How to Setup TLS and Authentication on Node exporter

In this quick guide, find out how to set up TLS (transport layer security) and authentication on node exporter. For other DevOps-related queries and information, visit our devops services.

Setting up TLS and Authentication on Node Exporter

To set up TLS and authorization for Node Exporter and Grafana, you will need to follow these general steps:

Generate TLS certificates
Configure Node Exporter to use TLS
Configure Node Exporter to require client authentication
Configure Grafana to use TLS
Configure Grafana to require client authentication
Create user accounts in Grafana
Assign roles and permissions to users

Here are more detailed instructions for each step:

1. Generate TLS certificates

You can generate a self-signed certificate or obtain a certificate from a trusted CA.
For creating a self-signed certificate, use OpenSSL. Here's an example command:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out cert.pem

This command generates a key pair and a self-signed certificate valid for 365 days.

2. Configure Node Exporter to use TLS

Node Exporter is typically run as a service, so you'll need to modify the service configuration file.
Edit the service file (/etc/systemd/system/node_exporter.service) to add the following flags:

--tls.cert-file=/path/to/cert.pem
--tls.key-file=/path/to/key.pem

Restart the Node Exporter service for the changes to take effect.

3. Configure Node Exporter to require client authentication

Add the following flag to the Node Exporter service file:

--tls.client-auth=verify

This flag tells Node Exporter to require clients to authenticate with a valid certificate.

4. Configure Grafana to use TLS

Edit the Grafana configuration file (/etc/grafana/grafana.ini) and set the following values:

[server]
protocol = https
cert_file = /path/to/cert.pem
cert_key = /path/to/key.pem

Now, you need to Restart the Grafana service for changes to implement.

5. Configure Grafana to require client authentication

Edit the Grafana configuration file and add the following values:

[auth.proxy]
enabled = true
header_name = X-WEBAUTH-USER
header_property = username

These values tell Grafana to use proxy authentication and look for the X-WEBAUTH-USER header to get the username.

6. Create user accounts in Grafana

Open Grafana in your web browser and log in as the default admin user (admin/admin).
Create user accounts for each user who will access Grafana.

7. Assign roles and permissions to users

In Grafana, go to the "Users" page and click on a user to edit their permissions.
Assign the user to one or more organizations and specify their role (e.g. Viewer, Editor, or Admin).
Grant the user access to one or more dashboards or data sources.

To configure SMTP credentials in the grafana.ini file, you will need to follow these steps:

Open the grafana.ini file in a text editor. The default location of the file is /etc/grafana/grafana.ini.
Locate the [smtp] section in the file. If it does not exist, you can add it to the bottom of the file.
Update the following fields with your SMTP server information:
- enabled: Set this to true to enable SMTP email notifications.
- host: Set this to the hostname or IP address of your SMTP server.
- port: Set this to the port number used by your SMTP server. 25 is the SMPT's default port.
- user: Set this to the username for your SMTP account.
- password: Set this to the password for your SMTP account.
- from_address: Set this to the email address that will be used as the sender for email notifications.
Save the grafana.ini file.
Restart the Grafana server for the changes to take effect.