Is there an easy way to add a prefix to all the Actuator endpoints?
/env -> /secure/env
/health -> /secure/health
/info -> /secure/info
...
Jesper's answer is completely right, but I was looking for a more straightforward way of prefixing all endpoints, and it can be done with management.context-path, e.g.:
management:
context-path: /secure
-> /secure/env
-> /secure/health
...
According to current Spring-Boot documentation, the property to change is:
management.endpoints.web.base-path=/secure
Set the properties endpoints.{name}.path in your application.properties. For example:
endpoints.actuator.path=/secure/actuator
endpoints.env.path=/secure/env
endpoints.health.path=/secure/health
endpoints.info.path=/secure/info
To enable security on an endpoint, set endpoints.{name}.sensitive to true. For example:
endpoints.health.sensitive=true
See also Securing sensitive endpoints, Actuator Security and HTTP health endpoint access restrictions in the Spring Boot reference documentation if you want to secure the actuator endpoints of your application.
See Common application properties in the Spring Boot reference documentation for a list of common properties that you can set in application.properties.
Related
I am using spring boot 2.0.4 and want to expose my actuator endpoints. When adding the following to application.yml only info, health are being exposed.
management:
endpoints:
web:
exposure:
include: "*"
When I run http://localhost:8080/actuator I get
{"_links":{"self":{"href":"http://localhost:8080/actuator","templated":false},"health":{"href":"http://localhost:8080/actuator/health","templated":false},"info":{"href":"http://localhost:8080/actuator/info","templated":false}}}
Spring Boot 2.0 takes a slightly different approach to ensure web endpoints security. The majority of Web endpoints are now disabled by default (Only the /health and /info endpoints are exposed) and the management.security.enabled property has been removed. There is no longer a separate security auto-configuration for the Actuator, individual endpoints may be enabled/disabled and/or exposed via configuration in the application.properties file. For example:
# disable beans endpoint
management.endpoints.beans.enabled=false
# expose all endpoints:
management.endpoints.web.exposure.include=*
See additional info Spring official documentation: https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-2.0-Migration-Guide#endpoints
On my application.properties i have endpoints.enabled=false and also endpoints.health.enabled=false but still the /health endpoint is not getting suppressed.
Maybe you are missing the first level of the properties.
The properties should be configured like this, to disable all endpoints
management.endpoints.enabled-by-default= false
if you only want to disable the health endpoint than use this property:
management.endpoint.health.enabled=false
I think the issues here could be the version of Sprint Boot being used. 1.5.x has different properties to 2.0.x.
Spring Boot 2.0.x
management.endpoints.enabled-by-default=false
management.endpoint.health.enabled=false
management.endpoint.info.enabled=true
Spring Boot 1.5.x
endpoints.enabled=false
endpoint.health.enabled=false
endpoint.info.enabled=true
Please also note that when enabling endpoints you use plural ("endpoints") but when enabling a specific endpoint you use a singlton ("endpoint").
I need to set a prefix for my controllers: /api. But this shouldn't impact the actuator endpoints eg /health. I know you can set the server.context-path but this will also impact the actuator endpoints. I know i can also put an annotation on each controller, but this could easily lead to problems when some other developer forgets it. So is there an easy way to have this prefix on each custom controller but not the spring boot actuator endpoints? Don't really car if it is with java config or some property that i haven't found yet.
Thanks
In spring boot app I set e.g. server.context-path=/mymodule. This is convenient because I don't need to repeat over and over again /mymodule prefix in #RequestMapping.
Further I want to have actuator endpoints grouped together on URLs with common prefix so I set management.context-path=/actuator.
Now actuator endpoint are mapped to /mymodule/actuator.
From security perspective I want to have actuator endpoints mapped to /actuator. Simple config on reverse proxy https://mydomain/api/mymodule -> http://oneofmyserver:port/mymodule protects that end users would not be able to access actuator.
Is it possible to map actuator endpoints to /actuator?
Probably better solution from security perspective is to export actuator on totally different port. To do it just add such properties:
management.port=9080
You can also just change context-path of actuator endpoints by using
management.context-path=/actuator
You can use the management.endpoints.web.base-path property to change the prefix for your management endpoint. Reference from spring-boot document.
The following example remaps /actuator/health to /healthcheck;
management.endpoints.web.base-path=/
management.endpoints.web.path-mapping.health=healthcheck
In case of you aren't able to use different ports and you have, for example, eureka in you environment, you can use the following:
Configure additional metadata, that you send to eureka. Simply by adding there some parameter with value of your context-path. spring docs
Configure Prometheus for using Eureka.
After that you will get an access to your custom meta-data
Finally you can use these new parameters in a relabeling step.
I'm trying to implement Spring Boot Actuator on a non "Boot Application", is there a way to configure a pattern to endpoints like endpoint/health,endpoint/metrics? Then I'll create a second realm in my existing Spring Security configuration, I tried the documentation but I could not find a thing about.
Thanks.
Did you mean management.contextPath=/endpoint (docs here)?