HTTP over SSH transport for Prometheus

digineo/http-over-ssh

HTTP over SSH

This dynamic HTTP proxy tunnels your HTTP requests through SSH connections using public key authentication. It was developed to poll Prometheus exporters through SSH.

Syntax

A proxy request looks like this:

GET http://<jumphost>/<destination-host>/<destination-path> HTTP/1.1

You can override the SSH username by using HTTP Basic Auth.

Usage

After installation (see below), start the proxy on localhost:8000:

$ http-over-ssh -listen 127.0.0.1:8000

For a full list of options run http-over-ssh -help.

Prometheus Scraper

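Assuming this proxy runs on the same machine as Prometheus on localhost:8080 and you want to scrape remote hosts running Prometheus exporters on localhost:9100, add the following to your scrape configs. Each target is the SSH jump host, metrics_path carries the destination host and path, and the relabel rule sets the instance label to the jump host name combined with the exporter port (for example www.example.com:9100):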

  - job_name: 'node-exporter'
    proxy_url: http://localhost:8080/
    metrics_path: /localhost:9100/metrics
    relabel_configs:
      - source_labels: ['__address__', '__metrics_path__']
        regex:        '(.+):\d+;/localhost:(\d+)/.*'
        replacement:  '$1:$2'
        target_label: 'instance'
    static_configs:
      - targets:
        - www.example.com:22
        - mail.example.com:22

Authorized Keys (OpenSSH)

To restrict an SSH key so that it can only forward connections to localhost:9100, append this line to ~/.ssh/authorized_keys:

restrict,port-forwarding,permitopen="localhost:9100" ssh-ed25519 <the-key> prometheus@example.com
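
A lint for such entries, as an added example that is not part of the http-over-ssh project: it parses the options field of an authorized_keys line and reports anything that would let the key do more than forward to the one permitted target. The function names and the sample key line are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// splitOptions splits a line's first field on commas, honouring double quotes.
func splitOptions(line string) (opts []string) {
	start, inQuote := 0, false
	for i := 0; i < len(line); i++ {
		if c := line[i]; c == '"' && (i == 0 || line[i-1] != '\\') {
			inQuote = !inQuote
		} else if c == ',' && !inQuote {
			opts, start = append(opts, line[start:i]), i+1
		} else if (c == ' ' || c == '\t') && !inQuote {
			return append(opts, line[start:i])
		}
	}
	return append(opts, line[start:])
}

// Audit lists problems with one line; allowed is the only host:port it may reach.
func Audit(line, allowed string) (findings []string) {
	seen := map[string]bool{}
	for _, o := range splitOptions(strings.TrimSpace(line)) {
		name, val, _ := strings.Cut(strings.ToLower(o), "=")
		seen[name] = true // a bare key type (line without options) lands here too
		switch name {
		case "permitopen":
			if v := strings.Trim(val, `"`); v != strings.ToLower(allowed) {
				findings = append(findings, "permitopen allows "+v)
			}
		case "pty", "agent-forwarding", "x11-forwarding", "user-rc":
			findings = append(findings, name+" enabled")
		}
	}
	if !seen["restrict"] {
		findings = append(findings, "missing restrict")
	}
	if !seen["permitopen"] && (seen["port-forwarding"] || !seen["restrict"]) {
		findings = append(findings, "no permitopen: any forward destination")
	}
	return findings
}

func main() {
	// Constructed line in the README's form; AAAA stands in for the key blob.
	fmt.Println(Audit(`restrict,port-forwarding,permitopen="localhost:9100" ssh-ed25519 AAAA p@example.com`, "localhost:9100"))
}
```

The check does not model option order, so treat it as a conservative lint rather than a reimplementation of sshd's parser.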

Metrics

Prometheus metrics can be retrieved via /metrics.

Installation

If you have the Go toolchain installed, a simple

$ go get github.com/digineo/http-over-ssh

will place a http-over-ssh binary in $GOPATH/bin/.

Alternatively, you may download a pre-built binary from the GitHub release page and extract the binary into your $PATH.

Next steps

  • clean up idle ssh connections
  • support for unix sockets

License

MIT Licence. Copyright 2018, Digineo GmbH