Prometheus exporter listen_addr
Last active 15 days ago
9 replies
3 views
- CÉ
Hello!
I discovered CrowdSec yesterday, and it works well!
I have just a small question: I'm trying to make the exporter work, and so far my config is like this:

    prometheus:
      enabled: true
      level: full
      listen_addr: 0.0.0.0
      listen_port: 6060
Since my network is dual stack, if i add my exporter with this config on my prometheus config
    - job_name: 'crowdsec_blog'
      static_configs:
        - targets: ['blog.X.net:6060']
          labels:
            machine: 'blog'
I get this error on the Prometheus side:

    Get "http://blog.X.net:6060/metrics": dial tcp [2a0f:X:40:X:cafe::X]:6060: connect: connection refused

But if I force v4 (['185.X.X.X:6060']), it works well.
I tried adding [::] to the listen_addr in the CrowdSec config; the service restarts correctly, but the connection is refused with the same error as above. Is it possible to make the exporter work in v6?
Also, I added 0.0.0.0 for testing purposes; now I want to allow only my range (185.X.X.X/24 and, if v6 works, my prefix). If I configure

    listen_addr: 185.0.0.0/24

the service also restarts without error, but my Prometheus reports:

    Get "http://185.X.X.X:6060/metrics": dial tcp 185.X.X.X:6060: connect: connection refused

Can you guide me?
Thanks in advance!
- II
Hmm, interesting about the IPv6. So if you run with 0.0.0.0, it doesn't show up as a used port if you run ss -lntp? It seems we have only logged it as a warning (https://github.com/crowdsecurity/crowdsec/blob/6fb962a94180abca0e9d82fc8fe533786f8e3695/cmd/crowdsec/metrics.go#L195) if the Prometheus service fails to start, so there would be no glaring error.
- II
> Also, I added 0.0.0.0 for testing purposes; now I want to allow only my range (185.X.X.X/24 and, if v6 works, my prefix). If I configure listen_addr: 185.0.0.0/24, the service also restarts without error, but my Prometheus reports: Get "http://185.X.X.X:6060/metrics": dial tcp 185.X.X.X:6060: connect: connection refused

So you would need to firewall the port using iptables or nftables, as Go's ListenAndServe takes an IP address to serve on. It's not a configurable option to say "allow these IPs".
- II
However, I'm going to spin up a test environment, because looking deeper, ListenAndServe calls the underlying Go func with "tcp". Then within the same function it tests if the address is 0.0.0.0; if so, it only binds to IPv4, not IPv6. So I'm going to test it. If this is the case, we should allow an empty string, as that in Go terms is "bind to all interfaces" (IPv4, IPv6).
- II
Okay, so first tests:

    listen_addr: 0.0.0.0   # -> binds only to ipv4
    listen_addr: [::]      # -> crashes crowdsec, yaml invalid
    listen_addr: "[::]"    # -> binds to *:6060
    # Bottom one seems to work on ipv4 and ipv6
Bottom listen_addr tests:

    root@ubuntu-s-1vcpu-1gb-intel-lon1-01:~# ip addr
    1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: eth0: mtu 1500 qdisc fq_codel state UP group default qlen 1000
        link/ether 2e:ae:55:66:59:a6 brd ff:ff:ff:ff:ff:ff
        inet 167.99.82.146/20 brd 167.99.95.255 scope global eth0
           valid_lft forever preferred_lft forever
        inet 10.16.0.7/16 brd 10.16.255.255 scope global eth0
           valid_lft forever preferred_lft forever
        inet6 2a03:b0c0:1:d0::ec0:2001/64 scope global
           valid_lft forever preferred_lft forever
        inet6 fe80::2cae:55ff:fe66:59a6/64 scope link
           valid_lft forever preferred_lft forever
    3: eth1: mtu 1500 qdisc fq_codel state UP group default qlen 1000
        link/ether 2a:fe:91:b2:5d:fd brd ff:ff:ff:ff:ff:ff
        inet 10.106.0.4/20 brd 10.106.15.255 scope global eth1
           valid_lft forever preferred_lft forever
        inet6 fe80::28fe:91ff:feb2:5dfd/64 scope link
           valid_lft forever preferred_lft forever
    root@ubuntu-s-1vcpu-1gb-intel-lon1-01:~# curl http://167.99.82.146:6060/metrics > /dev/null
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100 17697    0 17697    0     0   822k      0 --:--:-- --:--:-- --:--:--  822k
    root@ubuntu-s-1vcpu-1gb-intel-lon1-01:~# curl -g "http://[2a03:b0c0:1:d0::ec0:2001]:6060/metrics" > /dev/null
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100 17696    0 17696    0     0   557k      0 --:--:-- --:--:-- --:--:--  576k
    root@ubuntu-s-1vcpu-1gb-intel-lon1-01:~#
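The two problems in this thread (a CIDR in listen_addr that net.Listen cannot bind, and a bind failure that is only logged as a warning) can be made visible with a small Go program, Go being the language CrowdSec is written in. This is an added example, not CrowdSec's own code: listenTarget applies the rules that follow from the discussion (only an IP literal, "[::]" with its YAML brackets, or an empty string are bind addresses; a range such as 185.0.0.0/24 is rejected up front with a pointer to the firewall), and bindAndReport returns the address the kernel actually bound, which is what ss -lntp would show, instead of swallowing the error. The function names and the validation rules are assumptions, and the port probe in main binds and immediately closes each listener.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// listenTarget turns the listen_addr / listen_port pair from the prometheus
// section into the "host:port" string that net.Listen (and so
// http.ListenAndServe) expects. It rejects values that are not a bind
// address before any socket is opened. Assumed rules, not CrowdSec's own.
func listenTarget(listenAddr string, port int) (string, error) {
	if port < 1 || port > 65535 {
		return "", fmt.Errorf("listen_port %d is out of range", port)
	}
	host := strings.TrimSpace(listenAddr)
	// "[::]" needs the brackets to be valid YAML, but net.ParseIP wants the
	// bare literal; net.JoinHostPort puts the brackets back for IPv6.
	host = strings.TrimSuffix(strings.TrimPrefix(host, "["), "]")
	if host != "" {
		if strings.Contains(host, "/") {
			return "", fmt.Errorf("listen_addr %q is a CIDR range, not a bind address: "+
				"restrict scrapers with iptables/nftables instead", listenAddr)
		}
		if net.ParseIP(host) == nil {
			return "", fmt.Errorf("listen_addr %q is not an IP literal", listenAddr)
		}
	}
	// "" -> ":6060" (all interfaces), "::" -> "[::]:6060", "0.0.0.0" -> "0.0.0.0:6060"
	return net.JoinHostPort(host, fmt.Sprint(port)), nil
}

// bindAndReport opens the listener and returns the address the kernel
// actually bound, the same information ss -lntp shows, so a bad
// listen_addr fails loudly rather than being logged as a warning.
func bindAndReport(target string) (string, error) {
	ln, err := net.Listen("tcp", target)
	if err != nil {
		return "", err
	}
	defer ln.Close() // probe only; a real exporter would serve on ln
	return ln.Addr().String(), nil
}

func main() {
	// The four spellings discussed in the thread.
	for _, addr := range []string{"0.0.0.0", "[::]", "", "185.0.0.0/24"} {
		target, err := listenTarget(addr, 6060)
		if err != nil {
			fmt.Printf("listen_addr=%q rejected: %v\n", addr, err)
			continue
		}
		bound, err := bindAndReport(target)
		if err != nil {
			fmt.Printf("listen_addr=%q -> net.Listen(%q) failed: %v\n", addr, target, err)
			continue
		}
		fmt.Printf("listen_addr=%q -> net.Listen(%q) bound %s\n", addr, target, bound)
	}
}
```

Run it on the exporter host and compare the "bound" column with ss -lntp: the address Go reports is the one scrapers can reach, whatever the YAML says. Whether a wildcard bind accepts IPv6 depends on the kernel's IPv6 support, which is exactly what the curl checks above verify from the outside.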
- II
Apologies for sending lots of messages; let me know if you need any more information, but the TL;DR is: set

    listen_addr: "[::]"

to bind both IPv4 and IPv6. If you need to limit who can connect to the port, use iptables or nftables to drop if the IP is not whitelisted.
- CÉ
Thank you for all the explanation! I'll try the listen_addr: "[::]"!
- CÉ
And thank you for taking the time to test 🙂
- II
Great! Let me know if you need anything, happy to help.