API proxy for aNag notifications

Hi there,

We want to receive notifications on our mobile phones via the aNag Android app.
With icinga/nagios we used the cgi-bin interface but with icinga2 we want to use the icinga2 API.

As our icinga2 instance is only accessible over a load balancer, I want to proxy pass the requests.
E.g. monitoring.example.com/api -> proxy pass -> icinga.example.com:5665

Currently our API has the automatically generated, self signed certificates.

As I don’t need certificates/TLS, is there any chance to use the API with http and not https? -> our https is done at load balancer (nginx) level.

THX, Georg

Hi,

please create new topics for new questions. I’ve split this from the old topic.

HTTPS is enforced by the Icinga 2 REST API, there’s no support for http inside the code. What’s the problem with proxying those requests, do you have concrete configuration samples?

Cheers,
Michael

OK, then I will test to directly proxy those requests.

I assume I can replace these certs with my own?
/var/lib/icinga2/certs# ls
total 32
drwx------ 2 nagios nagios 4096 Apr 23 16:57 .
drwxr-x--- 5 nagios nagios 12288 Apr 24 12:12 ..
-rw-r--r-- 1 nagios nagios 1720 Sep 27 2018 ca.crt
-rw-r--r-- 1 nagios nagios 1777 Sep 27 2018 monitoring.crt
-rw-r--r-- 1 nagios nagios 1671 Sep 27 2018 monitoring.csr
-rw------- 1 nagios nagios 3243 Sep 27 2018 monitoring.key

Although I haven’t tried it, I think that would break every endpoint you currently have.

You should be able to use Icinga’s certs for an https reverse proxy so your load balancer can verify it. I haven’t tried it (but now I want to). For example, here’s how it’s done in Nginx’s documentation. Your product may vary.
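An added example (not from any poster in this thread) of the reverse-proxy setup suggested above: nginx terminates the public TLS and re-encrypts to the Icinga 2 API, verifying the upstream against a copy of Icinga's `ca.crt`. The host names come from the first post; the file paths on the proxy and the certificate name `monitoring` (guessed from `monitoring.crt`) are assumptions.

```nginx
# Added example; file paths on the proxy are assumed placeholders.
server {
    listen 443 ssl;
    server_name monitoring.example.com;

    # Public-facing certificate of the load balancer (placeholder paths).
    ssl_certificate     /etc/nginx/tls/monitoring.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/monitoring.example.com.key;

    # monitoring.example.com/api/... -> https://icinga.example.com:5665/...
    location /api/ {
        # The trailing slash strips the /api/ prefix, so /api/v1/status
        # reaches Icinga as /v1/status.
        proxy_pass https://icinga.example.com:5665/;

        # Weak variant: nginx defaults to "proxy_ssl_verify off", which
        # encrypts the upstream hop but never checks the certificate.
        # proxy_ssl_verify off;

        # Verify the upstream against a copy of /var/lib/icinga2/certs/ca.crt
        # placed on the proxy (assumed destination path).
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/icinga2/ca.crt;

        # Icinga issues its certificate for the node name, not the DNS name
        # used in proxy_pass. "monitoring" is an assumption based on the file
        # name monitoring.crt; it must match the certificate's CN/SAN.
        proxy_ssl_name        monitoring;
        proxy_ssl_server_name on;
    }
}
```

Only the public `ca.crt` needs to be copied to the proxy; `monitoring.key` stays on the Icinga host, and the existing Icinga CA is left untouched.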

Replacing the CA key pair, and as such the different signed certificates, will break the trust between cluster endpoints. If you don’t have any and don’t plan to, you can use your own company CA, but you’re on your own with that. See the discussion here: Own CA for Icinga Cluster/API communication?

My question still stands: What does the current Nginx config look like which terminates TLS up front and should proxy the requests towards Icinga?

Cheers,
Michael