Prometheus doesn't come with server-side security features out of the box, but there's many options out there to provide them.

I'll presume that you've already a Prometheus running locally on port 9090. There's many pieces of software that implement all the TLS features you could want, here I'm going to use Caddy. To start off download Caddy and configure it with a self-signed cert:

tar -xzf caddy_v*_linux_amd64.tar.gz
cat > Caddyfile << EOF
tls self_signed
proxy / localhost:9090
# Allow caddy to bind to 443.
sudo setcap cap_net_bind_service=+ep caddy

If you now visit (and bypass the security warning about the self-signed cert) you'll see Prometheus:

This is fine for local testing, but a real cert is needed for production. You can use Let's Encrypt for this, so change the configuration to use a real DNS working name:

cat > Caddyfile << EOF
# Put in your own domain and email address here.
proxy / localhost:9090
# -agree is to the CA's Terms and Conditions
./caddy -agree


And if you visit your website you'll see it's serving properly over HTTPS:

This isn't quite everything. Prometheus is probably still listening on all interfaces, allowing bypassing of Caddy. You can pass --web.listen-address=localhost:9090 to Prometheus to have it only listen locally. Another issue is that Prometheus doesn't know about the proper URL to use in alerts etc., which in this example can be handled with --web.external-url=


Need help securing Prometheus? Contact us.