CORS consistent behavior

[freignat91]

I use nginx to reverse proxy prometheus requests.

Using the url http://localhost:9090/api/v1/...no-matter
I got CORS headers in answer and don't have to handle them in nginx

Using the url http://localhost:9090/metrics
I don't get CORS headers in answer and have to handle them in nginx

It's not critical. It's oblige me to handle prometheus reverse proxy with two different nginx locations, it's a not consistent behavior from prometheus, i find very interesting and well done by the way :)

[juliusv]

@freignat91 Can you explain your use case for wanting CORS headers on the /metrics endpoint? Are you scraping it via AJAX from a web UI or something? That's the reason why the /api/... endpoints have CORS headers enabled, in order for tools like Grafana to be able to query them. But /metrics is usually only consumed by another Prometheus, which doesn't require CORS.

[freignat91]

The use case is:
We are using prometheus inside a private network after a reverse proxy. The UI which use prometheus API use a web server also after the reverse proxy, but use a different url then the UI needs CORS to be able to use the prometheus API. The UI is Angular 4 one and yes, access to prometheus API through AJAX.
We use /metrics to get all the prometheus sources with there parameters. I don't see another way to get them and the UI need to know them. Sources can be added or deleted, the list isn't static in our case.

[juliusv]

@freignat91 Hmm, I'm having trouble understanding some of that, sorry.

The UI is Angular 4 one and yes, access to prometheus API through AJAX.

So yeah, that part should be fine, since the normal Prometheus API already sets CORS headers.

We use /metrics to get all the prometheus sources with there parameters.

What do you mean with "sources" and "parameters"? Do you mean "metrics" and "labels"? I'm still trying to figure out for which purpose you are querying /metrics directly from JS instead of doing everything via normal API queries?

[freignat91]

I mean by 'sources' the prometheus clients, the products which compute metrics as NATS, ETCD, Haproxy, in our case, using or not exporter and I mean by 'parameters' the name of the metrics at prometheus disposal, their type (instant, range,...) and their parameters. All information i got using .../metrics url
The issue i saw is that the request i execute to extract data using url /api/v1 work perfectly because prometheus manage the CORS header, but only the /metrics url request dont manager CORS header.
Perhaps there is another way to get the sources metrics information i need which doesn't use the /metrics url, but i didn't see it for now.
if i execute the request localhost:9090/metrics locally by hand in order to don't need CORS i got result as:

...
prometheus_target_sync_length_seconds{scrape_job="etcd",quantile="0.05"} 1.2224e-05
prometheus_target_sync_length_seconds{scrape_job="etcd",quantile="0.5"} 2.0028e-05
prometheus_target_sync_length_seconds{scrape_job="etcd",quantile="0.9"} 3.0761e-05
prometheus_target_sync_length_seconds{scrape_job="etcd",quantile="0.99"} 5.9297e-05
prometheus_target_sync_length_seconds_sum{scrape_job="etcd"} 0.0011439859999999994
prometheus_target_sync_length_seconds_count{scrape_job="etcd"} 43
prometheus_target_sync_length_seconds{scrape_job="haproxy",quantile="0.01"} 1.3819e-05
prometheus_target_sync_length_seconds{scrape_job="haproxy",quantile="0.05"} 1.3819e-05
prometheus_target_sync_length_seconds{scrape_job="haproxy",quantile="0.5"} 2.1152e-05
prometheus_target_sync_length_seconds{scrape_job="haproxy",quantile="0.9"} 4.6845e-05 

I use it to know which metrics are requestable in prometheus and i can't execute such request from the UI because of CORS

[juliusv]

I see. You can just use the API under /api/v1/... to get the same information.

For example, to get all metric names in a Prometheus server:

http://demo.robustperception.io:9090/api/v1/label/__name__/values

Or to get all series that match a certain matcher in a Prometheus server (in this case, {job="node"}):

http://demo.robustperception.io:9090/api/v1/series?match[]={job=%22node%22}

You can even constrain that by time range if you want (see https://prometheus.io/docs/querying/api/#finding-series-by-label-matchers).

In conclusion, I don't think we want to add CORS headers to the /metrics endpoints as you can get all the necessary information through the API and we only want to add CORS headers to endpoints that really need them. So I'm closing this here.

[freignat91]

ok, thanks very much

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.