1. 引言
Node Exporter安装总体来说和Prometheus安装差不多,但是在公网环境,Node Exporter设置HTTP Auth Basic、证书、防火墙,我觉得还是十分有必要的,本文主要侧重这一点如何配置
另外,有一点需要注意,如果你使用Docker安装Node Exporter,并且使用的是Debian系的UFW防火墙,请注意Docker端口不受UFW防火墙限制的问题,具体请阅读《Docker端口不受UFW防火墙限制》
2. HTTP Auth Basic、证书、防火墙等准备
2.1 规划Node Exporter目录
# conf/ will hold the web config, the htpasswd file and the certs; bin/ (created next) holds the binary
mkdir -p /opt/prometheus/node_exporter/conf
mkdir -p /opt/prometheus/node_exporter/bin
2.2 使用htpasswd生成auth_basic的密码文件
# -B指定使用bcrypt加密算法 -C指定bcrypt加密的计算强度 -c指定创建密码文件
htpasswd -B -C 12 -c /opt/prometheus/node_exporter/conf/node_exporter_htpasswd node_exporter
2.3 准备自签证书
自签证书申请过程请阅读《OpenSSL 自签证书链申请》
申请自签证书时需注意Subject Alternative Name,我只使用了IP,如果你需要使用域名,也可以在Subject Alternative Name加上你自己的域名
# fullchain.crt是证书链,包含了中间证书,server.crt是服务器证书,server.key是服务器证书私钥
root@halocloudsg:/opt/prometheus/node_exporter/conf/certs# ls
fullchain.crt server.crt server.key
root@halocloudsg:/opt/prometheus/node_exporter/conf/certs# openssl x509 -in fullchain.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
2d:b5:cf:24:61:96:03:fd:91:c6:78:f6:94:ab:78:6b:34:46:2e:78
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = CN, ST = Internet, L = World, O = Lesslog-Intermediate, CN = Lesslog-Intermediate-CA
Validity
Not Before: Dec 20 22:21:58 2025 GMT
Not After : Dec 18 22:21:58 2035 GMT
Subject: C = CN, ST = Internet, L = World, O = LessLog, OU = Prometheus, CN = 45.129.228.178
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:ad:0d:1f:50:2c:73:88:3c:41:7a:2e:a6:4b:39:
d9:d3:d6:3a:44:a1:50:72:38:70:2a:7f:f3:a4:1f:
a3:74:74:d9:c3:6f:e5:3e:9e:50:db:9a:a2:bc:e5:
36:08:b6:a6:e4:60:f0:c7:c8:e2:19:ac:07:75:8c:
4e:c5:f3:7f:29
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name:
IP Address:45.129.228.178, IP Address:127.0.0.1
X509v3 Subject Key Identifier:
56:52:FF:92:48:B5:08:13:77:95:70:A0:4B:F5:6E:C5:D9:6D:FB:DD
X509v3 Authority Key Identifier:
70:D0:BA:65:40:A1:D4:8E:86:E5:F0:1C:31:CA:41:F2:F9:68:5F:3E
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
30:46:02:21:00:e4:49:51:38:6f:6f:94:ea:06:77:61:be:cd:
c5:b2:77:16:f2:88:bc:e8:bb:af:5a:b3:53:97:0f:96:55:a2:
05:02:21:00:e7:00:58:12:7f:c4:78:10:b5:95:27:de:0d:87:
0b:45:05:e4:d6:a2:65:c5:53:db:ab:30:8e:07:c9:e5:67:ac
# ca.crt为根证书,在prometheus.yml中抓取node exporter指标时需用上
root@halocloudsg:/opt/prometheus/ca# ls
ca.crt
root@halocloudsg:/opt/prometheus/ca# openssl x509 -in ca.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
01:bd:c2:cf:cd:61:af:56:a4:e6:f4:d5:38:f3:97:07:6e:57:7f:08
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = CN, ST = Internet, L = World, O = Lesslog-CA, CN = Lesslog-Root-CA
Validity
Not Before: Dec 20 21:48:15 2025 GMT
Not After : Dec 13 21:48:15 2055 GMT
Subject: C = CN, ST = Internet, L = World, O = Lesslog-CA, CN = Lesslog-Root-CA
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:1b:3e:d2:45:5d:fe:1f:78:8c:99:42:d0:4a:41:
dc:dd:07:db:1c:31:0e:c7:84:df:e7:28:73:25:a6:
8a:70:8c:80:94:a8:a4:a0:6b:da:19:37:87:75:eb:
50:03:3c:ba:03:7f:64:8a:08:7b:45:9a:e4:57:1a:
3a:b1:7b:51:4d
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:1
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
98:34:FD:E1:04:71:6B:81:F1:39:61:F6:17:62:1C:55:2A:A2:4F:BE
X509v3 Authority Key Identifier:
98:34:FD:E1:04:71:6B:81:F1:39:61:F6:17:62:1C:55:2A:A2:4F:BE
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
30:45:02:20:2d:20:b5:53:c4:e1:0a:85:3c:ee:d2:f2:0a:49:
f5:5a:b0:51:23:9c:93:bf:b6:a7:60:31:cd:92:b5:e3:b8:94:
02:21:00:bd:d0:0f:2c:eb:bb:94:e5:06:23:02:85:3e:cc:e3:
48:81:5e:9f:8d:cc:cb:14:e3:1f:38:1d:26:43:a7:e2:8e
2.4 设置防火墙策略
因为Prometheus和Node Exporter不在同一台主机,且不是内网,要想远端Prometheus抓取Node Exporter的指标,Node Exporter必须监听为0.0.0.0,监听0.0.0.0就意味着暴露在公网,所以防火墙策略一定要最小粒度,本人习惯使用Debian发行版,故防火墙使用ufw,当然你可以使用iptables或nftables,其本质都是一样的。
2.4.1 安装防火墙
apt update && apt install ufw
2.4.2 端口放行
# ⚠️⚠️一定先放行自己ssh端口,本人习惯使用51247作为ssh端口
ufw allow 51247/tcp
# 45.129.228.178 是远端Prometheus服务的IP,放行该IP允许访问9100的tcp
ufw allow from 45.129.228.178 to any port 9100 proto tcp
2.4.3 开启防火墙
# 开启防火墙
ufw enable
2.4.4 查看检查防火墙规则
root@halocloudsg:~# ufw status
Status: active
To Action From
-- ------ ----
51247/tcp ALLOW Anywhere
9100/tcp ALLOW 45.129.228.178
root@halocloudsg:~#
2.5 创建Prometheus系统账号,如已创建,请忽略
# 创建group组,-g指定gid,可不指定,看个人习惯
groupadd -g 1111 prometheus
# 创建prometheus用户, -g指定所属group组,-u指定uid,-s指定user使用的shell,-d指定user的home目录
useradd -g 1111 -u 1111 -s /usr/sbin/nologin -d /opt/prometheus/prometheus-service prometheus
3 安装 Node Exporter
3.1 下载Node Exporter
下载地址:https://github.com/prometheus/node_exporter/releases
cd /opt/prometheus/node_exporter
# 版本和架构自行选择; 下载后建议先用同一 release 页面提供的 sha256sums.txt 校验压缩包(sha256sum -c), 再解压
wget https://github.com/prometheus/node_exporter/releases/download/v1.10.2/node_exporter-1.10.2.linux-amd64.tar.gz
# 解压tar包
tar -zxvf node_exporter-1.10.2.linux-amd64.tar.gz --strip-components=1
# 规划至指定目录
mv ./node_exporter ./bin
# 删除无用文件
rm LICENSE NOTICE node_exporter-1.10.2.linux-amd64.tar.gz
3.2 创建node_exporter_web_conf.yml文件
vim /opt/prometheus/node_exporter/conf/node_exporter_web_conf.yml
tls_server_config:
cert_file: /opt/prometheus/node_exporter/conf/certs/fullchain.crt # 服务器证书链
key_file: /opt/prometheus/node_exporter/conf/certs/server.key # 服务器证书私钥
min_version: TLS13 # 只使用TLS13
max_version: TLS13
# 开启 http2
http_server_config:
http2: on
# 开启 http auth basic 认证
# node_exporter: $2y$12$IDapf9JbUXthMaOm.S.hT.8w8xopx9xqu.aox5SoxYQo29PaOZKN2 是前面node_exporter_htpasswd文件中的内容,注意不要直接复制,yaml中需要node_exporter: 后面是有个空格的
basic_auth_users:
node_exporter: $2y$12$IDapf9JbUXthMaOm.S.hT.8w8xopx9xqu.aox5SoxYQo29PaOZKN2
3.3 使用systemd管理,创建service文件
cat > /etc/systemd/system/node_exporter.service <<'EOF'
[Unit]
Description=Prometheus Node Exporter
After=network.target
[Service]
Type=simple
ExecStart=/opt/prometheus/node_exporter/bin/node_exporter \
--collector.zoneinfo \
# 设置 node exporter 指标路径
--web.telemetry-path="/prometheus/node/exporter/metrics" \
--web.config.file="/opt/prometheus/node_exporter/conf/node_exporter_web_conf.yml" \
--web.listen-address=0.0.0.0:9100
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
User=prometheus
Group=prometheus
[Install]
WantedBy=multi-user.target
EOF
3.4 修改node_exporter目录所属用户和组
chown -R prometheus:prometheus /opt/prometheus/node_exporter
# 注意: 这样 prometheus 用户对二进制、配置和私钥都有写权限; 更收紧的做法是目录和二进制保持 root 所有, 只把 certs/server.key 设为 prometheus 组可读(640)
3.5 启动验证Node Exporter
# pick up the unit file written above, enable it at boot and start it right away
systemctl daemon-reload
systemctl enable --now node_exporter.service
# confirm the service is up before probing the endpoint with curl below
systemctl status node_exporter.service
# --cacert指定ca文件 -u指定用户和密码 (注意: 把明文密码写在命令行会留在 shell 历史和 ps 输出中, 可只写 -u node_exporter 让 curl 交互式提示输入密码)
curl --cacert /opt/prometheus/ca/ca.crt -u node_exporter:RiAFcyNcLqMk1rrbKh9T https://45.129.228.178:9100/prometheus/node/exporter/metrics
4. 远端Prometheus配置采集Node Exporter指标
修改prometheus.yml配置文件后,热加载配置或重启prometheus服务
global:
scrape_interval: 15s
evaluation_interval: 15s
scrape_configs:
- job_name: "prometheus"
metrics_path: '/prometheus/metrics'
static_configs:
- targets: ["localhost:9090"]
labels:
app: "prometheus"
- job_name: "node_exporter"
# 指定采集指标路径
metrics_path: "/prometheus/node/exporter/metrics"
# 使用https协议
scheme: "https"
tls_config:
# 自签证书ca路径,注意:prometheus 用户要有ca.crt的读权限
ca_file: "/opt/prometheus/ca/ca.crt"
# 是否跳过 TLS 证书校验,false 表示严格校验证书,防止中间人攻击
insecure_skip_verify: false
# http auth basic 的用户和密码 (也可以用 password_file 指向一个只有 prometheus 用户可读的文件, 避免明文密码直接写在 prometheus.yml 里)
basic_auth:
username: "node_exporter"
password: "RiAFcyNcLqMk1rrbKh9T"
static_configs:
- targets:
- 45.129.228.178:9100