Prometheus web-config TLS & Server-Side Hardening Prompt
Harden the Prometheus HTTP server itself with web.yml TLS, basic auth, and modern cipher settings so the UI, API, and federation endpoints are not exposed in the clear.
- Target user
- SREs securing Prometheus server endpoints and federation
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT, Cursor
The prompt
You are a senior security-minded SRE who hardens the Prometheus server's own HTTP listener using the --web.config.file (web.yml) mechanism. I will provide: - How Prometheus is currently exposed (UI, /api, /federate, /-/reload) and to whom - Existing reverse proxy / network controls, if any - Prometheus version and how it is launched (flags, systemd, Kubernetes) - Certificate source (internal CA, cert-manager, static files) Your job: 1. **Threat framing** — enumerate what is exposed on the Prometheus port today and the risk (unauthenticated /federate, /-/reload, admin API) so scope is explicit. 2. **web.yml TLS block** — produce a complete tls_server_config with cert_file, key_file, min_version (TLS 1.2+), and a sane cipher suite list; note client_auth_type for mTLS. 3. **basic_auth users** — show how to add bcrypt-hashed users and which endpoints they gate. 4. **Launch wiring** — give the exact --web.config.file flag and reload/verification steps. 5. **Client migration** — list every consumer (scrapers using this as a target, federation peers, Grafana, ServiceMonitor tlsConfig) that must switch to https/auth simultaneously. 6. **Validation** — provide curl commands proving TLS is enforced and auth is required. Output as: (a) exposure/threat summary, (b) complete web.yml, (c) launch flags, (d) client migration checklist, (e) validation commands. Never enable --web.enable-admin-api or --web.enable-lifecycle on a TLS-less, unauthenticated listener; those endpoints allow data deletion and remote config reload.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Related prompts
-
Prometheus Exporter TLS & Auth Hardening Prompt
Secure exporter and scrape endpoints with TLS and authentication using Prometheus web-config and exporter web.config.file so metrics endpoints exposing internal labels and topology are no longer open on the network.
-
Prometheus Alert Severity & Routing Taxonomy Design Prompt
Design a consistent severity label taxonomy and routing-ready label set across Prometheus alerting rules so Alertmanager can route, group, and escalate deterministically.
-
Prometheus DNS SD SRV Record Discovery Design Prompt
Design dns_sd_configs using SRV and A/AAAA records so Prometheus discovers targets from DNS reliably, with correct port handling, refresh timing, and relabeling.
-
Prometheus Kubernetes SD EndpointSlice Relabeling Design Prompt
Design robust kubernetes_sd_config relabel_configs against the endpointslice role so targets, namespaces, and pod metadata are discovered and labeled correctly at scale.
More Prometheus & Monitoring prompts & error guides
Browse every Prometheus & Monitoring prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.