influxdb - URLS' URI is ignored when sending HTTP request

[caio2k]

Bug report

Relevant telegraf.conf:

[[outputs.influxdb]]
urls = ["https://localhost/influxdb"]

System info:

Telegraf v1.2.1 (git: release-1.2 3b6ffb3)
Centos 7

Steps to reproduce:

1. Configure urls as shown in the telegraf.conf

Expected behavior:

Telegraf would send http query requests to https://localhost/influxdb/query and http write requests to https://localhost/influxdb/write

Actual behavior:

Telegraf sends http query requests to https://localhost/query. Write requests should follow the same rule.

Additional info:

This issue can potentially be a Feature Request as the documentation does not mention URI handling.

[danielnelson]

We had an issue about this recently: #2568. Can you tell me a little about why you need this, are you using a reverse proxy in front of influxdb as well?

[caio2k]

Thanks for the reply. Yes, it is almost the same scenario (reverse proxy between telegraf and influxdb). Enforcing security access implies in using a reverse proxy in some environments. Several workarounds exist, but they all have drawbacks:

• Opening different ports increases the attack surface
• Using virtualhosts implies DNS configuration and can imply buying more SSL certificates

I don't understand why appending URI cannot be supported as you mentioned in #2568.

[danielnelson]

Is there a reason you cannot serve with the normal paths? If it is on the same box as influxdb you could bind influxdb only to the loopback interface and have your reverse proxy on the external interface.

[caio2k]

I'm trying to deploy telegraf within a 2 different SL (security levels) datacenter with several servers. As influxdb will be in SL2, data from machines in SL1 should pass through a reverse proxy and respect many firewall rules. This reverse proxy should be an isolated server.
In my PoC I have a special apache rule to route traffic from /query and /write to /influxdb/query and /influxdb/write. However I'm not supposed to create rules into /. Furthermore telegraf is the only service which needs this special rule, all other understand this architecture.
Again, I don't understand why this bug/feature cannot be implemented in teelgraf.

[danielnelson]

Sorry about all the questions, but the first step of adding a new feature is to justify the code change and increase in complexity.

The reason you are not supposed to use /write is due to namespacing on a proxy shared by several services?

[Zert]

Vote for this. Have the same issue with telegraf.
Do you really think that getting rid of Path overwriting increases a complexity?
This is the line which worth to be fixed: https://github.com/influxdata/telegraf/blob/master/plugins/outputs/influxdb/client/http.go#L267

[caio2k]

Sorry if it sounded a little harsh. I understand that "just adding one feature" is not as simple as it sounds.
Answering your question, I'm not supposed to use / namespace on the proxy as all services should be provided in a subdir.

[marcv81]

I'm having the same issue. I might fix it if I find time. @danielnelson, does your concern about increased code complexity still hold? I'm not interested in contributing if rejection is guaranteed ;)

The following NGINX hack might help for the times being. It relies on auth-enabled = true on the InfluxDB side.

# Telegraf hack
location / {
    if ($remote_user = telegraf) {
        proxy_pass http://127.0.0.1:8086;
    }
}

location /influxdb/ {
    rewrite ^/influxdb/(.*) /$1 break;
    proxy_pass http://127.0.0.1:8086;
}

[danielnelson]

@marcv81 We can add this, there is the PR referenced above but it has a bug.

[danielnelson]

Will be in 1.5, thanks @dimrozakis