Hi all,
I have a few OpenWrt routers at different places connected to the internet and I would like to monitor them at a central place. The monitoring solution I prefer right now is Prometheus in combination with the node exporter package (https://openwrt.org/packages/pkgdata/prometheus-node-exporter-lua). But I have not seen an easy way to use encrypted communication or some token-based authentication in the standard node exporter if I were to expose it to the internet (probably it is just not designed to do that).
Therefore I'd like your help to find some way of accessing the router securely with authentication and limited permissions. I am able to think of the following approaches:
- modifying node exporter
- ssh tunnel
- some https web server approach
- vpn
VPN would be my preferred way but sadly is not an option right now since I am on the WireGuard hype train and the machine I'd like to use for running Prometheus is Ubuntu 18.04 without a convenient way of installing kernel modules - "convenient" includes compiling from source (I have heard about a user-space implementation... does someone have experience with that?)
An SSH tunnel is implemented right now and works, but it is some hassle to set up a non-privileged user and keys. Overall I would prefer something else.
Which brings me to the point where I am stuck right now... The node exporter offers a Lua script (/usr/bin/prometheus-node-exporter-lua) which prints what Prometheus needs to scrape. So it should not be too hard to teach a second uhttpd process to listen on another port, execute that script, print back the output and secure that whole thing (SSL is available by default).
But I am stuck with that (of course testing-only) setup:
config uhttpd 'prometheu'
	list listen_https '0.0.0.0:65100'
	list listen_https '[::]:65100'
	option home '/usr/bin/prometheus-node-exporter-lua'
	option rfc1918_filter '1'
	option max_requests '3'
	option max_connections '100'
	option cert '/etc/uhttpd.crt'
	option key '/etc/uhttpd.key'
	option no_dirlists '1'
	option lua_handler '/usr/bin/lua'
	list lua_prefix '/metrics=/'
	option script_timeout '60'
	option network_timeout '30'
	option http_keepalive '20'
	option tcp_keepalive '1'
curl --insecure https://localhost:65100/
prints the source code of that file, and so does curl --insecure https://localhost:65100/metrics
even though restarting uhttpd gives me the following:
service uhttpd restart
Skipping invalid Lua prefix "/metrics=/"
I clearly have not comprehended how uhttpd or the Lua integration works... sorry for that!
Either way I would greatly appreciate any hints on forwarding requests to the locally running node exporter server or executing that script from uhttpd, as well as a completely different approach I may not be seeing right now. (Maybe nginx would be a solution, but if possible I'd stay "native OpenWrt" as long as possible.)
Kind regards and thanks a lot!
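One way to get what the post asks for without modifying the node exporter, as an added example that is not part of the original post or of the OpenWrt project: keep the exporter bound to loopback, and put a tiny CGI script behind a second uhttpd instance that only speaks HTTPS, only serves that one CGI from its own document root (so LuCI under /www is not exposed on the public port), and requires HTTP basic auth. The port 65100 and the cert/key paths are the ones from the post; everything else is an assumption to check on your build: the `listen_interface` option name of the exporter's UCI config, the document root `/www-metrics`, the auth file `/etc/httpd-metrics.conf` (uhttpd's Busybox-style `/path:user:hash` config file), the scrape user `prom`, and the hostname and Prometheus-side file paths in the scrape job.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenWrt: publish the node
# exporter through a second uhttpd instance over HTTPS with HTTP basic auth.
# Assumed: the exporter listens on 127.0.0.1:9100 (UCI option names taken from
# the package's /etc/config file; verify on your build), uclient-fetch is
# installed (default on OpenWrt), and the cert/key paths from the post exist.

NODE_EXPORTER_URL="${NODE_EXPORTER_URL:-http://127.0.0.1:9100/metrics}"
METRICS_ROOT="/www-metrics"          # own docroot: LuCI in /www stays off the public port
AUTH_FILE="/etc/httpd-metrics.conf"  # Busybox-httpd style "/path:user:hash" lines (assumed path)

# Turn a metrics body on stdin into a CGI response.  An empty body means the
# local exporter did not answer, so report 502 instead of an empty 200.
cgi_response() {
    body=$(cat)
    if [ -z "$body" ]; then
        printf 'Status: 502 Bad Gateway\r\nContent-Type: text/plain\r\n\r\n'
        printf 'node exporter unreachable\n'
        return 1
    fi
    printf 'Status: 200 OK\r\nContent-Type: text/plain; version=0.0.4\r\n'
    printf 'Cache-Control: no-store\r\n\r\n'
    printf '%s\n' "$body"
}

# CGI entry point: fetch from loopback and relay only the response body.
serve_metrics() {
    uclient-fetch -q -T 10 -O - "$NODE_EXPORTER_URL" 2>/dev/null | cgi_response
}

# One-time setup on the router.  $1 = scrape user, $2 = scrape password.
configure_router() {
    user="$1" pass="$2"
    # 1. Keep the exporter itself off every non-loopback interface.
    uci set prometheus-node-exporter-lua.main.listen_interface='loopback'
    uci commit prometheus-node-exporter-lua
    /etc/init.d/prometheus-node-exporter-lua restart

    # 2. Install this script as the only CGI in a dedicated document root.
    mkdir -p "$METRICS_ROOT/cgi-bin"
    cp "$0" "$METRICS_ROOT/cgi-bin/metrics"
    chmod 755 "$METRICS_ROOT/cgi-bin/metrics"

    # 3. Basic auth: "uhttpd -m" prints an MD5-crypt hash of the password, so
    #    the plaintext never lands on disk.
    printf '/cgi-bin/metrics:%s:%s\n' "$user" "$(uhttpd -m "$pass")" > "$AUTH_FILE"
    chmod 600 "$AUTH_FILE"

    # 4. A second uhttpd instance: HTTPS only, CGI only, no directory listings.
    uci set uhttpd.prometheus=uhttpd
    uci add_list uhttpd.prometheus.listen_https='0.0.0.0:65100'
    uci add_list uhttpd.prometheus.listen_https='[::]:65100'
    uci set uhttpd.prometheus.home="$METRICS_ROOT"
    uci set uhttpd.prometheus.cgi_prefix='/cgi-bin'
    uci set uhttpd.prometheus.cert='/etc/uhttpd.crt'
    uci set uhttpd.prometheus.key='/etc/uhttpd.key'
    uci set uhttpd.prometheus.config="$AUTH_FILE"
    uci set uhttpd.prometheus.no_dirlists='1'
    uci set uhttpd.prometheus.max_requests='3'
    uci set uhttpd.prometheus.script_timeout='60'
    uci commit uhttpd
    /etc/init.d/uhttpd restart
}

# Prometheus side: scheme, basic_auth and tls_config are standard scrape_config
# keys.  Pin the router's certificate (or your CA) instead of disabling verification;
# hostname and file paths below are constructed placeholders.
print_prometheus_job() {
    cat <<'EOF'
  - job_name: openwrt-routers
    scheme: https
    metrics_path: /cgi-bin/metrics
    basic_auth:
      username: prom
      password_file: /etc/prometheus/router.pass
    tls_config:
      ca_file: /etc/prometheus/router-ca.crt
    static_configs:
      - targets: ['router.example.net:65100']
EOF
}

# Under uhttpd the CGI environment is set and we serve; run by hand as
# "sh metrics.sh setup <user> <password>" we configure the router; otherwise
# the script only defines the functions above.
if [ -n "$GATEWAY_INTERFACE" ]; then
    serve_metrics
elif [ "$1" = "setup" ]; then
    configure_router "$2" "$3"
fi
```

After `sh metrics.sh setup prom '<password>'` on the router, `curl --cacert router-ca.crt -u prom https://router.example.net:65100/cgi-bin/metrics` should return the metrics text, while any other path on that port yields 404 and a request without credentials yields 401. The exporter's own port 9100 is no longer reachable from outside, so the only attack surface added to the internet is uhttpd's TLS listener plus one read-only CGI.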