Sebastian Krüger
3c7aad09ad
Added HTTP Basic Authentication to secure the Netdata monitoring dashboard: - Added basicauth middleware using shared AUTH_USERS credentials - Protects sensitive infrastructure metrics from unauthorized access - Uses same credentials as Scrapy and other protected services - Maintains SSL/TLS encryption via Traefik Security improvements: - Dashboard now requires username/password - Prevents public access to server metrics - Infrastructure monitoring data protected - Follows security best practices from Netdata documentation Access requires credentials stored in AUTH_USERS environment variable. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
62 lines
2.7 KiB
YAML
62 lines
2.7 KiB
YAML
services:
|
|
netdata:
|
|
image: ${NETDATA_IMAGE:-netdata/netdata:latest}
|
|
container_name: ${NETDATA_COMPOSE_PROJECT_NAME}_app
|
|
restart: unless-stopped
|
|
hostname: ${NETDATA_HOSTNAME:-netdata.pivoine.art}
|
|
cap_add:
|
|
- SYS_PTRACE
|
|
- SYS_ADMIN
|
|
security_opt:
|
|
- apparmor:unconfined
|
|
volumes:
|
|
- netdata_config:/etc/netdata
|
|
- netdata_lib:/var/lib/netdata
|
|
- netdata_cache:/var/cache/netdata
|
|
- /etc/passwd:/host/etc/passwd:ro
|
|
- /etc/group:/host/etc/group:ro
|
|
- /etc/localtime:/etc/localtime:ro
|
|
- /proc:/host/proc:ro
|
|
- /sys:/host/sys:ro
|
|
- /etc/os-release:/host/etc/os-release:ro
|
|
- /var/log:/host/var/log:ro
|
|
- /var/run/docker.sock:/var/run/docker.sock:ro
|
|
environment:
|
|
- NETDATA_CLAIM_TOKEN=${NETDATA_CLAIM_TOKEN:-}
|
|
- NETDATA_CLAIM_URL=${NETDATA_CLAIM_URL:-}
|
|
- NETDATA_CLAIM_ROOMS=${NETDATA_CLAIM_ROOMS:-}
|
|
networks:
|
|
- compose_network
|
|
labels:
|
|
- 'traefik.enable=${NETDATA_TRAEFIK_ENABLED}'
|
|
# HTTP to HTTPS redirect
|
|
- 'traefik.http.middlewares.${NETDATA_COMPOSE_PROJECT_NAME}-redirect-web-secure.redirectscheme.scheme=https'
|
|
- 'traefik.http.routers.${NETDATA_COMPOSE_PROJECT_NAME}-web.middlewares=${NETDATA_COMPOSE_PROJECT_NAME}-redirect-web-secure'
|
|
- 'traefik.http.routers.${NETDATA_COMPOSE_PROJECT_NAME}-web.rule=Host(`${NETDATA_TRAEFIK_HOST}`)'
|
|
- 'traefik.http.routers.${NETDATA_COMPOSE_PROJECT_NAME}-web.entrypoints=web'
|
|
# HTTPS router
|
|
- 'traefik.http.routers.${NETDATA_COMPOSE_PROJECT_NAME}-web-secure.rule=Host(`${NETDATA_TRAEFIK_HOST}`)'
|
|
- 'traefik.http.routers.${NETDATA_COMPOSE_PROJECT_NAME}-web-secure.tls.certresolver=resolver'
|
|
- 'traefik.http.routers.${NETDATA_COMPOSE_PROJECT_NAME}-web-secure.entrypoints=web-secure'
|
|
- 'traefik.http.middlewares.${NETDATA_COMPOSE_PROJECT_NAME}-compress.compress=true'
|
|
- 'traefik.http.middlewares.${NETDATA_COMPOSE_PROJECT_NAME}-auth.basicauth.users=${AUTH_USERS}'
|
|
- 'traefik.http.routers.${NETDATA_COMPOSE_PROJECT_NAME}-web-secure.middlewares=${NETDATA_COMPOSE_PROJECT_NAME}-auth,${NETDATA_COMPOSE_PROJECT_NAME}-compress,security-headers@file'
|
|
# Service
|
|
- 'traefik.http.services.${NETDATA_COMPOSE_PROJECT_NAME}.loadbalancer.server.port=19999'
|
|
- 'traefik.docker.network=${NETWORK_NAME}'
|
|
# Watchtower
|
|
- 'com.centurylinklabs.watchtower.enable=${WATCHTOWER_LABEL_ENABLE}'
|
|
|
|
volumes:
|
|
netdata_config:
|
|
name: ${NETDATA_COMPOSE_PROJECT_NAME}_config
|
|
netdata_lib:
|
|
name: ${NETDATA_COMPOSE_PROJECT_NAME}_lib
|
|
netdata_cache:
|
|
name: ${NETDATA_COMPOSE_PROJECT_NAME}_cache
|
|
|
|
networks:
|
|
compose_network:
|
|
name: ${NETWORK_NAME}
|
|
external: true
|