Quick Start
Requirements: Java 17 or newer
Installation
Download the latest proxy and agent JAR files from the GitHub Releases page.
JARs are generated in build/libs/:
build/libs/prometheus-proxy.jar
build/libs/prometheus-agent.jar
Start the Proxy
The proxy runs outside the firewall alongside your Prometheus server.
Start the Agent
The agent runs inside the firewall with your monitored services. It needs a configuration file that specifies which metrics endpoints to expose.
Create an Agent Config
Create a file called agent.conf:
agent {
  proxy.hostname = "proxy-host.example.com"
  pathConfigs: [
    {
      name: "My App metrics"
      path: my_app_metrics
      url: "http://localhost:9100/metrics"
    }
  ]
}
Each entry in pathConfigs maps:
- path -- the URL path on the proxy that Prometheus will scrape
- url -- the actual metrics endpoint the agent will fetch from
Start the Agent
Or specify the proxy hostname on the command line:
Configure Prometheus
Add scrape targets pointing to the proxy:
scrape_configs:
  - job_name: 'my-app'
    metrics_path: '/my_app_metrics'
    static_configs:
      - targets: ['proxy-host.example.com:8080']
The metrics_path must match the path value in the agent's pathConfigs.
Verify
Check that metrics are flowing through the proxy:
Multiple Endpoints
An agent can serve multiple metrics endpoints. Each gets its own path on the proxy:
agent {
  pathConfigs: [
    {
      name: "App1 metrics"
      path: app1_metrics
      url: "http://app1.local:9100/metrics"
    },
    {
      name: "App2 metrics"
      path: app2_metrics
      url: "http://app2.local:9100/metrics"
    },
    {
      name: "App3 metrics"
      path: app3_metrics
      url: "http://app3.local:9100/metrics"
    }
  ]
}
The corresponding Prometheus configuration:
scrape_configs:
  - job_name: 'app1'
    metrics_path: '/app1_metrics'
    static_configs:
      - targets: ['proxy-host.example.com:8080']
  - job_name: 'app2'
    metrics_path: '/app2_metrics'
    static_configs:
      - targets: ['proxy-host.example.com:8080']
  - job_name: 'app3'
    metrics_path: '/app3_metrics'
    static_configs:
      - targets: ['proxy-host.example.com:8080']
Authentication
When Prometheus scrape configs include basic_auth or bearer_token, the proxy forwards the
Authorization header to the agent, which includes it when fetching from the target endpoint.
scrape_configs:
  # Bearer token authentication
  - job_name: 'app1'
    metrics_path: '/app1_metrics'
    bearer_token: 'eyJhbGciOiJIUzI1NiIs...'
    static_configs:
      - targets: ['proxy-host.example.com:8080']
  # Basic auth
  - job_name: 'app2'
    metrics_path: '/app2_metrics'
    basic_auth:
      username: 'user'
      password: 's3cr3t'
    static_configs:
      - targets: ['proxy-host.example.com:8080']
  # No auth
  - job_name: 'app3'
    metrics_path: '/app3_metrics'
    static_configs:
      - targets: ['proxy-host.example.com:8080']
Enable TLS for auth forwarding
Without TLS, authorization headers are transmitted in plaintext between proxy and agent. See Security for TLS setup instructions.
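A pre-deployment check for the two requirements above, as an added example that is not part of the prometheus-proxy project: every metrics_path must match a path in the agent's pathConfigs, and jobs that carry basic_auth or bearer_token should only be scraped when TLS is enabled. The inputs are constructed samples, the function names are hypothetical, the parsing covers only the config layout shown on this page, and tls_enabled is a value the operator supplies.

```python
import re

# Constructed sample inputs in the layout this page uses (not from a real deployment).
AGENT_CONF = """
agent { pathConfigs: [
  { name: "App1 metrics", path: app1_metrics, url: "http://app1.local:9100/metrics" }
  { name: "App2 metrics", path: app2_metrics, url: "http://app2.local:9100/metrics" }
] }
"""
PROM_YAML = """
scrape_configs:
  - job_name: 'app1'            # path matches, carries a bearer token
    metrics_path: '/app1_metrics'
    bearer_token: 'CONSTRUCTED-PLACEHOLDER'
    static_configs:
      - targets: ['proxy-host.example.com:8080']
  - job_name: 'app2'            # typo in path, carries basic auth
    metrics_path: '/app2_metric'
    basic_auth: {username: 'user', password: 'CONSTRUCTED-PLACEHOLDER'}
    static_configs:
      - targets: ['proxy-host.example.com:8080']
  - job_name: 'app3'            # no agent entry for this path, no auth
    metrics_path: '/app3_metrics'
    static_configs:
      - targets: ['proxy-host.example.com:8080']
"""

def agent_paths(conf):
    """Return the set of `path` values declared in the agent's pathConfigs."""
    return set(re.findall(r'\bpath\s*[:=]\s*"?([\w\-./]+)', conf))

def scrape_jobs(yaml_text):
    """Yield (job_name, metrics_path, has_auth) for each scrape job."""
    text = re.sub(r"(?m)(^|[ \t])#.*$", "", yaml_text)  # drop YAML comments
    for block in re.split(r"(?m)^\s*-\s*job_name:", text)[1:]:
        name = block.splitlines()[0].strip().strip("'\"")
        m = re.search(r"metrics_path:\s*['\"]?([^'\"\s]+)", block)
        has_auth = re.search(r"(?m)^\s*(basic_auth|bearer_token)\s*:", block) is not None
        yield name, (m.group(1) if m else "/metrics"), has_auth  # Prometheus default path

def lint(agent_conf, prom_yaml, tls_enabled):
    """tls_enabled: operator-supplied assumption; TLS keys are not shown on this page."""
    paths, findings = agent_paths(agent_conf), []
    for name, mpath, has_auth in scrape_jobs(prom_yaml):
        if mpath.lstrip("/") not in paths:
            findings.append((name, "metrics_path has no matching agent path"))
        if has_auth and not tls_enabled:
            findings.append((name, "Authorization header forwarded without TLS"))
    return findings
```

Calling lint(AGENT_CONF, PROM_YAML, tls_enabled=False) returns one (job, finding) tuple per problem; an empty list means every job maps to an agent path and no credentials cross the proxy-agent link in plaintext.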
Next Steps
- Agent Configuration: All agent settings including path configs, HTTP client, and scrape options
- Proxy Configuration: All proxy settings including HTTP service, gRPC, and service discovery
- Docker Usage: Production Docker setups and docker-compose examples
- Security & TLS: Secure the proxy-agent connection with TLS and mutual authentication