How to close the /metrics path to the internet?

1. Caddy version (caddy version):

2.3.0

2. How I run Caddy:

in docker swarm

a. System environment:

docker

b. Command:

c. Service/unit/compose file:

services:
  caddy:
    deploy:
      resources:
        limits:
          cpus: "1"
          memory: "1G"
    image: caddy:2.3.0-alpine
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./front/caddy/data:/data
      - ./front/caddy/Caddyfile:/etc/caddy/Caddyfile
      - ./front/caddy/config.d:/etc/caddy/config.d

d. My complete Caddyfile or JSON config:

domain.com {
        log {
                level WARN
        }

        reverse_proxy * api:3000
}

3. The problem I’m having:

I have a simple reverse proxy configuration for the API, and there is also an api:3000/metrics path that exposes Prometheus metrics. So I want to open this path only for the Docker overlay network (10.0.1.0/24).

4. What I already tried:

After some googling I’ve tried to describe an @internal matcher section, but the /metrics path is still available from the internet.

domain.com {
        log {
                level WARN
        }

        @internal {
                remote_ip 10.0.1.0/24
                path /metrics/*
        }

        reverse_proxy @internal api:3000

        reverse_proxy * api:3000
}

You’ll probably want to respond with an error if it’s not from that IP. So do something like this, with a not matcher:

domain.com {
	@internal {
		path /metrics/*
		not remote_ip 10.0.1.0/24
	}
	respond @internal "Access Denied" 403

	reverse_proxy api:3000
}

Thanks for your answer. Just a small point - the internal path should be without a mask:

@internal {
   path /metrics
   not remote_ip 10.0.1.0/24
}

Okay - that would still let through paths like /metrics/foo, in case that matters.
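To make the matcher semantics concrete, here is an added Python model (not Caddy's own code and not from this thread) of the matcher the replies converge on: `path /metrics /metrics/*` combined with `not remote_ip 10.0.1.0/24`. It simplifies Caddy's path matcher to exact match plus trailing-`*` prefix match, and the sample requests are constructed.

```python
import ipaddress

# Constructed model of the Caddyfile matcher discussed in this thread:
#   @internal { path /metrics /metrics/* ; not remote_ip 10.0.1.0/24 }
#   respond @internal "Access Denied" 403
# Only metrics requests from outside the overlay network are denied;
# everything else falls through to reverse_proxy.
OVERLAY_NET = ipaddress.ip_network("10.0.1.0/24")
METRICS_PATHS = ("/metrics", "/metrics/*")


def path_matches(pattern: str, request_path: str) -> bool:
    """Simplified Caddy path matching: trailing '*' is a prefix match, otherwise exact."""
    if pattern.endswith("*"):
        return request_path.startswith(pattern[:-1])
    return request_path == pattern


def decide(request_path: str, remote_ip: str, patterns=METRICS_PATHS) -> str:
    """Return 'deny' (the 403 respond) or 'proxy' (reverse_proxy) for one request."""
    is_metrics = any(path_matches(p, request_path) for p in patterns)
    is_internal = ipaddress.ip_address(remote_ip) in OVERLAY_NET
    if is_metrics and not is_internal:
        return "deny"
    return "proxy"


if __name__ == "__main__":
    # Constructed sample requests: (path, client IP); 203.0.113.0/24 is documentation space
    for req in [("/metrics", "10.0.1.7"), ("/metrics", "203.0.113.5"),
                ("/metrics/foo", "203.0.113.5"), ("/api/users", "203.0.113.5")]:
        print(req, "->", decide(*req))
    # Each pattern alone leaves a gap, which is why both are listed.
    print("only /metrics/* :", decide("/metrics", "203.0.113.5", ("/metrics/*",)))
    print("only /metrics   :", decide("/metrics/foo", "203.0.113.5", ("/metrics",)))
```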
