[tor-bugs] #30023 [Internal Services/Tor Sysadmin Team]: improve grafana authentication
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Apr 18 21:30:35 UTC 2019
#30023: improve grafana authentication
-------------------------------------------------+---------------------
Reporter: anarcat | Owner: tpa
Type: task | Status: new
Priority: Medium | Milestone:
Component: Internal Services/Tor Sysadmin Team | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+---------------------
Comment (by cohosh):
I don't know enough about LDAP to comment on that solution, but it seems
plausible. My understanding is that we will eventually have alerts? That
might make LDAP going offline less of an issue IIUC.
>
> The way this would work is we would give you an onion name and an auth
> cookie. You put those in
> [https://www.torproject.org/docs/tor-manual#HidServAuth HidServAuth] in
> torrc as
> {{{
> HidServAuth xxxxxxxxxxxxxxxx.onion authcookieauthcookie
> }}}
> Then, instead of configuring prometheus to fetch from
> !http://snowflake.bamsoftware.com:9100/, you configure it to fetch from
> !http://xxxxxxxxxxxxxxxx.onion:9100/ with a `proxy_url` of
> !socks5://127.0.0.1:9050/.
>
> On the server side, we would add
> [https://www.torproject.org/docs/tor-manual#HiddenServiceAuthorizeClient HiddenServiceAuthorizeClient]
> to torrc:
> {{{
> HiddenServiceDir /var/lib/tor/prometheus_node_exporter
> HiddenServicePort 9100 127.0.0.1:9100
> HiddenServiceAuthorizeClient basic prometheus
> }}}
> and then get the auth cookie from
> /var/lib/tor/prometheus_node_exporter/hostname.
To pull from the conversation in #29863, how difficult would it be to go
the Onion Service route?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30023#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
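
The hand-off between the server-side and client-side steps quoted above, as an added example that is not part of the original message or of any Tor tooling. It assumes the `hostname` file holds one `<onion> <auth-cookie> # client: <name>` entry per authorized client; the job name `node_onion` and the sample values are constructed.

```python
import re

# Assumed layout of a hostname file line when HiddenServiceAuthorizeClient
# is set: "<onion> <auth-cookie> # client: <name>". The cookie is a secret.
LINE_RE = re.compile(
    r"^(?P<onion>[a-z2-7]{16}\.onion)\s+(?P<cookie>[A-Za-z0-9+/]{22})"
    r"\s+#\s*client:\s*(?P<client>\S+)\s*$"
)


def parse_hostname_file(text):
    """Return {client_name: (onion, cookie)}; reject malformed lines."""
    clients = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if m is None:
            raise ValueError(f"line {lineno}: not an authorized-client entry")
        clients[m["client"]] = (m["onion"], m["cookie"])
    return clients


def client_torrc(onion, cookie):
    """HidServAuth line for the torrc on the Prometheus host."""
    return f"HidServAuth {onion} {cookie}"


def scrape_job(onion, port=9100, socks="socks5://127.0.0.1:9050/"):
    """Prometheus scrape job that reaches the exporter through the local Tor."""
    return "\n".join([
        "- job_name: node_onion  # hypothetical job name",
        "  scheme: http",
        f"  proxy_url: {socks}",
        "  static_configs:",
        f"    - targets: ['{onion}:{port}']",
    ])


# Constructed sample, not a real service or cookie.
SAMPLE = "abcdefghij234567.onion AAAAAAAAAAAAAAAAAAAAAA # client: prometheus\n"

if __name__ == "__main__":
    onion, cookie = parse_hostname_file(SAMPLE)["prometheus"]
    print(client_torrc(onion, cookie))
    print(scrape_job(onion))
```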