Score:0

Nginx reverse proxy when port is already in use?


I am trying to close a port with basic authentication (for the Pushgateway of Prometheus). I'm not a big specialist in nginx, so could someone please give me some advice on where I am wrong?

I have port 9091, which should be closed from the outside and put behind auth. This port is in use by Pushgateway.

My current nginx config:

events { }
http {
    upstream prometheus {
        server 127.0.0.1:9090;
        keepalive 64;
    }

    upstream pushgateway {
        server 127.0.0.1:9091;
        keepalive 64;
    }

    server {
        root /var/www/example;
        listen 0.0.0.0:80;
        server_name __;
        location / {
            auth_basic "Prometheus server authentication2";
            auth_basic_user_file /etc/nginx/.htpasswd;
            proxy_pass http://prometheus;
        }
    }

    server {
        root /var/www/example;
        listen 0.0.0.0:3001;
        server_name __;
        location / {
            auth_basic "Pushgateway server authentication";
            auth_basic_user_file /etc/nginx/.htpasswd;
            proxy_pass http://pushgateway;
        }
    }
}

So basic authentication works fine for :3001, but 9091 is still open. I tried to change it this way:

server {
    root /var/www/example;
    listen 0.0.0.0:3001;
    listen 0.0.0.0:9091;
    server_name __;
    location / {
        auth_basic "Pushgateway server authentication";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass http://pushgateway;
    }
}

And it works fine, but... Pushgateway can't start, as it is trying to listen on :9091 and throws "bind: address is already in use". How can I avoid this and hide Pushgateway behind nginx?

Pushgateway's config:

ExecStart=/usr/local/bin/pushgateway --web.listen-address=":9091" --web.telemetry-path="/metrics"  --persistence.file="/tmp/metric.store"  --persistence.interval=5m --log.level="info" --log.format="logger:stdout?json=true"
Score:1

Your current nginx configuration is good for this purpose.

You need to change your Pushgateway configuration so that it listens to 127.0.0.1 instead of 0.0.0.0.

If you cannot find that, then you need to add a firewall rule that blocks traffic to the port from the WAN side.

Thanks for the suggestion. It was what I tried first: ExecStart=/usr/local/bin/pushgateway --web.listen-address="127.0.0.1:9091" --web.telemetry-path="/metrics" --persistence.file="/tmp/metric.store" --persistence.interval=5m --log.level="info" --log.format="logger:stdout?json=true", and the issue is the same.
What does `ss -lnpt | grep gateway` show?
This is with the nginx line with listen 9091 commented out: https://i.imgur.com/nA71xlt.png; with it listening, it shows nothing, as Pushgateway can't start: https://i.imgur.com/2AMCyFs.png
You must not have the second configuration snippet in your question. nginx must not listen to that port.
OK, but what do I need to do to make this port not accessible from public access?
I have already told you what to do. You use only the first part of the configuration in your question, and then configure Pushgateway to listen only on `127.0.0.1:9091`. This way, only Pushgateway is listening on port 9091, and since it is bound to localhost, it is not available externally.
Yep... you are totally right. It looks like when I tested 127.0.0.1:9091 I did not restart the service correctly. Rebooting the whole node fixed it. Thank you a lot, man.