Protecting metrics and health endpoints

rugwiro · May 13, 2021, 5:12pm

I’m looking and the http health check and metrics section of fly.toml and asking myself what options do I have to protect them for a service that is exposed to the internet?

The first option would be to expose them on a different port that is only available on the private network and I think it would work without waiting on you to do an upgrade.
The other option would be to specify some authentication method inside the app’s fly.toml file.

In your opinion which one brings with it less complexity?

jerome · May 13, 2021, 5:17pm

Less complexity for us would be for you to expose metrics on a different port. That’s pretty common.

We do want to allow Basic Auth or something like that, but it might not be coming for a little while.

kurt · May 13, 2021, 6:29pm

You can specify HTTP headers in the health check config and use them to authenticate (I tend to set a host header of healthcheck.local).

Your app can also ignore healthcheck/metrics requests with a fly-client-ip header. The health check and metrics requests won’t include those, or any of the headers our HTTP handler adds.

Topic		Replies	Views
Authenticated requests for health_checks and Prometheus Metric Scraping? Questions / Help metrics	7	1209	November 29, 2022
Hiding metrics from the public internet with Cloudflare help-me-help-you	1	437	November 9, 2023
Only expose /metrics for Fly internal scraper Questions / Help metrics , elixir	3	458	September 22, 2024
Is there a way to disable health checks?	10	2694	February 11, 2023
Hide metrics endpoint metrics , proxy	4	52	September 30, 2024

Protecting metrics and health endpoints

Related topics