continuwuation/continuwuity
9
17
Fork 10
Code Issues 78 Pull requests 9 Projects Releases 16 Packages 1 Activity Actions

Prometheus metrics exporting #811

New issue
Open
opened 2025-04-30 17:49:01 +00:00 by Jade · 6 comments
Jade commented 2025-04-30 17:49:01 +00:00
Owner
Copy link

note we can't leave /metrics on by default as many people expose all routes on their continuwuity deployment

note we can't leave /metrics on by default as many people expose all routes on their continuwuity deployment
❤️ 1
tcpipuk commented 2025-04-30 17:51:04 +00:00
Owner
Copy link

I guess there's potentially an option to open a second listener for metrics, so it can run in a separate thread on a different port? That would add complexity, but would replicate one of the (unintentionally?) useful features of the multiple listeners in Synapse.

I guess there's potentially an option to open a second listener for metrics, so it can run in a separate thread on a different port? That would add complexity, but would replicate one of the (unintentionally?) useful features of the multiple listeners in Synapse.
Jade commented 2025-04-30 17:53:31 +00:00
Author
Owner
Copy link

Yeah, this and HTML web interface ones are the ones I'd like people to be able to put on separate interfaces, although at that point, it makes sense to separate federation endpoints, too. The challenge is giving that flexibility without introducing a bunch of complexity in configuration.

Yeah, this and HTML web interface ones are the ones I'd like people to be able to put on separate interfaces, although at that point, it makes sense to separate federation endpoints, too. The challenge is giving that flexibility without introducing a bunch of complexity in configuration.
tcpipuk commented 2025-04-30 17:59:00 +00:00
Owner
Copy link

I think separating client and federation mainly risks complicating reverse proxy setup, which at the moment is one of our strengths - people coming from Synapse are often amazed at the simplicity of just forwarding everything to one port.

That said, it wouldn't be terribly difficult to provide example config for all the major reverse proxies to show how to handle the metrics endpoint securely, so maybe it would be easier overall to just keep everything on one port? 🤔

I think separating client and federation mainly risks complicating reverse proxy setup, which at the moment is one of our strengths - people coming from Synapse are often amazed at the simplicity of just forwarding everything to one port. That said, it wouldn't be terribly difficult to provide example config for all the major reverse proxies to show how to handle the metrics endpoint securely, so maybe it would be easier overall to just keep everything on one port? 🤔
Jade commented 2025-04-30 18:02:32 +00:00
Author
Owner
Copy link

Yeah the simplest default situation is to have everything on one port under matrix.sub and have sub/.well_know/matrix forwarded to matrix.sub, and then have the reverse proxy block /metrics. The challenge is when people want to start putting the HTML auth pages under a different domain. I guess that probably counts as an extra feature that's not needed for the initial implementation though.

Yeah the simplest default situation is to have everything on one port under matrix.sub and have sub/.well_know/matrix forwarded to matrix.sub, and then have the reverse proxy block /metrics. The challenge is when people want to start putting the HTML auth pages under a different domain. I guess that probably counts as an extra feature that's not needed for the initial implementation though.
nex added the
Enhancement
 label 2025-05-01 13:34:11 +00:00
magmaus3 commented 2025-05-04 11:25:26 +00:00
Copy link

what about making the metrics endpoint restrict requests to local connections only?

what about making the metrics endpoint restrict requests to local connections only?
Jade commented 2025-05-04 19:24:32 +00:00
Author
Owner
Copy link

what about making the metrics endpoint restrict requests to local connections only?

I guess that would be possible, but it opens the doors to issues with misconfiguration or spoofing if we allow reading the IP from a header for reverse proxies.

We could also allow configuring basic authentication, as most Prometheus implementations support that

> what about making the metrics endpoint restrict requests to local connections only? I guess that would be possible, but it opens the doors to issues with misconfiguration or spoofing if we allow reading the IP from a header for reverse proxies. We could also allow configuring basic authentication, as most Prometheus implementations support that
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
jade/relations
illegal-car-mods
jade/sec-policy-fixes
jade/msc2815
jade/syncv5-typing
jade/security-policy
nex/fix-eager-empty-sync
nex/fix-join-sync-state
jade/purge-sync-tokens
jade/logging-features
jade/ci-fix-tom
morguldir/see-eye
jade/auto-support-creation
jade/rust-toolchain-no-targets
jade/fix-knock-restricted
jade/tuwunel-2025-05
jade/css-small-screen
jade/ci-checks
jade/more-renames
nex/wip-751
jade/typos
jade/html-default-page
dahsa_uwu/axum-0.8
tcpipuk/cinny
jade/messages-more-strict-validation
jade/read-receipts
jade/announcements-checker
jade/tuwunel-ci
tuwunel-rebase
jade/enable-buildx-cache
jade/docker-ci
test
renovate/nixos-nix-2.x
renovate/smallvec-1.x-lockfile
renovate/lock-file-maintenance
renovate/axum-client-ip-1.x
renovate/rand-0.x
renovate/ctor-0.x
renovate/cargo_toml-0.x
renovate/axum-client-ip-0.x
renovate/opentelemetry-rust-monorepo
renovate/axum-monorepo
renovate/itertools-0.x
strawberry/nix-ci-stuff
strawberry/valgrind
strawberry/morgs-snake-sync-jason-main
newer-media-endpoints
folly-coroutines-async-io
federation-retry-timer-port
bad-attempt-at-extracting-homeserver-signing-key
room-deletion-attempt-do-not-use
v0.5.0-rc.5
v0.5.0-rc4
v0.5.0-rc3
v0.5.0-rc2
v0.5.0-rc
v0.4.7-rc
v0.4.6
v0.4.6-rc
v0.4.5-rc
v0.4.5
v0.4.4
v0.4.3
v0.4.2
v0.4.1
v0.3.4
v0.3.3
v0.3.2
v0.3.1
v0.3.0
Labels
Clear labels   
Bug

Something isn't working as intended

  
Cherry-picking

Commits picked from other conduit projects

  
Database

This requires or includes changes to the database

  
Dependencies

Something dependency related

  
Documentation

Improvements or additions to documentation

  
Enhancement

New feature or request

  
Good first issue

Good for newcomers

  
Help wanted

Additional eyes and keyboards are required for this one

  
Inherited

Issues that have been inhereted from the project pre-fork

  
Matrix/Administration

Features pertaining to homeserver administration

  
Matrix/Appservices

Features pertaining to the appservice API

  
Matrix/Auth

Features pertaining to authentication

  
Matrix/Client

Features pertaining to client-to-server interactions

  
Matrix/Core

   
Matrix/Federation

Features pertaining to server-to-server interactions

  
Matrix/MSC

Features pertaining to unstable matrix features

  
Matrix/Media

Features pertaining to media interactions

  
Meta

Related to housekeeping, maintenance, or other repo-meta.

  
Meta/Packaging

Packaging

  
Priority
Blocking
This issue is blocking the next release

  
Priority
High
This issue is very important

  
Priority
Low
This issue is of a rather low priority

  
Security

This item is related to general security

  
Status
Confirmed

  
Status
Duplicate
This issue or pull request already exists

  
Status
Invalid
This issue doesn't seem right

  
Status
Needs Investigation
This issue needs further investigation

  
Wont fix

This will not be worked on

  
old/ci/cd

Ci/CD

Archived

  
old/rust

Pull requests that update Rust code

Archived

No labels
Bug
Cherry-picking
Database
Dependencies
Documentation
Enhancement
Good first issue
Help wanted
Inherited
Matrix/Administration
Matrix/Appservices
Matrix/Auth
Matrix/Client
Matrix/Core
Matrix/Federation
Matrix/MSC
Matrix/Media
Meta
Meta/Packaging
Priority
Blocking
Priority
High
Priority
Low
Security
Status
Confirmed
Status
Duplicate
Status
Invalid
Status
Needs Investigation
Wont fix
old/ci/cd
old/rust
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
3 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: continuwuation/continuwuity#811
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?