
Monitorix SSL

Discussion in 'Server Configuration and Hosting' started by Sheratan, Sep 14, 2014.

  1. Sheratan

    Sheratan Well-Known Member

    So @Tracy Perry mentioned some monitoring program named Monitorix.

    I tried to install Monitorix on my Debian PC; this PC is my server replica. The installation was smooth, using izzy APT. The problem is, I can't access Monitorix on 8080, because it always redirects to HTTPS. FYI, my site is running HTTPS (nginx).

    So why is nginx, which is running on 80 and 443, redirecting Monitorix access on 8080 to HTTPS?
     
  2. Tracy Perry

    Tracy Perry Well-Known Member

    You need to set up a proxy for it.
    I set up a subdomain for it and created a vhost just for it on my Debian servers (on my CentOS ones I just did it as an include in the main vhost).
    Code:
    server {
        # ipv4
        listen 80;
        # ipv6
        listen [::]:80;
        server_name monitorix.yourdomain.com;

        error_log /var/log/nginx/stats-error.log warn;
        access_log /var/log/nginx/stats-access.log;
        root /var/lib/monitorix/www;
        #end changes needed to begin

        location /monitorix {
            auth_basic "Restricted";
            auth_basic_user_file /etc/monitorix/monitorix-users;

            include proxy_params;
            proxy_pass          http://localhost:8080/monitorix;
            allow               127.0.0.0/8;

            # for old versions up to 3.4.0
            #location ~* \.png$ {
            #    root /usr/share;
            #}

            # since 3.5.0 version
            location ~ ^/monitorix/(.+\.png)$ {
                alias /var/lib/monitorix/www/$1;
            }
        }
    }
     
  3. Sheratan

    Sheratan Well-Known Member

    I know I need to set up a proxy for it.

    I just wanted to know why nginx is redirecting 8080 to HTTPS, even though nginx is not listening on 8080?
     
  4. Tracy Perry

    Tracy Perry Well-Known Member

    nginx isn't listening at 8080, the HTTP server for monitorix is.
     
  5. Sheratan

    Sheratan Well-Known Member

    Well, in my case, all HTTP requests to 8080 are redirected to https://localhost:8080/monitorix

    Even after I put accept_selfsigned_certs = n in monitorix.conf :unsure:

    What am I missing here?
     
  6. Tracy Perry

    Tracy Perry Well-Known Member

    Mine is not redirecting to an https site. It (using the setup I showed above) redirects to a non-https site (and my main site is https).
    You will have to create a new DNS entry to duplicate the setup, and then go to it by http://monitorix.yourdomain.com (or whatever you change the monitorix to).
     
  7. Sheratan

    Sheratan Well-Known Member

    Trying to install in a fresh system...

    502 Bad Gateway - NGINX

    Code:
    recv() failed (104: Connection reset by peer) while reading response header from upstream,
    :(

    I guess I'm stuck with cacti
     
  8. Tracy Perry

    Tracy Perry Well-Known Member

    Depends on your nginx setup. There is no PHP needed so just that simple process should work. You want to send me your vhost configs in a convo and I can take a quick look at them. It is probably something to do with your nginx setup.
     
  9. Sheratan

    Sheratan Well-Known Member

    /sites-available/mon

    Code:
    server {
        listen 80;
        server_name monitoring.localhost;

        error_log /var/log/nginx/stats-error.log warn;
        access_log /var/log/nginx/stats-access.log;
        root /var/lib/monitorix/www;

        location /monitorix {
            auth_basic "Staff Only";
            auth_basic_user_file /etc/monitorix/monitorix-users;

            include proxy_params;
            #proxy_pass          http://localhost:8080/monitorix;
            proxy_pass          http://unix:/var/run/php5-fpm.sock:8080/monitorix;
            allow               127.0.0.0/8;

            # for old versions up to 3.4.0
            #location ~* \.png$ {
            #    root /usr/share;
            #}

            # since 3.5.0 version
            location ~ ^/monitorix/(.+\.png)$ {
                alias /var/lib/monitorix/www/$1;
            }
        }
    }

    /sites-available/default

    Code:
    server {
        listen 80;
        server_name localhost;
        return 301 https://localhost$request_uri;
        server_tokens off;
    }
    
    # HTTPS server
    #
    server {
        listen 443 ssl spdy default_server;
        server_name localhost;
        spdy_headers_comp 5;
      
        root /usr/share/nginx/html;
        index index.php index.html index.htm;
        server_tokens off;
    
        ssl on;
        ssl_certificate /myssl/ssl.pem;
        ssl_certificate_key /myssl/ssl.key;
        ssl_dhparam /myssl/dhparam.pem;
      
        ssl_session_timeout 10m;
      
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-CAMELLIA256-SHA:ECDHE-ECDSA-AES256-CBC-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-CBC-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:RC4-SHA;
      
        add_header Strict-Transport-Security max-age=31536000;
      
        location / {
            try_files $uri $uri/ /index.php?$uri&$args;
        }
    
        location ~ \.php$ {
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_index index.php;
            fastcgi_param HTTPS on;
            fastcgi_param HTTP_SCHEME https;
            include fastcgi_params;
            try_files $uri $uri =404;
            fastcgi_read_timeout 600;
        }
    
        location ~ /\.ht {
            deny all;
        }
    
        error_page 404 /404.html;
        error_page 401 403 /401-403.html;
        error_page 504 /504.html;
        error_page 503 /503.html;
    
        location ~* \.(?:ico|jpe?g|gif|png|css|js|xml)(\?.+)?$ {    
            access_log    off;    
            log_not_found    off;    
            expires     1y;
        }
    
        location /internal_data/ {    
            internal;  
        }
    
    
        location /library/ {    
            internal;  
        }
    
        location /error_page/ {    
            internal;  
        }
    
        location  /404.html {
              internal;
        }
    
        location  /401-403.html {
              internal;
        }
    
        location  /504.html {
              internal;
        }
      
        location  /503.html {
              internal;
        }
    
        location /install {
            auth_basic "Staff Only";
            auth_basic_user_file /htpasswd;
        }
    }
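
A possible explanation for `http://localhost:8080` turning into `https://localhost:8080/monitorix`, not confirmed anywhere in the thread: the default vhost above sends `Strict-Transport-Security` for `localhost`, and a browser that has stored that policy upgrades `http://localhost` URLs on every port before the request leaves the machine. The JavaScript below is an added example modelling the RFC 6797 rules, not code from any poster; `hstsStore`, `noteHstsHeader`, `isHstsHost` and `upgradeUrl` are hypothetical names.

```javascript
// Added example: browser-side HSTS handling per RFC 6797 (sections 8.1.1 and 8.3).
// hstsStore is a constructed stand-in for the browser's internal HSTS list.
const hstsStore = new Map();

// HSTS never applies to IP-literal hosts such as 127.0.0.1 or [::1].
const isIpLiteral = (h) => /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(':');

// Record the policy from a Strict-Transport-Security header seen over HTTPS.
function noteHstsHeader(host, headerValue, now = Date.now()) {
  const name = host.toLowerCase();
  if (isIpLiteral(name)) return;
  const directives = headerValue.split(';').map((d) => d.trim().toLowerCase());
  const maxAge = directives.find((d) => d.startsWith('max-age='));
  if (!maxAge) return; // max-age is mandatory; ignore the header without it
  const seconds = parseInt(maxAge.slice('max-age='.length).replace(/"/g, ''), 10);
  if (Number.isNaN(seconds)) return;
  if (seconds === 0) { hstsStore.delete(name); return; } // max-age=0 clears the policy
  hstsStore.set(name, {
    expires: now + seconds * 1000,
    includeSubDomains: directives.includes('includesubdomains'),
  });
}

// Known HSTS host: exact match, or a parent domain stored with includeSubDomains.
function isHstsHost(host, now = Date.now()) {
  if (isIpLiteral(host)) return false;
  const labels = host.toLowerCase().split('.');
  for (let i = 0; i < labels.length; i++) {
    const entry = hstsStore.get(labels.slice(i).join('.'));
    if (entry && entry.expires > now && (i === 0 || entry.includeSubDomains)) return true;
  }
  return false;
}

// Rewrite an http:// URL the way the browser does before any packet is sent.
// The port is not part of the policy: explicit non-default ports are kept as-is.
function upgradeUrl(rawUrl, now = Date.now()) {
  const url = new URL(rawUrl);
  if (url.protocol !== 'http:' || !isHstsHost(url.hostname, now)) return url.href;
  url.protocol = 'https:'; // default port 80 becomes the https default, 8080 stays 8080
  return url.href;
}

// Header value taken from the default vhost in the thread; the visit is constructed.
noteHstsHeader('localhost', 'max-age=31536000');
for (const u of ['http://localhost:8080/monitorix',
  'http://monitoring.localhost/monitorix', 'http://127.0.0.1:8080/monitorix']) {
  console.log(u, '->', upgradeUrl(u));
}
```

Requesting `http://127.0.0.1:8080/monitorix` instead of the `localhost` name, or clearing the stored `localhost` policy in the browser, is a quick way to check whether this is what is happening.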
    
     
  10. Tracy Perry

    Tracy Perry Well-Known Member

    I know this may sound silly... but did you put a host definition in for monitoring.localhost pointing to 127.0.0.1?
     
  11. Sheratan

    Sheratan Well-Known Member

    This really sounds silly. I'm not a native English user. Care to explain what you mean? :D
     
  12. Tracy Perry

    Tracy Perry Well-Known Member

    On your computer that you have the localhost setup installed (if a Linux box) in /etc you have a file called hosts
    Code:
    127.0.0.1 localhost
    127.0.0.1 monitorix.localhost
    
    needs to be in there at least. That way nginx knows that monitorix.localhost is a local vhost.
     
  13. Sheratan

    Sheratan Well-Known Member

    Oh. I have done that. I can call monitorix.localhost in my browser. I can see "Hostname", "Graph", "Daily", "Weekly" etc but after I click "Ok" I got 502 Gateway.
     
  14. Tracy Perry

    Tracy Perry Well-Known Member

    Honestly, I haven't installed it on a localhost environment, so it may be something specific to that - or the way you have your nginx/php-fpm (and there are several different ways) configured.
    My "localhost" testing environment consists of an actual VPS I have set out on my server.
     
  15. Sheratan

    Sheratan Well-Known Member

    Well, I'm gonna play with it next time. But for now, cacti is my hero.
     
  16. MattW

    MattW Well-Known Member

    Code:
    location /monitorix {
        include proxy_params;
        proxy_pass      http://127.0.0.1:8080/monitorix;
        allow           127.0.0.0/8;

        location ~* \.png$ {
            root /usr/share;
        }
    }
    You also need to set up some proxy parameters
    Code:
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     
  17. Sheratan

    Sheratan Well-Known Member

    Already tried using the PHP port, still no luck.

    proxy_params is already set like above.
     
  18. Sheratan

    Sheratan Well-Known Member

    Wait. What is the difference between

    proxy_set_header Host $host;

    proxy_set_header Host $http_host;
     
  19. MattW

    MattW Well-Known Member

    http://nginx.org/en/docs/http/ngx_http_proxy_module.html

    An unchanged “Host” request header field can be passed like this:
    Code:
    proxy_set_header Host $http_host;
    However, if this field is not present in a client request header then nothing will be passed. In such a case it is better to use the $host variable - its value equals the server name in the “Host” request header field or the primary server name if this field is not present:
    Code:
    proxy_set_header Host $host;
    The settings I posted are what I used to get it working on my server, with the domain on HTTPS.
     
  20. Tracy Perry

    Tracy Perry Well-Known Member

    What's weird is I didn't have to do anything with that on my Debian box.
     
