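# Cluster exporter
# Fronts the Nomad, Consul and Vault metrics endpoints behind mutual TLS.
# One location is rendered per instance found in the Consul catalog.
server {
    listen {{ env "NOMAD_ALLOC_PORT_cluster" }} ssl;
    http2 on;

    ssl_certificate /secrets/metrics.bundle.pem;
    ssl_certificate_key /secrets/metrics.bundle.pem;

    # Scrapers must present a certificate issued by the monitoring CA.
    # NOTE(review): any certificate from that CA is accepted; no subject check
    # is made here, so the CA should issue certificates to scrapers only.
    ssl_client_certificate /local/monitoring.ca.pem;
    ssl_verify_client on;

    ssl_protocols TLSv1.2 TLSv1.3;
    # This list governs TLS 1.2 only. nginx offers DHE suites only when
    # ssl_dhparam is set, so the two DHE-RSA entries are inert as written.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1h;
    ssl_session_tickets off;

    gzip on;
    gzip_types text/plain;
    gzip_vary on;

    server_tokens off;

    # Metrics are read-only: reject every method except GET and HEAD.
    if ($request_method !~ ^(GET|HEAD)$ ) {
        return 405;
    }

    # The Consul ACL token is rendered in clear text into this file, so the
    # rendered output has to stay in a location only this task can read.
    set $consul_token "{{ with secret "consul/creds/[[ .instance ]]-cluster-exporter" }}{{ .Data.token }}{{ end }}";

    {{- range service "nomad-client" }}
    location /nomad-client/{{ .Node }} {
        proxy_pass https://{{ .Address }}:{{ .Port }}/v1/metrics?format=prometheus;
        proxy_ssl_certificate /secrets/nomad_client_bundle.pem;
        proxy_ssl_certificate_key /secrets/nomad_client_bundle.pem;
        # proxy_pass targets an IP address, so the expected certificate name
        # has to be given explicitly for verification to succeed.
        proxy_ssl_verify on;
        proxy_ssl_name client.{{ env "NOMAD_REGION" }}.nomad;
        proxy_ssl_trusted_certificate /local/nomad_ca.crt;
    }
    {{- end }}

    {{- range service "nomad" }}
    {{- if .Tags | contains "http" }}
    location /nomad/{{ .Node }} {
        proxy_pass https://{{ .Address }}:{{ .Port }}/v1/metrics?format=prometheus;
        proxy_ssl_certificate /secrets/nomad_client_bundle.pem;
        proxy_ssl_certificate_key /secrets/nomad_client_bundle.pem;
        proxy_ssl_verify on;
        proxy_ssl_name server.{{ env "NOMAD_REGION" }}.nomad;
        proxy_ssl_trusted_certificate /local/nomad_ca.crt;
    }
    {{- end }}
    {{- end }}

    {{- range service "consul" }}
    location /consul/{{ .Node }} {
        proxy_pass https://{{ .Address }}:8501/v1/agent/metrics?format=prometheus;
        proxy_set_header X-Consul-Token $consul_token;
        proxy_ssl_certificate /secrets/consul_client_bundle.pem;
        proxy_ssl_certificate_key /secrets/consul_client_bundle.pem;
        # Verification was off here although a CA was configured, so the ACL
        # token above was sent to whichever host answered at the catalog address.
        # Verify the upstream like the Nomad locations do.
        # NOTE(review): assumes the Consul server certificates carry the default
        # server.<datacenter>.consul name; adjust for a custom domain.
        proxy_ssl_verify on;
        proxy_ssl_name server.{{ .NodeDatacenter }}.consul;
        proxy_ssl_trusted_certificate /local/consul_ca.crt;
    }
    {{- end }}

    {{- range service "vault" }}
    location /vault/{{ .Node }} {
        # NOTE(review): no Vault token is sent, so this presumably relies on the
        # Vault listener permitting unauthenticated metrics access; confirm.
        proxy_pass https://{{ .Address }}:{{ .Port }}/v1/sys/metrics?format=prometheus;
        # No proxy_ssl_name is set, so the certificate is checked against the
        # host part of proxy_pass, using the system trust store.
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/ssl/cert.pem;
        proxy_set_header X-Forwarded-For "$proxy_add_x_forwarded_for";
        proxy_set_header X-Real-IP "$remote_addr";
        proxy_set_header X-Forwarded-Proto "$scheme";
        proxy_set_header X-Scheme "$scheme";
        proxy_set_header X-Forwarded-Host "$host";
        proxy_set_header X-Forwarded-Port "$server_port";
    }
    {{- end }}

    location / {
        root /usr/share/nginx/html;
        index index.html;
    }
}

# Ping exporter
# Mutual-TLS front for the exporter listening on loopback port 9427.
server {
    listen {{ env "NOMAD_ALLOC_PORT_ping" }} ssl;
    http2 on;

    ssl_certificate /secrets/metrics.bundle.pem;
    ssl_certificate_key /secrets/metrics.bundle.pem;
    ssl_client_certificate /local/monitoring.ca.pem;
    ssl_verify_client on;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1h;
    ssl_session_tickets off;

    gzip on;
    gzip_types text/plain;
    gzip_vary on;

    server_tokens off;

    if ($request_method !~ ^(GET|HEAD)$ ) {
        return 405;
    }

    # Plain HTTP is used only on loopback; TLS ends at this proxy.
    location /metrics {
        proxy_pass http://127.0.0.1:9427;
    }
}

# Blackbox exporter
# Mutual-TLS front for the exporter listening on loopback port 9115.
server {
    listen {{ env "NOMAD_ALLOC_PORT_blackbox" }} ssl;
    http2 on;

    ssl_certificate /secrets/metrics.bundle.pem;
    ssl_certificate_key /secrets/metrics.bundle.pem;
    ssl_client_certificate /local/monitoring.ca.pem;
    ssl_verify_client on;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1h;
    ssl_session_tickets off;

    gzip on;
    gzip_types text/plain;
    gzip_vary on;

    server_tokens off;

    if ($request_method !~ ^(GET|HEAD)$ ) {
        return 405;
    }

    # Every path is forwarded, not only /metrics, so any authenticated scraper
    # reaches the exporter's whole HTTP surface.
    location / {
        proxy_pass http://127.0.0.1:9115;
    }
}

# Consul exporter
# Mutual-TLS front for the exporter listening on loopback port 9107.
server {
    listen {{ env "NOMAD_ALLOC_PORT_consul" }} ssl;
    http2 on;

    ssl_certificate /secrets/metrics.bundle.pem;
    ssl_certificate_key /secrets/metrics.bundle.pem;
    ssl_client_certificate /local/monitoring.ca.pem;
    ssl_verify_client on;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1h;
    ssl_session_tickets off;

    gzip on;
    gzip_types text/plain;
    gzip_vary on;

    server_tokens off;

    if ($request_method !~ ^(GET|HEAD)$ ) {
        return 405;
    }

    location /metrics {
        proxy_pass http://127.0.0.1:9107;
    }
}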