Http_listener in telegraf & data security

I’m trying to modify my existing setup by having my IoT devices send data to Telegraf rather than InfluxDB directly, as per this post.

I see that I can have a single [http_listener] input and then use a tag in the incoming data and the measurement filtering options in the output to let me send data to multiple different databases.

However, I’m left with 1 problem…
In my existing setup (no Telegraf, just InfluxDB) it is easy for me to create different write-access users for the different InfluxDB databases, and then have the IoT devices use these separate authentication credentials. Therefore, all the units sending data to Database1 will be using credentials that won’t work for Database2, and vice versa, giving me a further level of segregation and security.

But when I use the http_listener plugin in Telegraf, I will only have 1 username & password for the listener. Which means I cannot split up my IoT devices (so some only have permission to write to Database1, and some to Database2) - anyone who knows the http_listener credentials will be able to send data to any database, as long as they use the correct tag, which I’d like to avoid.

Is it best to have multiple http_listeners listening on different ports with different credentials, and then have my IIS frontend redirect the incoming data? eg https://mywebsite/project1/write. Or does anyone have any ideas of a better way to do it please?

It might be worth using nginx or another proxy on the edge to do authentication:

internet -> nginx -> telegrafs -> influxdb

This could allow you to listen only on :443 but split the requests out to several http_listener inputs, which I think you will need in order to tag the data appropriately so that the output plugin can send to the correct database.

I’m open to implementing some new authentication methods on http_listener as well. Perhaps something similar to auth_basic_user_file, along with automatic tagging of the username would be appropriate?

Thanks, I seem to have it working well using match patterns and URL Rewrite in IIS (:443) and then the authentication in http_listener for now. I have a setup like this (the last line is a catch to deal with my previous direct-to-Influx implementation):

Pattern        Action URL
write/ep1      http://localhost:8020/write
write/ep2      http://localhost:8021/write
...
write(/)?(.*)  http://localhost:8086/{R:0}

[[inputs.http_listener]]
  # Port must match the Action URL of the corresponding IIS rewrite rule above
  service_address = ":8200"
  read_timeout = "10s"
  write_timeout = "10s"
  # Credentials issued only to the devices belonging to endpoint 1
  basic_username = "ep1_user"
  basic_password = "ep1_pwd"
  # Tag added to every metric received on this listener; the output below routes on it
  [inputs.http_listener.tags]
    source = "ep1_listener"
...
[[outputs.influxdb]]
  urls = ["http://127.0.0.1:8086"]
  precision = "ms"
  timeout = "10s"
  database = "mydb"
  username = "mydbuser"
  password = "mydbpwd"
  # tagpass is a single table whose values are arrays (not an array of tables);
  # only metrics carrying source=ep1_listener are written to this database
  [outputs.influxdb.tagpass]
    source = ["ep1_listener"]
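A complete single-process telegraf.conf for the layout discussed in this thread (several http_listener inputs behind one TLS front end, each with its own credentials, routed by a listener tag to separate databases with separate write-only users), as an added example that is not from any post above and not the Telegraf project's own code. The endpoint names, ports, database names and credentials are placeholders, the proxy mapping in the header comment is assumed, and on Telegraf 1.9 and later the plugin is named influxdb_listener.

```toml
# Added example (not from the thread). Two device populations, two sets of
# credentials, two databases. All names, ports and passwords are placeholders.
#
# Assumed proxy mapping in front of Telegraf (IIS URL Rewrite or nginx on :443):
#   https://<host>/write/ep1  ->  http://127.0.0.1:8020/write
#   https://<host>/write/ep2  ->  http://127.0.0.1:8021/write

[agent]
  interval = "10s"
  flush_interval = "10s"

# ---- Project 1: listener, credentials and routing tag -----------------------
[[inputs.http_listener]]
  # Bind to loopback only: the proxy is the sole client, so the listener's
  # plain-HTTP port is never reachable from the network.
  service_address = "127.0.0.1:8020"
  read_timeout = "10s"
  write_timeout = "10s"
  # Basic auth credentials handed out only to project 1 devices.
  basic_username = "ep1_user"
  basic_password = "ep1_pwd"
  # Hardening to verify on your Telegraf version: current releases evaluate an
  # input's tagdrop before plugin tags are applied, so uncommenting this rejects
  # any submission that already carries a "source" tag (a device cannot then
  # relabel its data as another listener's). On releases that filter after the
  # plugin tags are added, this would drop every metric instead, so test first.
  #[inputs.http_listener.tagdrop]
  #  source = ["*"]
  # Tag stamped on every metric accepted by this listener; outputs route on it.
  [inputs.http_listener.tags]
    source = "ep1_listener"

# ---- Project 2: same shape, different credentials and tag -------------------
[[inputs.http_listener]]
  service_address = "127.0.0.1:8021"
  read_timeout = "10s"
  write_timeout = "10s"
  basic_username = "ep2_user"
  basic_password = "ep2_pwd"
  #[inputs.http_listener.tagdrop]
  #  source = ["*"]
  [inputs.http_listener.tags]
    source = "ep2_listener"

# ---- Outputs: one per database, each selected by the listener tag ----------
[[outputs.influxdb]]
  urls = ["http://127.0.0.1:8086"]
  database = "project1db"
  # InfluxDB user granted WRITE on project1db only; even a misrouted metric
  # cannot land in project2db with these credentials.
  username = "project1_writer"
  password = "project1_writer_pwd"
  precision = "ms"
  timeout = "10s"
  # tagpass (selection) is applied before tagexclude (modification), so the
  # routing tag can be stripped here and not stored as a series dimension.
  tagexclude = ["source"]
  [outputs.influxdb.tagpass]
    source = ["ep1_listener"]

[[outputs.influxdb]]
  urls = ["http://127.0.0.1:8086"]
  database = "project2db"
  username = "project2_writer"
  password = "project2_writer_pwd"
  precision = "ms"
  timeout = "10s"
  tagexclude = ["source"]
  [outputs.influxdb.tagpass]
    source = ["ep2_listener"]
```

One caveat a practitioner should weigh before trusting the tag for routing: a plugin-level `[inputs.http_listener.tags]` entry is only added when the incoming metric does not already carry that tag, so a device authenticated on the ep2 listener that includes `source=ep1_listener` in its own line protocol would be routed to project1db. The commented tagdrop block closes that hole on versions where input filtering runs before plugin tags are applied; where it does not, the robust alternative (and what the reply above hints at with "telegrafs") is one Telegraf process per endpoint, each with a single http_listener and a single influxdb output and no tag-based routing at all, so nothing a device sends can change its destination.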