More information when setting Prometheus endpoint (neo4j#587) (neo4j#611) (neo4j#614)

lidiazuin · web-flow · commit adb6360ea704 · 2023-03-23T14:28:24.000+01:00
Cherry-picked from neo4j#587
diff --git a/modules/ROOT/pages/monitoring/metrics/expose.adoc b/modules/ROOT/pages/monitoring/metrics/expose.adoc
@@ -81,8 +81,17 @@ metrics.prometheus.enabled=true
 metrics.prometheus.endpoint=localhost:2004
 ----
 
-When Neo4j is fully started a Prometheus endpoint will be available at the configured address.
+When Neo4j is fully started, a Prometheus endpoint will be available at the configured address.
 
+[WARNING]
+====
+You should never expose the Prometheus endpoint directly to the Internet. 
+If security is of paramount importance, you should set `metrics.prometheus.endpoint=localhost:2004` and configure a reverse HTTP proxy on the same machine that handles the authentication, SSL, caching, etc. 
+====
+If you can afford to send unencrypted metrics within the internal network, such as `metrics.prometheus.endpoint=10.0.0.123:2004`, all servers within the same netmask will be able to access it.
+
+If you specify anything more permissible, such as `metrics.prometheus.endpoint=0.0.0.0:2004`, you should have a firewall rule to prevent any unauthorized access. 
+Data in transit will still not be encrypted, so it should never go other any insecure networks.
 
 [[metrics-csv]]
 == CSV files
@@ -119,4 +128,4 @@ In order to enable metrics exposure via JMX, add the following setting to xref:c
 metrics.jmx.enabled=true
 ----
 
-For more information about accessing and adjusting the metrics, see link:{neo4j-docs-base-uri}/java-reference/{page-version}/jmx-metrics/[The Java Reference Guide -> JMX metrics].
+For more information about accessing and adjusting the metrics, see link:{neo4j-docs-base-uri}/java-reference/{page-version}/jmx-metrics/[The Java Reference Guide -> JMX metrics].
diff --git a/modules/ROOT/partials/neo4j-config/all-settings.adoc b/modules/ROOT/partials/neo4j-config/all-settings.adoc
@@ -4465,7 +4465,7 @@ m|false
 |Description
 a|The hostname and port to use as Prometheus endpoint.
 |Valid values
-a|metrics.prometheus.endpoint, a socket address. If missing port or hostname it is acquired from dbms.default_listen_address
+a|metrics.prometheus.endpoint, a socket address in the format `hostname:port`, `hostname`, or `:port`. If missing, port and hostname are acquired from `dbms.default_listen_address`.
 |Default value
 m|localhost:2004
 |===
