add tls_config to node_exporter

Author: aagbsn

ansible/deploy-testlists.yml

@@ -12,7 +12,6 @@
         use_nginx: false
         node_exporter_port: 9100
         node_exporter_host: "0.0.0.0"
-        node_exporter_options: "--web.auth.file={{ node_exporter_htpasswd }}"
     - role: geerlingguy.docker
       docker_users:
         - testlists

ansible/roles/prometheus_node_exporter/defaults/main.yml

@@ -13,8 +13,47 @@ node_exporter_bin_path: /usr/local/bin/node_exporter
 node_exporter_host: 'localhost'
 node_exporter_port: 8100
 node_exporter_htpasswd: '/etc/ooni/prometheus_passwd'
+node_exporter_web_config: '/etc/ooni/node_exporter_web_config.yml'
 node_exporter_options: ''
 
 node_exporter_state: started
 node_exporter_enabled: true
 node_exporter_restart: on-failure
+
+tls_cert_file: "/var/lib/dehydrated/certs/{{ inventory_hostname }}/fullchain.pem"
+tls_key_file: "/var/lib/dehydrated/certs/{{ inventory_hostname }}/privkey.pem"
+
+tls_client_auth_type: "RequireAndVerifyClientCert"  # Enforce client authentication.
+
+tls_client_ca_file: "/etc/ssl/certs/scraper_ca.cert"  # Path to the CA certificate file for clients.
+
+tls_client_allowed_sans:
+  - "DNS:monitoringproxy.dev.ooni.io"  # Allow this SAN to match.
+  - "DNS:monitoringproxy.prod.ooni.io"  # Allow this SAN to match.
+
+tls_min_version: "TLS12"  # Minimum TLS version allowed.
+tls_max_version: "TLS13"  # Maximum TLS version allowed.
+
+tls_cipher_suites:
+  - "TLS_AES_128_GCM_SHA256"
+  - "TLS_AES_256_GCM_SHA384"
+  - "TLS_CHACHA20_POLY1305"  # Modern, secure cipher suites.
+
+tls_prefer_server_cipher_suites: true  # Prefer server cipher suites.
+
+tls_curve_preferences:
+  - "X25519"  # Preferred curves for ECDHE.
+
+http2_enabled: true  # Enable HTTP/2 support.
+
+# Default HTTP headers
+http_csp: "default-src 'self';"  # Content-Security-Policy.
+http_x_frame_options: "DENY"  # X-Frame-Options.
+http_x_content_type_options: "nosniff"  # X-Content-Type-Options.
+http_x_xss_protection: "1; mode=block"  # X-XSS-Protection.
+http_strict_transport_security: "max-age=63072000; includeSubDomains; preload"  # HSTS settings.
+
+basic_auth_users: {}  # No basic authentication by default.
+
+rate_limit_interval: "10s"  # Time interval between requests.
+rate_limit_burst: 20  # Allow a burst of 20 requests.

ansible/roles/prometheus_node_exporter/tasks/install.yml

@@ -51,6 +51,21 @@
     - monitoring
     - node_exporter
     - config
+  when: use_nginx
+
+- name: Copy ooni CA cert for client authentication
+  copy:
+    src: scraper_ca.cert
+    dest: /etc/ssl/certs/scraper_ca.cert
+    mode: 0644
+    owner: root
+    group: root
+
+- name: Copy node_exporter web_config
+  template:
+    src: node_exporter_web_config.j2
+    dest: /etc/ooni/node_exporter_web_config.yml
+    mode: 0644
 
 - name: Copy the node_exporter systemd unit file.
   template:

ansible/roles/prometheus_node_exporter/templates/node_exporter.service.j2

@@ -4,7 +4,7 @@ Description=NodeExporter
 [Service]
 TimeoutStartSec=0
 User=node_exporter
-ExecStart={{ node_exporter_bin_path }} --web.listen-address={{ node_exporter_host }}:{{ node_exporter_port }} {{ node_exporter_options }}
+ExecStart={{ node_exporter_bin_path }} --web.listen-address={{ node_exporter_host }}:{{ node_exporter_port }} --web.config.file={{node_exporter_web_config }} {{ node_exporter_options }}
 Restart={{ node_exporter_restart }}
 
 [Install]

ansible/roles/prometheus_node_exporter/templates/node_exporter_web_config.j2

@@ -0,0 +1,32 @@
+tls_server_config:
+  cert_file: "{{ tls_cert_file }}"   # Certificate file for server authentication.
+  key_file: "{{ tls_key_file }}"     # Key file for server authentication.
+  client_auth_type: "{{ tls_client_auth_type | default('NoClientCert') }}"  # Server policy for client authentication.
+  client_ca_file: "{{ tls_client_ca_file }}"  # CA certificate file for client authentication.
+  client_allowed_sans: 
+    - {{ tls_client_allowed_sans | map('tojson') | join(', ') }}  # SAN matches for client certificate.
+  min_version: "{{ tls_min_version | default('TLS12') }}"  # Minimum acceptable TLS version.
+  max_version: "{{ tls_max_version | default('TLS13') }}"  # Maximum acceptable TLS version.
+  cipher_suites: 
+    - {{ tls_cipher_suites | map('tojson') | join(', ') }}  # Supported cipher suites.
+  prefer_server_cipher_suites: {{ tls_prefer_server_cipher_suites | default(true) }}  # Server cipher suite preference.
+  curve_preferences:
+    - {{ tls_curve_preferences | map('tojson') | join(', ') }}  # Elliptic curves for ECDHE handshake.
+
+http_server_config:
+  http2: {{ http2_enabled | default(true) }}  # Enable HTTP/2 support.
+  headers:
+    Content-Security-Policy: "{{ http_csp }}"  # Content-Security-Policy for HTTP responses.
+    X-Frame-Options: "{{ http_x_frame_options }}"  # X-Frame-Options for HTTP responses.
+    X-Content-Type-Options: "{{ http_x_content_type_options }}"  # X-Content-Type-Options for responses.
+    X-XSS-Protection: "{{ http_x_xss_protection }}"  # X-XSS-Protection for responses.
+    Strict-Transport-Security: "{{ http_strict_transport_security }}"  # Strict-Transport-Security for responses.
+
+basic_auth_users:
+  {% for user, pass in basic_auth_users.items() %}
+  {{ user }}: "{{ pass }}"
+  {% endfor %}
+
+rate_limit:
+  interval: "{{ rate_limit_interval }}"  # Time interval between requests.
+  burst: "{{ rate_limit_burst }}"  # Permits a burst of requests.