Monitorix SSL

[Sheratan]

So @Tracy Perry mentioned some monitoring program named Monitorix.

I try to install Monitorix in my Debian PC, this PC is my server replica. The installation is smooth, using izzy APT. The problem is, I can't access Monitorix in 8080, because it always redirect to HTTPS. FYI, my site is running HTTPS (nginx).

So, why, nginx, who is running in 80 and 443, is redirecting monitorix access in 8080 to https?

 

[TPerry]

So @Tracy Perry mentioned some monitoring program named Monitorix.

I try to install Monitorix in my Debian PC, this PC is my server replica. The installation is smooth, using izzy APT. The problem is, I can't access Monitorix in 8080, because it always redirect to HTTPS. FYI, my site is running HTTPS (nginx).

So, why, nginx, who is running in 80 and 443, is redirecting monitorix access in 8080 to https?

You need to set up a proxy for it.
I set up a subdomain for it and created a vhost just for it on my Debian servers (on my CentOS ones I just did it as an include in the main vhost).

server {
# ipv4
listen 80;
# ipv6
listen [::]:80;
    server_name monitorix.yourdomain.com;


    error_log /var/log/nginx/stats-error.log warn;
    access_log /var/log/nginx/stats-access.log;
    root /var/lib/monitorix/www;
    #end changes needed to begin

location /monitorix {
   auth_basic "Restricted";
   auth_basic_user_file /etc/monitorix/monitorix-users;

    include proxy_params;
    proxy_pass          http://localhost:8080/monitorix;
    allow               127.0.0.0/8;

    # for old versions up to 3.4.0
#    location ~* \.png$ {
#       root /usr/share;
#    }

    # since 3.5.0 version
    location ~ ^/monitorix/(.+\.png)$ {
        alias /var/lib/monitorix/www/$1;
    }
}

}

 

[Sheratan]

I know I need to setup a proxy for it.

I just wanted to know why nginx is redirecting 8080 to https, event nginx is not listening in 8080?

 

[TPerry]

I know I need to setup a proxy for it.

I just wanted to know why nginx is redirecting 8080 to https, event nginx is not listening in 8080?

nginx isn't listening at 8080, the HTTP server for monitorix is.

 

[Sheratan]

Well, in my case, all http request to 8080 is redirected to https://localhost:8080/monitorix

Even after I put accept_selfsigned_certs = n in monitorix.conf

What do I miss in here?

 

[TPerry]

Well, in my case, all http request to 8080 is redirected to https://localhost:8080/monitorix

Even after I put accept_selfsigned_certs = n in monitorix.conf

What do I miss in here?

Mine is not redirecting to an https site. It (using the setup I showed above) redirects to a non-https site (and my main site is https).
You will have to create a new DNS entry to duplicate the setup, and then go to it by http://monitorix.yourdomain.com (or whatever you change the monitorix to).

 

[Sheratan]

Trying to install in a fresh system...

502 Bad Gateway - NGINX

recv() failed (104: Connection reset by peer) while reading response header from upstream,

I guess I'm stick with cacti

 

[TPerry]

Trying to install in a fresh system...

502 Bad Gateway - NGINX

recv() failed (104: Connection reset by peer) while reading response header from upstream,

I guess I'm stick with cacti

Depends on your nginx setup. There is no PHP needed so just that simple process should work. You want to send me your vhost configs in a convo and I can take a quick look at them. It is probably something to do with your nginx setup.

 

[Sheratan]

/sites-available/mon

server {
    listen 80;
        server_name monitoring.localhost;

    error_log /var/log/nginx/stats-error.log warn;
    access_log /var/log/nginx/stats-access.log;
    root /var/lib/monitorix/www;
  
    location /monitorix {
    auth_basic "Staff Only";
    auth_basic_user_file /etc/monitorix/monitorix-users;

    include proxy_params;
        #proxy_pass          http://localhost:8080/monitorix;
    proxy_pass       http://unix:/var/run/php5-fpm.sock:8080/monitorix;
        allow               127.0.0.0/8;

        # for old versions up to 3.4.0
    #location ~* \.png$ {
    #root /usr/share;
    #}

        # since 3.5.0 version
        location ~ ^/monitorix/(.+\.png)$ {
        alias /var/lib/monitorix/www/$1;
        }
    }
}

/sites-available/default

server {
    listen 80;
    server_name localhost;
    return 301 https://localhost$request_uri;
    server_tokens off;
}

# HTTPS server
#
server {
    listen 443 ssl spdy default_server;
    server_name localhost;
    spdy_headers_comp 5;
  
    root /usr/share/nginx/html;
    index index.php index.html index.htm;
    server_tokens off;

    ssl on;
    ssl_certificate /myssl/ssl.pem;
    ssl_certificate_key /myssl/ssl.key;
    ssl_dhparam /myssl/dhparam.pem;
  
    ssl_session_timeout 10m;
  
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-CAMELLIA256-SHA:ECDHE-ECDSA-AES256-CBC-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-CBC-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:RC4-SHA;
  
    add_header Strict-Transport-Security max-age=31536000;
  
    location / {
        try_files $uri $uri/ /index.php?$uri&$args;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param HTTPS on;
        fastcgi_param HTTP_SCHEME https;
        include fastcgi_params;
        try_files $uri $uri =404;
        fastcgi_read_timeout 600;
    }

    location ~ /\.ht {
        deny all;
    }

    error_page 404 /404.html;
    error_page 401 403 /401-403.html;
    error_page 504 /504.html;
    error_page 503 /503.html;

    location ~* \.(?:ico|jpe?g|gif|png|css|js|xml)(\?.+)?$ {    
        access_log    off;    
        log_not_found    off;    
        expires     1y;
    }

    location /internal_data/ {    
        internal;  
    }


    location /library/ {    
        internal;  
    }

    location /error_page/ {    
        internal;  
    }

    location  /404.html {
          internal;
    }

    location  /401-403.html {
          internal;
    }

    location  /504.html {
          internal;
    }
  
    location  /503.html {
          internal;
    }

    location /install {
                auth_basic "Staff Only";
                auth_basic_user_file /htpasswd;
        }
}

 

[TPerry]

I know this may sound silly... but did you put a host definition in for monitoring.localhost pointing to 127.0.0.1?

 

[Sheratan]

I know this may sound silly... but did you put a host definition in for monitoring.localhost pointing to 127.0.0.1?

This is really sound silly. I'm not a native english user. Care to explain what do you mean?

 

[TPerry]

This is really sound silly. I'm not a native english user. Care to explain what do you mean?

On your computer that you have the localhost setup installed (if a Linux box) in /etc you have a file called hosts

127.0.0.1 localhost
127.0.0.1 monitorix.localhost

needs to be in there at least. That way nginx knows that monitorix.localhost is a local vhost.

 

[Sheratan]

On your computer that you have the localhost setup installed (if a Linux box) in /etc you have a file called hosts

127.0.0.1 localhost
127.0.0.1 monitorix.localhost

needs to be in there at least. That way nginx knows that monitorix.localhost is a local vhost.

Oh. I have done that. I can call monitorix.localhost in my browser. I can see "Hostname", "Graph", "Daily", "Weekly" etc but after I click "Ok" I got 502 Gateway.

 

[TPerry]

Honestly, I haven't installed it on a localhost environment, so it may be something specific to that - or the way you have your nginx/php-fpm (and there are several different ways) configured.
My "localhost" testing environment consists of an actual VPS I have set out on my server.

 

[Sheratan]

Well, I gonna play it next time. But for now, cacti is my hero.

 

[MattW]

location /monitorix {
                include proxy_params;
                proxy_pass              http://127.0.0.1:8080/monitorix;
                allow           127.0.0.0/8;

                location ~* \.png$ {
                        root /usr/share;
                }
        }

You also need to set up some proxy parameters

proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

 

[Sheratan]

Already trying using PHP port, still no luck.

proxy_params is already set like above.

 

[Sheratan]

Wait. What is the difference between

proxy_set_header Host $host;

proxy_set_header Host $http_host;

 

[MattW]

http://nginx.org/en/docs/http/ngx_http_proxy_module.html

An unchanged “Host” request header field can be passed like this:

proxy_set_header Host $http_host;

However, if this field is not present in a client request header then nothing will be passed. In such a case it is better to use the $host variable - its value equals the server name in the “Host” request header field or the primary server name if this field is not present:

proxy_set_header Host $host;

The settings I posted is what I used to get it working on my server, with the domain on HTTPS.

 

[TPerry]

The settings I posted is what I used to get it working on my server, with the domain on HTTPS.

What's weird is I didn't have to do anything with that on my Debian box.