apt update
apt install prometheus-node-exporter tor
systemctl stop tor #stop the tor service
mkdir -p /var/lib/tor/onion/prometheus/authorized_clients #create the client auth keys folder to store our second layer of authentication
chmod 400 -R /var/lib/tor/prometheus #set restrictive file permissions
vi /etc/tor/torrc #edit the torrc file to add content
cat /etc/tor/torrc
AutomapHostsSuffixes .onion,.exit
DataDirectory /var/lib/tor
SOCKSPort 127.0.0.1:9050 IsolateDestAddr
HiddenServiceDir /var/lib/tor/onion/prometheus
HiddenServicePort 9100 127.0.0.1:9100
tor-client-auth-gen
private_key=descriptor:x25519:DBQW3GP5FCN2KQBDKTDKDAQUQWBEGBZ5TFYJE4KTJFBUOJPKYZBQ #paste this key to your local machine as your prometheus node will need it
echo "descriptor:x25519:6HDNHLLKIFNU5Q6T75B6Q3GBYDO5ZF4SQUX7EYDEKWNLPQUWUBTA" > /var/lib/tor/onion/prometheus/0.auth
chown debian-tor:debian-tor -R /var/lib/tor # make tor owner of this folder
systemctl start tor #restart tor
systemctl status tor #check that everything works
cat /var/lib/tor/onion/prometheus/hostname
[clientaddr].onion
What's that tor-client-auth-gen you ask? In order to protect this critical service from attacks that could be done against the grafana servers or from stolen credentials we need more than just security by obscurity
(relying on the attacker not knowing our hidden service address).
sudo systemctl stop tor #stop the tor service
mkdir -p /var/lib/tor/auth_keys #create the client auth keys folder to store our second layer of authentication
mkdir -p /var/lib/tor/onion/grafana #create the client auth keys folder to store our second layer of authentication
chmod 400 -R /var/lib/tor/auth_keys #set restrictive file permissions
#line below will allow your aggregator to connect to your monitored server. Without it no requests can even reach it
echo "[prometheusclientaddr].onion:descriptor:x25519:DBQW3GP5FCN2KQBDKTDKDAQUQWBEGBZ5TFYJE4KTJFBUOJPKYZBQ" > /var/lib/tor/auth_keys/prometheus_server.auth_private
chmod 400 -R /var/lib/tor/onion #set restrictive file permissions
vi /etc/tor/torrc #edit the torrc file to add content
cat /etc/tor/torrc
AutomapHostsSuffixes .onion,.exit
DataDirectory /var/lib/tor
SOCKSPort 127.0.0.1:9050 IsolateDestAddr
HiddenServiceDir /var/lib/tor/onion/grafana
HiddenServicePort 80 127.0.0.1:3000
ClientOnionAuthDir /var/lib/tor/auth_keys
tor-client-auth-gen
private_key=descriptor:x25519:YCPURSYN4FL4QKQSXFTGLYNBHOVVRCQYRZLFHMZFCUFU5R6DCRMQ
public_key=descriptor:x25519:UUQW4LIO447WRQOSRSNDXEW5NZMSR3CYOP65ZIFWH6G2PUKWV5WQ
echo "YCPURSYN4FL4QKQSXFTGLYNBHOVVRCQYRZLFHMZFCUFU5R6DCRMQ" > ~/mygrafana_auth_key
echo "descriptor:x25519:UUQW4LIO447WRQOSRSNDXEW5NZMSR3CYOP65ZIFWH6G2PUKWV5WQ" > /var/lib/tor/onion/grafana/0.auth
chown debian-tor:debian-tor -R /var/lib/tor # make tor owner of this folder
systemctl start tor #restart tor
systemctl status tor #check that everything works
And that's all you'll need! one hidden service for grafana.
vi /etc/prometheus/prometheus.yml
cat /etc/prometheus/prometheus.yml
alerting:
alertmanagers: []
global:
scrape_interval: 10s
remote_read: []
remote_write: []
scrape_configs:
- job_name: remote-nodes
proxy_url: socks5h://localhost:9050
static_configs:
- labels: {}
targets:
- [clientaddr].onion:9100
- job_name: local-node
static_configs:
- labels: {}
targets:
- localhost:9100
docker run -d -p 127.0.0.1:3000:3000 --name=grafana grafana/grafana