Jef Practice: Adding basic auth to Sensu Agent events api for use with external services

The Sensu agent events API is currently my preferred way to have 3rd party services generate Sensu events in an ad hoc fashion. I personally use this pattern with some particle.io event-based webhooks to generate alerts and metrics from my collection of particle devices. My latest project is a smart current sensor for the invisible dog fence around my yard, which I hacked together to alert me when there is a break in the line. But I digress…

There is one significant catch: the Sensu agent events API doesn’t provide any sort of auth, so exposing it directly to the internet for a 3rd party service to use is not advisable.

By default, the Sensu agent enables the events API socket only for localhost connections on 127.0.0.1. This default is a compromise: local applications can send events into the Sensu pipeline through the agent, but the agent is not opened up to abuse by hosts on the external network.

But I need to open it up for external cloud services. The way I do this is with an nginx reverse proxy that has basic auth enabled and forwards to my Sensu agent.

You’ll want your nginx configuration to do 3 things:

  1. Use https for inbound connections, with appropriately signed certs. For my use case, self-signed certs are fine. We need this to ensure the http auth credentials are not passed in clear text over the internet.
  2. proxy_pass to the Sensu agent http events API running on localhost.
  3. Require http basic auth.

:construction: I’ll add a link to a sanitized nginx config :construction:

For people using the Sensu agent in AWS, there is also a similar pattern using AWS Lambda to provide basic auth. The configuration requirements are a little different, in that you’ll have to open up the agent running in AWS to allow external inbound traffic. In the Lambda pattern, you’ll rely on AWS’s network security policy to prevent access to the naked Sensu agent. It’s a little more complicated, but I just mention it as an alternative for those with access to Lambda-like function-as-a-service capabilities.

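A minimal server block covering the three nginx requirements listed above, as an added example rather than the author's own config. The hostname, certificate and htpasswd paths are placeholders, and the upstream port 3031 assumes the Sensu Go agent API default, so adjust it to match your agent. Restricting the proxy to `POST /events` and stripping the `Authorization` header before forwarding are extra hardening choices beyond the three listed items.

```nginx
# Added example: HTTPS + basic auth in front of a Sensu agent events API
# that stays bound to 127.0.0.1. All names and paths are placeholders.
server {
    # 1. HTTPS only. No port-80 listener is defined, so the basic auth
    #    credentials are never accepted over plain HTTP.
    listen 443 ssl;
    server_name sensu-events.example.com;                 # placeholder

    ssl_certificate     /etc/nginx/tls/sensu-events.crt;  # placeholder
    ssl_certificate_key /etc/nginx/tls/sensu-events.key;  # placeholder
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Expose only the events endpoint, not the rest of the agent API.
    location = /events {
        # Webhooks only need to create events; reject every other method.
        limit_except POST { deny all; }

        # 3. Require HTTP basic auth. Create the file with:
        #    htpasswd -c /etc/nginx/sensu-events.htpasswd <user>
        auth_basic           "Sensu agent events";
        auth_basic_user_file /etc/nginx/sensu-events.htpasswd;

        # Event payloads are small JSON documents; cap the request body.
        client_max_body_size 64k;

        # 2. Forward to the agent on localhost (port is an assumption:
        #    the Sensu Go agent API default).
        proxy_pass http://127.0.0.1:3031/events;

        # The agent does no auth of its own, so do not pass the
        # webhook's credentials any further than nginx.
        proxy_set_header Authorization "";
    }

    # Everything else is refused without reaching the agent.
    location / {
        return 404;
    }
}
```

Run `nginx -t` before reloading, and confirm from an external host that a request without credentials gets a 401 and that the agent port itself is not reachable.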