From 56ec19d2da0fd1050d39df2a523e1671ea2b95c1 Mon Sep 17 00:00:00 2001 From: Xe Iaso Date: Wed, 22 Apr 2026 19:41:18 -0400 Subject: [PATCH] doc: document metrics TLS and mTLS Signed-off-by: Xe Iaso --- docs/docs/CHANGELOG.md | 1 + docs/docs/admin/policies.mdx | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 34 insertions(+) diff --git a/docs/docs/CHANGELOG.md b/docs/docs/CHANGELOG.md index 785dfa03..d1bd4935 100644 --- a/docs/docs/CHANGELOG.md +++ b/docs/docs/CHANGELOG.md @@ -21,6 +21,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Improve error messages and fix broken REDIRECT_DOMAINS link in docs ([#1193](https://github.com/TecharoHQ/anubis/issues/1193)) - Add Bulgarian locale ([#1394](https://github.com/TecharoHQ/anubis/pull/1394)) - Fix CEL internal errors when iterating `headers`/`query` map wrappers by implementing map iterators for `HTTPHeaders` and `URLValues` ([#1465](https://github.com/TecharoHQ/anubis/pull/1465)). +- Enable [metrics serving via TLS](./admin/policies.mdx#tls), including [mutual TLS (mTLS)](./admin/policies.mdx#mtls). ## v1.25.0: Necron diff --git a/docs/docs/admin/policies.mdx b/docs/docs/admin/policies.mdx index 37998948..06de8dd8 100644 --- a/docs/docs/admin/policies.mdx +++ b/docs/docs/admin/policies.mdx 
@@ -138,6 +138,39 @@ metrics: socketMode: "0700" # must be a string ``` +### TLS + +If you want to serve the metrics server over TLS, use the `tls` block: + +```yaml +metrics: + bind: ":9090" + network: "tcp" + + tls: + certificate: /path/to/tls.crt + key: /path/to/tls.key +``` + +The certificate and key will automatically be reloaded when the respective files change. + +### mTLS + +If you want to validate requests to ensure that they use a client certificate signed by a certificate authority (mutual TLS or mTLS), set the `ca` value in the `tls` block: + +```yaml +metrics: + bind: ":9090" + network: "tcp" + + tls: + certificate: /path/to/tls.crt + key: /path/to/tls.key + ca: /path/to/ca.crt +``` + +As it is not expected for certificate authority certificates to change often, the CA certificate will NOT be automatically reloaded when the respective file changes. + ## Imprint / Impressum support Anubis has support for showing imprint / impressum information. This is defined in the `impressum` block of your configuration. See [Imprint / Impressum configuration](./configuration/impressum.mdx) for more information.
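Review bot: The added entry in docs/docs/CHANGELOG.md has no issue or pull request link, while the three entries directly above it each end with one (#1193, #1394, #1465). Add the reference for the change that introduced metrics TLS, in the same parenthesised link form, so the entry can be traced like its neighbours. The wording "Enable" also reads as a feature change while the subject line is "doc: document ...", so confirm the entry describes the right commit.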
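Review bot: In the new mTLS section of docs/docs/admin/policies.mdx, the closing sentence says the CA certificate will NOT be reloaded when the file changes but gives no instruction for applying a replaced CA. Say what the operator has to do for a new `ca` file to take effect, because until then the previously loaded CA remains the trust anchor for metrics clients, which matters when a CA is being withdrawn. The same section says requests are validated but not what happens to a client that presents no certificate, or one not signed by `ca`; state the outcome explicitly, and say whether `ca` may contain more than one CA certificate. In the TLS section, "will automatically be reloaded" should be followed by what is served when the new `certificate` and `key` cannot be loaded or do not match, for example while the two files are being replaced one after the other.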