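# Example vmauth routing config. Each entry under `users` maps one credential
# (bearer token or Basic Auth username/password) to one or more backend URLs.
#
# Arbitrary number of usernames may be put here.
# It is possible to set multiple identical usernames with different passwords.
# Such usernames can be differentiated by `name` option.
#
# "XXXX", "YYY" and "***" below are placeholders. This file holds every
# credential in clear text, so keep real values out of version control and
# restrict read access to the deployed file.
#
# The examples address vmauth and all backends over plain http. Basic Auth and
# bearer credentials are readable on the wire unless TLS is enabled on the
# vmauth listener or terminated in front of it.
#
# Per-user routing (tenant path, extra_label, added headers) is applied only to
# traffic that passes through vmauth. It isolates users only if clients cannot
# reach the backends directly.
users:
  # Requests with the 'Authorization: Bearer XXXX' and 'Authorization: Token XXXX'
  # header are proxied to http://localhost:8428 .
  # For example, http://vmauth:8427/api/v1/query is proxied to http://localhost:8428/api/v1/query
  # Requests with the Basic Auth username=XXXX are proxied to http://localhost:8428 as well.
  - bearer_token: "XXXX"
    url_prefix: "http://localhost:8428"

  # Requests with the 'Authorization: Bearer YYY' header are proxied to http://localhost:8428 .
  # The `X-Scope-OrgID: foobar` http header is added to every proxied request.
  # For example, http://vmauth:8427/api/v1/query is proxied to http://localhost:8428/api/v1/query
  - bearer_token: "YYY"
    url_prefix: "http://localhost:8428"
    headers:
      - "X-Scope-OrgID: foobar"

  # All the requests to http://vmauth:8427 with the given Basic Auth (username:password)
  # are proxied to http://localhost:8428 .
  # For example, http://vmauth:8427/api/v1/query is proxied to http://localhost:8428/api/v1/query
  #
  # The given user can send maximum 10 concurrent requests according to the provided max_concurrent_requests.
  # Excess concurrent requests are rejected with 429 HTTP status code.
  # See also -maxConcurrentPerUserRequests and -maxConcurrentRequests command-line flags.
  - username: "local-single-node"
    password: "***"
    url_prefix: "http://localhost:8428"
    max_concurrent_requests: 10

  # All the requests to http://vmauth:8427 with the given Basic Auth (username:password)
  # are proxied to http://localhost:8428 with extra_label=team=dev query arg.
  # For example, http://vmauth:8427/api/v1/query is routed to http://localhost:8428/api/v1/query?extra_label=team=dev
  # NOTE(review): what happens when the client sends its own extra_label query arg
  # is not shown here. Confirm the merge behaviour before relying on it as a filter.
  - username: "local-single-node2"
    password: "***"
    url_prefix: "http://localhost:8428?extra_label=team=dev"

  # All the requests to http://vmauth:8427 with the given Basic Auth (username:password)
  # are load-balanced among http://vmselect1:8481/select/123/prometheus and http://vmselect2:8481/select/123/prometheus
  # For example, http://vmauth:8427/api/v1/query is proxied to the following urls in a round-robin manner:
  #   - http://vmselect1:8481/select/123/prometheus/api/v1/query
  #   - http://vmselect2:8481/select/123/prometheus/api/v1/query
  - username: "cluster-select-account-123"
    password: "***"
    url_prefix:
      - "http://vmselect1:8481/select/123/prometheus"
      - "http://vmselect2:8481/select/123/prometheus"

  # All the requests to http://vmauth:8427 with the given Basic Auth (username:password)
  # are load-balanced between http://vminsert1:8480/insert/42/prometheus and http://vminsert2:8480/insert/42/prometheus
  # For example, http://vmauth:8427/api/v1/write is proxied to the following urls in a round-robin manner:
  #   - http://vminsert1:8480/insert/42/prometheus/api/v1/write
  #   - http://vminsert2:8480/insert/42/prometheus/api/v1/write
  - username: "cluster-insert-account-42"
    password: "***"
    url_prefix:
      - "http://vminsert1:8480/insert/42/prometheus"
      - "http://vminsert2:8480/insert/42/prometheus"

  # A single user for querying and inserting data:
  #
  # - Requests to http://vmauth:8427/api/v1/query, http://vmauth:8427/api/v1/query_range
  #   and http://vmauth:8427/api/v1/label/<label_name>/values are proxied to the following urls in a round-robin manner:
  #     - http://vmselect1:8481/select/42/prometheus
  #     - http://vmselect2:8481/select/42/prometheus
  #   For example, http://vmauth:8427/api/v1/query is proxied to http://vmselect1:8481/select/42/prometheus/api/v1/query
  #   or to http://vmselect2:8481/select/42/prometheus/api/v1/query .
  #
  # - Requests to http://vmauth:8427/api/v1/write are proxied to http://vminsert:8480/insert/42/prometheus/api/v1/write .
  #   The "X-Scope-OrgID: abc" http header is added to these requests.
  #
  # NOTE(review): this entry has a username but no password. Confirm that an
  # empty password is intended before copying it into a real deployment.
  - username: "foobar"
    url_map:
      - src_paths:
          - "/api/v1/query"
          - "/api/v1/query_range"
          - "/api/v1/label/[^/]+/values"
        url_prefix:
          - "http://vmselect1:8481/select/42/prometheus"
          - "http://vmselect2:8481/select/42/prometheus"
      - src_paths: ["/api/v1/write"]
        url_prefix: "http://vminsert:8480/insert/42/prometheus"
        headers:
          - "X-Scope-OrgID: abc"
    # Requests for this user coming from 127.0.0.1 are denied.
    # NOTE(review): how the client address is determined when vmauth sits behind
    # another proxy is not shown here. Confirm before relying on ip_filters.
    ip_filters:
      deny_list: ["127.0.0.1"]

  # A single user for querying and inserting data:
  #
  # - Requests to http://vmauth:8427/api/v1/query, http://vmauth:8427/api/v1/query_range
  #   and http://vmauth:8427/api/v1/label/<label_name>/values are proxied to the following urls in a round-robin manner:
  #     - http://vmselect1:8481/select/42/prometheus
  #     - http://vmselect2:8481/select/42/prometheus
  #   For example, http://vmauth:8427/api/v1/query is proxied to http://vmselect1:8481/select/42/prometheus/api/v1/query
  #   or to http://vmselect2:8481/select/42/prometheus/api/v1/query .
  #
  # - Requests to http://vmauth:8427/api/v1/write are proxied to http://vminsert:8480/insert/42/prometheus/api/v1/write .
  #
  # The requests which do not match `src_paths` from the `url_map` will be proxied to the urls from `default_url`
  # in a round-robin manner (with request path in `request_path` query param).
  # For example, request to http://vmauth:8427/non/existing/path will be proxied:
  #   - to http://default1:8888/process?request_path=/non/existing/path
  #   - or http://default2:8888/process?request_path=/non/existing/path
  #
  # NOTE(review): this entry reuses username "foobar" with no password, the same
  # credential as the previous entry. Confirm vmauth accepts that, or give the
  # two entries distinct credentials.
  - username: "foobar"
    url_map:
      - src_paths:
          - "/api/v1/query"
          - "/api/v1/query_range"
          - "/api/v1/label/[^/]+/values"
        url_prefix:
          - "http://vmselect1:8481/select/42/prometheus"
          - "http://vmselect2:8481/select/42/prometheus"
      - src_paths: ["/api/v1/write"]
        url_prefix: "http://vminsert:8480/insert/42/prometheus"
    default_url:
      - "http://default1:8888/process"
      - "http://default2:8888/process"

# Requests without Authorization header are routed according to `unauthorized_user` section.
# Everything matched here is served without credentials, so keep `src_paths`
# narrow. The `ip_filters` allow_list below is the only restriction on it.
unauthorized_user:
  url_map:
    - src_paths:
        - "/api/v1/query"
        - "/api/v1/query_range"
      url_prefix:
        - "http://vmselect1:8481/select/0/prometheus"
        - "http://vmselect2:8481/select/0/prometheus"
  ip_filters:
    allow_list: ["8.8.8.8"]

# Top-level IP filters.
# NOTE(review): presumably these apply to every request, in addition to the
# per-user filters. Confirm the precedence against the vmauth documentation.
ip_filters:
  allow_list: ["1.2.3.0/24", "127.0.0.1"]
  deny_list:
    - "10.1.0.1"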