HTTPS and authentication

Alertmanager supports basic authentication and TLS. This is experimental and might change in the future.

Currently TLS is supported for the HTTP traffic and gossip traffic.

HTTP Traffic

To specify which web configuration file to load, use the --web.config.file flag.

The file is written in YAML format, defined by the schema described below. Brackets indicate that a parameter is optional. For non-list parameters the value is set to the specified default.

The file is read upon every HTTP request, so any change in the configuration and the certificates is picked up immediately.

Generic placeholders are defined as follows:

  • <boolean>: a boolean that can take the values true or false
  • <filename>: a valid path in the current working directory
  • <secret>: a regular string that is a secret, such as a password
  • <string>: a regular string
    tls_server_config:
      # Certificate and key files for the server to use to authenticate to the client.
      cert_file: <filename>
      key_file: <filename>
      # Server policy for client authentication. Maps to ClientAuth Policies.
      # For more detail on clientAuth options:
      # https://golang.org/pkg/crypto/tls/#ClientAuthType
      #
      # NOTE: If you want to enable client authentication, you need to use
      # RequireAndVerifyClientCert. Other values are insecure.
      [ client_auth_type: <string> | default = "NoClientCert" ]
      # CA certificate for client certificate authentication to the server.
      [ client_ca_file: <filename> ]
      # Minimum TLS version that is acceptable.
      [ min_version: <string> | default = "TLS12" ]
      # Maximum TLS version that is acceptable.
      [ max_version: <string> | default = "TLS13" ]
      # List of supported cipher suites for TLS versions up to TLS 1.2. If empty,
      # Go default cipher suites are used. Available cipher suites are documented
      # in the Go documentation:
      # https://golang.org/pkg/crypto/tls/#pkg-constants
      #
      # Note that only the cipher suites returned by the following function are supported:
      # https://pkg.go.dev/crypto/tls#CipherSuites
      [ cipher_suites:
        [ - <string> ] ]
      # prefer_server_cipher_suites controls whether the server selects the
      # client's most preferred cipher suite, or the server's most preferred
      # cipher suite. If true then the server's preference, as expressed in
      # the order of elements in cipher_suites, is used.
      [ prefer_server_cipher_suites: <boolean> | default = true ]
      # Elliptic curves that will be used in an ECDHE handshake, in preference
      # order. Available curves are documented in the Go documentation:
      # https://golang.org/pkg/crypto/tls/#CurveID
      [ curve_preferences:
        [ - <string> ] ]
    http_server_config:
      # Enable HTTP/2 support. Note that HTTP/2 is only supported with TLS.
      # This cannot be changed on the fly.
      [ http2: <boolean> | default = true ]
      # List of headers that can be added to HTTP responses.
      [ headers:
        # Set the Content-Security-Policy header to HTTP responses.
        # Unset if blank.
        [ Content-Security-Policy: <string> ]
        # Set the X-Frame-Options header to HTTP responses.
        # Unset if blank. Accepted values are deny and sameorigin.
        # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
        [ X-Frame-Options: <string> ]
        # Set the X-Content-Type-Options header to HTTP responses.
        # Unset if blank. Accepted value is nosniff.
        # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
        [ X-Content-Type-Options: <string> ]
        # Set the X-XSS-Protection header to all responses.
        # Unset if blank.
        # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
        [ X-XSS-Protection: <string> ]
        # Set the Strict-Transport-Security header to HTTP responses.
        # Unset if blank.
        # Please make sure that you use this with care as this header might force
        # browsers to load Alertmanager and the other applications hosted on the same
        # domain and subdomains over HTTPS.
        # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
        [ Strict-Transport-Security: <string> ] ]
    # Usernames and hashed passwords that have full access to the web
    # server via basic authentication. If empty, no basic authentication is
    # required. Passwords are hashed with bcrypt.
    basic_auth_users:
      [ <string>: <secret> ... ]
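The Go program below is an added example written for this page, not Alertmanager's own code (Alertmanager hands the web configuration to the exporter-toolkit library). It maps the tls_server_config keys above onto a crypto/tls Config and refuses what the schema warns against: a cipher suite name that Go itself lists as insecure, a *Verify* client_auth_type without a client CA, and a min_version above max_version. The struct, the function names and the error texts are the example's own; curve_preferences, prefer_server_cipher_suites, http_server_config and basic_auth_users are not mapped, and the client CA is taken as an already parsed pool instead of being read from client_ca_file.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
)

// TLSServerConfig carries the tls_server_config keys this example maps; the Go
// field names are the example's own, each comment gives the YAML key.
type TLSServerConfig struct {
	CertFile       string         // cert_file
	KeyFile        string         // key_file
	ClientAuthType string         // client_auth_type, default "NoClientCert"
	ClientCAs      *x509.CertPool // client_ca_file, already parsed by the caller
	MinVersion     string         // min_version, default "TLS12"
	MaxVersion     string         // max_version, default "TLS13"
	CipherSuites   []string       // cipher_suites, by Go constant name
}

var tlsVersions = map[string]uint16{
	"TLS10": tls.VersionTLS10, "TLS11": tls.VersionTLS11,
	"TLS12": tls.VersionTLS12, "TLS13": tls.VersionTLS13,
}

var clientAuthTypes = map[string]tls.ClientAuthType{
	"NoClientCert": tls.NoClientCert, "RequestClientCert": tls.RequestClientCert,
	"RequireAnyClientCert": tls.RequireAnyClientCert, "VerifyClientCertIfGiven": tls.VerifyClientCertIfGiven,
	"RequireAndVerifyClientCert": tls.RequireAndVerifyClientCert,
}

func orDefault(v, def string) string {
	if v == "" {
		return def
	}
	return v
}

// parseCipherSuites accepts only names that tls.CipherSuites() reports; a name
// listed by tls.InsecureCipherSuites() is refused with an explicit reason.
func parseCipherSuites(names []string) ([]uint16, error) {
	var ids []uint16
	for _, n := range names {
		for _, cs := range tls.InsecureCipherSuites() {
			if cs.Name == n {
				return nil, fmt.Errorf("cipher suite %q is insecure and not supported", n)
			}
		}
		found := false
		for _, cs := range tls.CipherSuites() {
			if cs.Name == n {
				ids, found = append(ids, cs.ID), true
			}
		}
		if !found {
			return nil, fmt.Errorf("unknown cipher suite %q", n)
		}
	}
	return ids, nil
}

// BuildServerTLSConfig maps the YAML-level settings onto a *tls.Config and
// rejects the combinations the documented schema does not allow.
func BuildServerTLSConfig(cfg TLSServerConfig) (*tls.Config, error) {
	if cfg.CertFile == "" || cfg.KeyFile == "" {
		return nil, fmt.Errorf("cert_file and key_file are required")
	}
	minV, okMin := tlsVersions[orDefault(cfg.MinVersion, "TLS12")]
	maxV, okMax := tlsVersions[orDefault(cfg.MaxVersion, "TLS13")]
	if !okMin || !okMax || minV > maxV {
		return nil, fmt.Errorf("min_version/max_version must be TLS10..TLS13 with min <= max")
	}
	auth, ok := clientAuthTypes[orDefault(cfg.ClientAuthType, "NoClientCert")]
	if !ok {
		return nil, fmt.Errorf("unknown client_auth_type %q", cfg.ClientAuthType)
	}
	// Only the two *Verify* policies check the client certificate against a CA, so
	// they need client_ca_file; with a nil pool Go would silently use the system roots.
	if (auth == tls.VerifyClientCertIfGiven || auth == tls.RequireAndVerifyClientCert) && cfg.ClientCAs == nil {
		return nil, fmt.Errorf("client_ca_file is required for %s", cfg.ClientAuthType)
	}
	suites, err := parseCipherSuites(cfg.CipherSuites)
	if err != nil {
		return nil, err
	}
	return &tls.Config{
		MinVersion: minV, MaxVersion: maxV, ClientAuth: auth, ClientCAs: cfg.ClientCAs, CipherSuites: suites,
		// Loaded on every handshake, so a rotated certificate is picked up without a restart.
		GetCertificate: func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
			c, err := tls.LoadX509KeyPair(cfg.CertFile, cfg.KeyFile)
			return &c, err
		},
	}, nil
}

func main() {
	_, err := BuildServerTLSConfig(TLSServerConfig{CertFile: "server.crt", KeyFile: "server.key", CipherSuites: []string{"TLS_RSA_WITH_RC4_128_SHA"}})
	fmt.Println(err)
}
```

A value for basic_auth_users can be produced with htpasswd from apache2-utils, for example `htpasswd -nBC 10 "" | tr -d ':\n'`, which prints a bcrypt hash to paste after the username. bcrypt itself lives in golang.org/x/crypto/bcrypt outside the Go standard library, which is why the example above does not cover that key.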

Gossip Traffic

To enable mutual TLS for gossip, point the --cluster.tls-config flag at a configuration file of the form below.

Both the server and the client side of the gossip connection are configured in that file.

    tls_server_config:
      # Certificate and key files for the server to use to authenticate to the client.
      cert_file: <filename>
      key_file: <filename>
      # Server policy for client authentication. Maps to ClientAuth Policies.
      # For more detail on clientAuth options:
      # https://golang.org/pkg/crypto/tls/#ClientAuthType
      #
      # NOTE: If you want to enable client authentication, you need to use
      # RequireAndVerifyClientCert. Other values are insecure.
      [ client_auth_type: <string> | default = "NoClientCert" ]
      # CA certificate for client certificate authentication to the server.
      [ client_ca_file: <filename> ]
      # Minimum TLS version that is acceptable.
      [ min_version: <string> | default = "TLS12" ]
      # Maximum TLS version that is acceptable.
      [ max_version: <string> | default = "TLS13" ]
      # List of supported cipher suites for TLS versions up to TLS 1.2. If empty,
      # Go default cipher suites are used. Available cipher suites are documented
      # in the Go documentation:
      # https://golang.org/pkg/crypto/tls/#pkg-constants
      [ cipher_suites:
        [ - <string> ] ]
      # prefer_server_cipher_suites controls whether the server selects the
      # client's most preferred cipher suite, or the server's most preferred
      # cipher suite. If true then the server's preference, as expressed in
      # the order of elements in cipher_suites, is used.
      [ prefer_server_cipher_suites: <boolean> | default = true ]
      # Elliptic curves that will be used in an ECDHE handshake, in preference
      # order. Available curves are documented in the Go documentation:
      # https://golang.org/pkg/crypto/tls/#CurveID
      [ curve_preferences:
        [ - <string> ] ]
    tls_client_config:
      # Path to the CA certificate with which to validate the server certificate.
      [ ca_file: <filename> ]
      # Certificate and key files for client certificate authentication to the server.
      [ cert_file: <filename> ]
      [ key_file: <filename> ]
      # Server name extension to indicate the name of the server.
      # http://tools.ietf.org/html/rfc4366#section-3.1
      [ server_name: <string> ]
      # Disable validation of the server certificate.
      [ insecure_skip_verify: <boolean> | default = false ]
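To show what the two halves of this file buy you, the Go program below is an added example written for this page, not Alertmanager's gossip code. It builds a throwaway CA in memory, gives peer am-1 a server certificate and peer am-2 a client certificate, and then runs four handshakes over an in-memory pipe: the intended mutual TLS, am-2 without cert_file/key_file, an impostor server whose certificate comes from an unrelated CA while am-2 validates it through ca_file, and the same impostor with insecure_skip_verify: true. The peer names, the CAs and every certificate are constructed for the example; the tls.Config fields are annotated with the YAML key they correspond to.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// mint generates a P-256 key and signs tmpl with parent (self-signed when parent is nil).
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fails only if crypto/rand does
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key, der
}

// newCA builds a self-signed CA for this example; its certificate plays the role of client_ca_file / ca_file.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	cert, key, _ := mint(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	return cert, key
}

// issue signs a leaf certificate for name under ca; usage selects server or client auth.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, name string, usage x509.ExtKeyUsage) tls.Certificate {
	_, key, der := mint(&x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{usage},
		DNSNames: []string{name},
	}, ca, caKey)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// handshake runs one TLS session over an in-memory pipe. The server sends a byte only if its
// handshake succeeded and the client waits for it: in TLS 1.3 a rejected client certificate
// surfaces only after the client's own handshake has returned.
func handshake(serverCfg, clientCfg *tls.Config) error {
	cs, cc := net.Pipe()
	go func() {
		defer cs.Close()
		s := tls.Server(cs, serverCfg)
		if s.Handshake() == nil {
			s.Write([]byte{1})
		}
	}()
	c := tls.Client(cc, clientCfg)
	defer c.Close()
	c.SetDeadline(time.Now().Add(time.Second)) // bounds the rejected cases on the synchronous pipe
	_, err := c.Read(make([]byte, 1))         // nil only if both peers accepted each other
	return err
}

// Outcomes of four gossip handshakes: am-1 uses tls_server_config, am-2 uses tls_client_config.
type Outcomes struct {
	MutualTLS      error // am-2 presents cert_file/key_file and validates am-1 via ca_file
	NoClientCert   error // am-2 omits cert_file/key_file
	ImpostorWithCA error // server certificate from an unrelated CA, am-2 validates via ca_file
	ImpostorSkip   error // same impostor, am-2 sets insecure_skip_verify: true
}

func RunScenarios() Outcomes {
	caCert, caKey := newCA("cluster-ca")
	pool := x509.NewCertPool() // the parsed client_ca_file / ca_file
	pool.AddCert(caCert)
	server := &tls.Config{
		Certificates: []tls.Certificate{issue(caCert, caKey, "am-1", x509.ExtKeyUsageServerAuth)},
		ClientAuth:   tls.RequireAndVerifyClientCert, // client_auth_type
		ClientCAs:    pool,                           // client_ca_file
	}
	peer := issue(caCert, caKey, "am-2", x509.ExtKeyUsageClientAuth)
	good := &tls.Config{RootCAs: pool, Certificates: []tls.Certificate{peer}, ServerName: "am-1"}
	rogueCert, rogueKey := newCA("rogue-ca") // an attacker's CA, unknown to the cluster
	impostor := &tls.Config{Certificates: []tls.Certificate{issue(rogueCert, rogueKey, "am-1", x509.ExtKeyUsageServerAuth)}}
	return Outcomes{
		MutualTLS:      handshake(server, good),
		NoClientCert:   handshake(server, &tls.Config{RootCAs: pool, ServerName: "am-1"}),
		ImpostorWithCA: handshake(impostor, good),
		ImpostorSkip:   handshake(impostor, &tls.Config{InsecureSkipVerify: true}),
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenarios())
}
```

Run it and the first and last outcomes are nil while the middle two carry errors: RequireAndVerifyClientCert turns away the peer that has no certificate, and ca_file turns away the impostor, but insecure_skip_verify lets the impostor through. That is the reason the flag should stay at its default of false anywhere other than a debugging session, and the reason the tls_server_config side needs RequireAndVerifyClientCert rather than one of the other policies.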
