Secure way to access PMM

Hello all,

After some time testing the PMM it’s time to migrate our monitoring to it.

I’m trying to find the best way to access/secure the Instance. For now, it will be a docker setup on one server.

I have found how to do it with reverse proxy (So I can get the SSL automatically) but here is the issue now:

  1. I had in mind that I’ll allow the IPs from hosts to access the PMM Server + our VPN exit nodes. With this way though, we cannot access the PMM outside the VPN Network (meaning from mobile phones to check an alert when there is no laptop access). Also, SSL will not be able to automatically renew.

  2. Do you consider leaving ports 443 & 80 (For SSL renew and remote access) open to 0.0.0.0/0 a safe approach? Of course, passwords will be strong in that case, but I cannot find anything more to secure the access on HTTPS level (2 step auth etc).

The last resort is to manually update SSL certificates and continue with solution 1. Any ideas or recommendations are welcome!

This is overhead you don’t need. PMM already has SSL capabilities. It comes with self-generated SSL certs, or you can generate and use your own directly with PMM. Check our docs for instructions.

Yes, that is typical. However, every mobile/smart phone out there is capable of connecting to VPNs.

Additionally, since PMM is based on Grafana, PMM fully supports OAuth logins (i.e. Google, Duo, Okta, etc.). See: Configure generic OAuth2 authentication | Grafana documentation

Thank you for your input on this one.

Yes, I have already installed SSL Certs, I’ll check it out this way then (without the reverse proxy). I thought OAuth is not supported, thanks for clearing things up!