Metrics Settings

This reference covers all of Pomerium's Metrics Settings:

Metrics Address

Metrics Address exposes a Prometheus endpoint on the specified port.

Danger:

Use with caution: the endpoint can expose frontend and backend server names or addresses. Do not externally expose the metrics if this is sensitive information.

How to configure

| Config file keys | Environment variables | Type | Usage | Default |
| --- | --- | --- | --- | --- |
| metrics_address | METRICS_ADDRESS | string | optional | disabled |

Examples

# config file key
metrics_address: :9090

# environment variable
METRICS_ADDRESS: 127.0.0.1:9090

Pomerium Metrics Tracked

Each metric exposed by Pomerium has a pomerium prefix, which is omitted in the table below for brevity.

| Name | Type | Description |
| --- | --- | --- |
| build_info | Gauge | Pomerium build metadata by git revision, service, version and go version |
| config_checksum_int64 | Gauge | Currently loaded configuration checksum by service |
| config_last_reload_success | Gauge | Whether the last configuration reload succeeded by service |
| config_last_reload_success_timestamp | Gauge | The timestamp of the last successful configuration reload by service |
| grpc_client_request_duration_ms | Histogram | GRPC client request duration by service |
| grpc_client_request_size_bytes | Histogram | GRPC client request size by service |
| grpc_client_requests_total | Counter | Total GRPC client requests made by service |
| grpc_client_response_size_bytes | Histogram | GRPC client response size by service |
| grpc_server_request_duration_ms | Histogram | GRPC server request duration by service |
| grpc_server_request_size_bytes | Histogram | GRPC server request size by service |
| grpc_server_requests_total | Counter | Total GRPC server requests made by service |
| grpc_server_response_size_bytes | Histogram | GRPC server response size by service |
| http_client_request_duration_ms | Histogram | HTTP client request duration by service |
| http_client_request_size_bytes | Histogram | HTTP client request size by service |
| http_client_requests_total | Counter | Total HTTP client requests made by service |
| http_client_response_size_bytes | Histogram | HTTP client response size by service |
| http_server_request_duration_ms | Histogram | HTTP server request duration by service |
| http_server_request_size_bytes | Histogram | HTTP server request size by service |
| http_server_requests_total | Counter | Total HTTP server requests handled by service |
| http_server_response_size_bytes | Histogram | HTTP server response size by service |
| storage_operation_duration_ms | Histogram | Storage operation duration by operation, result, backend and service |

Identity Manager

Identity manager metrics have a pomerium_identity_manager prefix.

| Name | Type | Description |
| --- | --- | --- |
| last_refresh_timestamp | Gauge | Timestamp of the last directory refresh operation. |
| session_refresh_error_timestamp | Gauge | Timestamp of the last session refresh that ended in an error. |
| session_refresh_errors | Counter | Session refresh error counter. |
| session_refresh_success | Counter | Session refresh success counter. |
| session_refresh_success_timestamp | Gauge | Timestamp of the last successful session refresh. |
| user_group_refresh_error_timestamp | Gauge | Timestamp of the last user group refresh that ended in an error. |
| user_group_refresh_errors | Counter | User group refresh error counter. |
| user_group_refresh_success | Counter | User group refresh success counter. |
| user_group_refresh_success_timestamp | Gauge | Timestamp of the last successful user group refresh. |
| user_refresh_error_timestamp | Gauge | Timestamp of the last user refresh that ended in an error. |
| user_refresh_errors | Counter | User refresh error counter. |
| user_refresh_success | Counter | User refresh success counter. |
| user_refresh_success_timestamp | Gauge | Timestamp of the last successful user refresh. |

Envoy Proxy Metrics

As of v0.9, Pomerium uses Envoy for the data plane. As such, proxy-related metrics are sourced from Envoy, and use Envoy's internal stats data model. Please see Envoy's documentation for information about specific metrics.

All metrics coming from Envoy are labeled with service="pomerium" or service="pomerium-proxy", depending on whether you're running in all-in-one or distributed service mode, and have the pomerium prefix added to the standard Envoy metric name.

See Configuration & Settings for more information on configuration environments.

Metrics Basic Authentication

Metrics Basic Authentication requires Basic HTTP Authentication to access the metrics endpoint.

To support this in Prometheus, consult the basic_auth option in the scrape_config documentation.

How to configure

| Config file keys | Environment variables | Type | Usage |
| --- | --- | --- | --- |
| metrics_basic_authentication | METRICS_BASIC_AUTHENTICATION | string (base64 encoded) | optional |

Examples

# for username: x and password: y
metrics_basic_authentication: eDp5

METRICS_BASIC_AUTHENTICATION=eDp5

Metrics Certificate

Metrics Certificate uses a certificate to secure the metrics endpoint.

A Certificate is an X.509 public-key and private-key pair.

Note:

All certificates supplied to Pomerium must be in PEM format.

How to configure

| Config file keys | Environment variables | Type | Usage |
| --- | --- | --- | --- |
| metrics_certificate and metrics_certificate_key | METRICS_CERTIFICATE and METRICS_CERTIFICATE_KEY | string | optional |
| metrics_certificate_file and metrics_certificate_key_file | METRICS_CERTIFICATE_FILE and METRICS_CERTIFICATE_KEY_FILE | string | optional |

Examples

# config file key
metrics_certificate: base64-encoded-string
metrics_certificate_key: base64-encoded-string

# environment variable
METRICS_CERTIFICATE_FILE=/relative/file/location
METRICS_CERTIFICATE_KEY_FILE=/relative/file/location

Metrics Client Certificate Authority

Metrics Client Certificate Authority is the X.509 public-key used to validate mTLS client certificates for the metrics endpoint. If not set, no client certificate will be required.

How to configure

| Config file keys | Environment variables | Type | Usage |
| --- | --- | --- | --- |
| metrics_client_ca and metrics_client_ca_file | METRICS_CLIENT_CA and METRICS_CLIENT_CA_FILE | string | optional |

Examples

# config file key
metrics_client_ca: base64-encoded-string

# environment variable
METRICS_CLIENT_CA_FILE=/relative/file/location
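
The settings above interact: the bind address decides who can reach the endpoint, and basic authentication, the certificate and the client CA decide how it is protected. The following audit is an added example, not Pomerium's own code; the function names and finding codes are hypothetical, the dict stands in for a parsed config file, and the client-CA check assumes client certificates are only verified during a TLS handshake.

```python
import base64
import ipaddress

def is_loopback_bind(addr):
    """True only when the host part of host:port is a loopback address."""
    host = addr.rsplit(":", 1)[0].strip("[]")
    try:
        return ipaddress.ip_address("127.0.0.1" if host == "localhost" else host).is_loopback
    except ValueError:
        return False  # empty host (":9090") listens on every interface

def decode_basic_auth(value):
    """Return (user, password) from base64("user:password"), or None if malformed."""
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    user, sep, password = text.partition(":")
    return (user, password) if sep and user and password else None

def either(cfg, key):
    """A setting counts as present if its inline or its *_file form is set."""
    return bool(cfg.get(key) or cfg.get(key + "_file"))

def audit_metrics(cfg):
    """Return a list of finding codes for a dict of Pomerium metrics settings."""
    addr = cfg.get("metrics_address")
    if not addr:
        return []  # the endpoint is disabled by default
    findings = []
    cert, key = either(cfg, "metrics_certificate"), either(cfg, "metrics_certificate_key")
    client_ca = either(cfg, "metrics_client_ca")
    basic = cfg.get("metrics_basic_authentication")
    exposed = not is_loopback_bind(addr)
    if cert != key:
        findings.append("certificate-and-key-must-be-set-together")
    if basic and decode_basic_auth(basic) is None:
        findings.append("basic-auth-not-base64-user-colon-password")
    if exposed and not (basic or client_ca):
        findings.append("reachable-without-authentication")
    if exposed and basic and not cert:
        findings.append("basic-auth-credentials-sent-without-tls")
    if client_ca and not cert:
        findings.append("client-ca-set-without-server-certificate")
    return findings

# Constructed sample: the page's ":9090" bind combined with its x/y basic-auth value.
SAMPLE = {"metrics_address": ":9090", "metrics_basic_authentication": "eDp5"}
print(audit_metrics(SAMPLE))
```
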