Secure PrometheusExporter scraping with SSL (#350)

Author: n-rodriguez

exe/prometheus_exporter

@@ -71,6 +71,13 @@ def run
     opt.on('--logger-path PATH', String, '(optional) Path to file for logger output. Defaults to STDERR') do |o|
       options[:logger_path] = o
     end
+
+    opt.on('--tls-key-file PATH', String, "(optional) Enable server TLS using a private key PATH") do |o|
+      options[:tls_key_file] = o
+    end
+    opt.on('--tls-cert-file PATH', String, "(optional) Enable server TLS using a certificate PATH") do |o|
+      options[:tls_cert_file] = o
+    end
   end.parse!
 
   logger = Logger.new(options[:logger_path])

lib/prometheus_exporter/client.rb

@@ -61,7 +61,10 @@ def initialize(
       custom_labels: nil,
       logger: Logger.new(STDERR),
       log_level: Logger::WARN,
-      process_queue_once_and_stop: false
+      process_queue_once_and_stop: false,
+      tls_ca_file: nil,
+      tls_cert_file: nil,
+      tls_key_file: nil
     )
       @logger = logger
       @logger.level = log_level
@@ -90,6 +93,12 @@ def initialize(
 
       @custom_labels = custom_labels
       @process_queue_once_and_stop = process_queue_once_and_stop
+
+      @tls_ca_file = tls_ca_file
+      @tls_cert_file = tls_cert_file
+      @tls_key_file = tls_key_file
+
+      @ssl_context = build_ssl_context if use_ssl?
     end
 
     def custom_labels=(custom_labels)
@@ -232,6 +241,12 @@ def ensure_socket!
       if !@socket
         @socket = TCPSocket.new @host, @port, connect_timeout: @connect_timeout
 
+        if use_ssl?
+          @socket = OpenSSL::SSL::SSLSocket.new(@socket, @ssl_context)
+          @socket.sync_close = true
+          @socket.connect
+        end
+
         @socket.write("POST /send-metrics HTTP/1.1\r\n")
         @socket.write("Transfer-Encoding: chunked\r\n")
         @socket.write("Host: #{@host}\r\n")
@@ -249,6 +264,20 @@ def ensure_socket!
       raise
     end
 
+    def use_ssl?
+      @tls_ca_file && @tls_cert_file && @tls_key_file
+    end
+
+    def build_ssl_context
+      require "openssl"
+      ssl_context = OpenSSL::SSL::SSLContext.new()
+      ssl_context.cert = OpenSSL::X509::Certificate.new(File.read(@tls_cert_file))
+      ssl_context.key = OpenSSL::PKey::RSA.new(File.read(@tls_key_file))
+      ssl_context.ca_file = @tls_ca_file
+      ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER
+      ssl_context
+    end
+
     def wait_for_empty_queue_with_timeout(timeout_seconds)
       start_time = ::Process.clock_gettime(::Process::CLOCK_MONOTONIC)
       while @queue.length > 0

lib/prometheus_exporter/server/runner.rb

@@ -59,6 +59,8 @@ def start
           verbose: verbose,
           auth: auth,
           realm: realm,
+          tls_cert_file: tls_cert_file,
+          tls_key_file: tls_key_file,
         )
       @server.start
     end
@@ -67,7 +69,7 @@ def stop
       @server.stop
     end
 
-    attr_accessor :unicorn_listen_address, :unicorn_pid_file
+    attr_accessor :unicorn_listen_address, :unicorn_pid_file, :tls_cert_file, :tls_key_file
     attr_writer :prefix,
                 :port,
                 :bind,

lib/prometheus_exporter/server/web_server.rb

@@ -62,13 +62,20 @@ def initialize(opts)
 
       @collector = opts[:collector] || Collector.new(logger: @logger)
 
-      @server =
-        WEBrick::HTTPServer.new(
-          Port: @port,
-          BindAddress: @bind,
-          Logger: @logger,
-          AccessLog: @access_log,
+      webrick_options = { Port: @port, BindAddress: @bind, Logger: @logger, AccessLog: @access_log }
+
+      if opts[:tls_cert_file] && opts[:tls_key_file]
+        require "webrick/https"
+        require "openssl"
+
+        webrick_options[:SSLEnable] = true
+        webrick_options[:SSLCertificate] = OpenSSL::X509::Certificate.new(
+          File.read(opts[:tls_cert_file]),
         )
+        webrick_options[:SSLPrivateKey] = OpenSSL::PKey::RSA.new(File.read(opts[:tls_key_file]))
+      end
+
+      @server = WEBrick::HTTPServer.new(webrick_options)
 
       @server.mount_proc "/" do |req, res|
         res["Content-Type"] = "text/plain; charset=utf-8"