Simon Pasquier

:wave: Filip! It makes sense to me that you can setup prom-label-proxy with a static label value. Something like? ``` ./prom-label-proxy -label mytenant -label-value tenantX ... ```

:wave: @amine250 I'm not sure what you're trying to accomplish exactly. The purpose of prom-label-proxy is to enforce dynamically label matchers in PromQL queries, the label key is configured statically...

@amine250 can you check #82? does it match your request about being able to deploy prom-label-proxy with a fixed label key/value to be enforced?

> For my particular use case, I would like to reject HTTP requests that contain PromQL queries, which don't have the enforced_label inside the PromQL query. Ok I get it...

Thanks for the reply, really helpful! I think it's quite a departure from the original prom-label-proxy goals but eager to hear the opinion from other @prometheus-community/prom-label-proxy maintainers.

I'm not sure that we ever discussed this feature to be honest. I think it would be fine to have though it only applies to Thanos and not Prometheus.

I would assume that `/static/*` endpoints are "safe" but the rest is more problematic IMHO. IIRC we decided on exact paths to avoid users shooting themselves in the foot but...

it was discussed in https://github.com/prometheus-community/prom-label-proxy/pull/48#issuecomment-716552994 but dismissed as being insecure (at least as long the legacy UI exists since the targets and configuration pages may expose sensitive informatoin).

this is working fine with the latest prom-label-proxy for me. Can you try to upgrade?

Regex matchers _should_ be safe if we escape values with [`regex.QuoteMeta`](https://golang.org/pkg/regexp/#QuoteMeta) though?