little while.

You can specify HTTP headers in the health check config and use them to authenticate (I tend to set a host header of healthcheck.local).

Your app can also ignore healthcheck/metrics requests with a fly-client-ip header. The health check and metrics requests won’t include those, or any of the headers our HTTP handler adds.
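An added example, not part of the thread and not Fly's own code: a WSGI middleware that applies the two app-side checks described in the last reply. The `/healthz` and `/metrics` paths, the `ProbeGuard` and `status_for` names, and the sample addresses are assumptions, and the health check is assumed to be configured to send `Host: healthcheck.local`.

```python
# Added example. Paths and names below are assumptions, not from the thread.
HEALTH_PATH = "/healthz"            # assumed health check path
METRICS_PATH = "/metrics"           # assumed metrics path
PROBE_HOST = "healthcheck.local"    # Host header set in the health check config


def is_allowed(environ):
    """Decide whether a request may reach a protected endpoint."""
    path = environ.get("PATH_INFO", "").rstrip("/") or "/"
    if path not in (HEALTH_PATH, METRICS_PATH):
        return True  # ordinary application traffic is not affected
    # Per the thread, health check and metrics requests carry no
    # Fly-Client-IP header, so its presence marks public traffic.
    if "HTTP_FLY_CLIENT_IP" in environ:
        return False
    if path == HEALTH_PATH:
        # The health check is expected to present the configured Host header.
        host = environ.get("HTTP_HOST", "").split(":")[0].lower()
        return host == PROBE_HOST
    return True


class ProbeGuard:
    """WSGI middleware answering 404 for probe paths requested by anyone else."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if not is_allowed(environ):
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"not found\n"]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    # Stand-in application: every path answers 200.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def status_for(path, headers):
    """Send one constructed request through the guard; return the status code."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    for name, value in headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    seen = []
    ProbeGuard(demo_app)(environ, lambda status, hdrs: seen.append(status))
    return int(seen[0].split()[0])
```

Returning 404 rather than 401 or 403 keeps the endpoints from being advertised to public clients.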