nftables-exporter

Feature Request: HTTP Basic Auth (and TLS)

Open MPStudyly opened this issue 10 months ago • 7 comments

Hi,

first of all, this exporter seems to be great and provides all features I was looking for! I'm looking forward to testing it on our network infrastructure throughout the next days. There is just one minor question I was unable to verify myself: Does this exporter allow the configuration of HTTP Basic Auth and subsequently TLS to provide transport security for transmitted credentials? As the config docs mention nothing in this regard, I skimmed through the code and found nothing indicating support.

If there is indeed no support, this is not a deal breaker, but inconvenient at least. Lacking the necessary Go skills, I could only leave a request for these features to be added. 😅

In the meantime I'll proceed by hiding the endpoint behind a reverse proxy on the same host.

Best regards

MPStudyly avatar Feb 12 '25 16:02 MPStudyly

Authentication and encryption: it is usually done at an upper layer for the metrics endpoint.

majst01 avatar Feb 12 '25 16:02 majst01

Authentication and encryption: it is usually done at an upper layer for the metrics endpoint.

So you mean it is common to approach this via reverse proxy anyway? I can't tell for sure about TLS, but I've already seen (and used) exporters implementing Basic Auth natively.

MPStudyly avatar Feb 13 '25 09:02 MPStudyly

Authentication and encryption: it is usually done at an upper layer for the metrics endpoint.

So you mean it is common to approach this via reverse proxy anyway? I can't tell for sure about TLS, but I've already seen (and used) exporters implementing Basic Auth natively.

Implementing basic auth without also taking care of TLS is close to useless, because then the auth credentials are passed in cleartext. I recommend doing this type of work in a central place.

majst01 avatar Feb 13 '25 09:02 majst01

Authentication and encryption: it is usually done at an upper layer for the metrics endpoint.

So you mean it is common to approach this via reverse proxy anyway? I can't tell for sure about TLS, but I've already seen (and used) exporters implementing Basic Auth natively.

Implementing basic auth without also taking care of TLS is close to useless, because then the auth credentials are passed in cleartext.

That's why I referred to both in the overall request. But while cleartext auth is useless, having auth handled by the exporter itself and encryption being handled by a reverse proxy is a completely acceptable, I'd say even common, setup. Thus it could be an idea to provide just auth with a clear hint that this alone will be useless.

MPStudyly avatar Feb 13 '25 10:02 MPStudyly
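
The split discussed in this thread (the exporter checks Basic Auth, a reverse proxy terminates TLS), sketched in Go as an added example that is not part of the issue or of nftables-exporter's code. The names `basicAuth`, `sniffBasic`, `probe` and `metrics`, the sample metric and the credentials are hypothetical; `sniffBasic` shows that the header decodes without any key, which is why the credential needs TLS on every hop it travels.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// basicAuth wraps next; hashing both sides gives equal-length inputs for the constant-time compare.
func basicAuth(next http.Handler, user, pass string) http.Handler {
	want := sha256.Sum256([]byte(user + ":" + pass)) // a Basic Auth user cannot contain ':'
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, p, ok := r.BasicAuth()
		got := sha256.Sum256([]byte(u + ":" + p))
		if !ok || subtle.ConstantTimeCompare(got[:], want[:]) != 1 {
			w.Header().Set("WWW-Authenticate", `Basic realm="metrics"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// sniffBasic recovers "user:password" from an Authorization header: base64 is an encoding, not encryption.
func sniffBasic(header string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(header, "Basic "))
	return string(raw), err
}

// probe sends one in-memory request to h and returns the status and the Authorization header as sent.
func probe(h http.Handler, user, pass string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "/metrics", nil)
	req.SetBasicAuth(user, pass)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, req.Header.Get("Authorization")
}

var metrics = http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprintln(w, "example_metric 1") }) // constructed stand-in

func main() {
	code, hdr := probe(basicAuth(metrics, "prom", "s3cret"), "prom", "s3cret") // constructed credentials
	leaked, _ := sniffBasic(hdr)
	fmt.Println(code, hdr, "->", leaked)
}
```

In the setup described above, a handler like this would listen only on loopback, with the reverse proxy on the same host as the only TLS-facing listener.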

If you insist, feel free to raise a PR, I am happy to review.

majst01 avatar Feb 13 '25 10:02 majst01

If you insist, feel free to raise a PR, I am happy to review.

I'll have a look as soon as this gets too pressing for us. Might be around the end of the year though.

Shall we close the issue in the meantime or do you want to keep it around, so people can like if they wish for the same?

MPStudyly avatar Feb 17 '25 16:02 MPStudyly

We can keep this issue for reference.

majst01 avatar Feb 18 '25 06:02 majst01