Icingaweb2 does not start with https

bgt8 · November 11, 2021, 7:52am

Dear everyone!

I installed an icinga2 monitoring system on a Centos8 system. It was installed well. I wanted to set Icingaweb2 to https, but I get the following message:

Backend unavailable

It seems that the PHP FPM service is not running. Make sure to start PHP FPM service in order to access Icinga Web 2. If you upgraded Icinga Web 2 recently, make sure to read the docs regarding PHP FPM, also locally available under /usr/share/icingaweb2/doc/02-Installation.md.

php-fm service is installed and running. The web interface starts without encryption.

httpd configuration file (icingaweb2-ssl.conf) what settings are recommended or possibly selinux error. In principle, I set up selinux well.

Thanks for help!

bgt8 · November 11, 2021, 7:56am

web2 starts with http, not just https, there is a certificate.

steaksauce · November 11, 2021, 6:35pm

Assuming that PHP FPM is installed/configured according to docs, we can move to the web server.

While creating the OP, it asked you for information reguard versions of various things like PHP, Webserver, Icinga2, Icingaweb2, etc, but none of that information is present.

Assuming you are using Apache or Nginx, you will need to make sure your config files are correct, and check the logs for whichever webserver you are using to see what is going on there.

If you suspect selinux is causing pain, you can quickly test with setenforce 0 to put SELinux in permissive mode (this does NOT disable selinux, but tells it to run, allowing things to happen as if it were disabled). If everything works there, then you will need to do some selinux troubleshooting. Here are some selinux troubleshooting tips

bgt8 · November 15, 2021, 9:14am

PHP 8.0.12 (cli)
Server version: Apache/2.4.37
Icinga2 - version: 2.13.2-1
Icingaweb2

steaksauce · November 15, 2021, 7:23pm

When you restart Apache (or run a config check), what’s the output?

bgt8 · November 16, 2021, 8:59am

I searched the apache config file from the internet to use https, in the meantime I found this file to be the source of the error. In this config i am not so used to it so i used one by one, of course correcting the data about me.

I took out the next part at the end of the config file and it already works.

= 2.4>
# Forward PHP requests to FPM
SetEnvIf Authorization “(.*)” HTTP_AUTHORIZATION=$1
<FilesMatch “.php$”>
SetHandler “proxy:fcgi://127.0.0.1:9000”
ErrorDocument 503 /icingaweb2/error_unavailable.html

icingaweb2-ssl.conf:

Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

<VirtualHost *:80>
ServerName icinga.mydomain.com
Redirect permanent / https://icinga.mydomain.com/

ServerName icinga.mydomain.com DocumentRoot "/var/www/html" Alias /icingaweb2 "/usr/share/icingaweb2/public" ErrorLog logs/ssl_error_log TransferLog logs/ssl_access_log LogLevel warn SSLEngine on SSLProtocol all -SSLv2 -SSLv3 SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA SSLCertificateFile /etc/pki/tls/certs/yourcert.crt SSLCertificateKeyFile /etc/pki/tls/private/yourkey.key SSLCACertificateFile /etc/pki/tls/certs/yourca.crt SSLOptions +StdEnvVars SSLOptions +StdEnvVars BrowserMatch "MSIE [2-5]" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 CustomLog logs/ssl_request_log \ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    <IfVersion < 2.4>
            # Forward PHP requests to FPM
            SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
            <LocationMatch "^/icingaweb2/(.*\.php)$">
                    ProxyPassMatch "fcgi://127.0.0.1:9000/usr/share/icingaweb2/public/$1"
            </LocationMatch>
    </IfVersion>

    <Directory "/usr/share/icingaweb2/public">
            Options SymLinksIfOwnerMatch
            AllowOverride None

            DirectoryIndex index.php

            <IfModule mod_authz_core.c>
                    # Apache 2.4
                    <RequireAll>
                            Require all granted
                    </RequireAll>
            </IfModule>

            <IfModule !mod_authz_core.c>
                    # Apache 2.2
                    Order allow,deny
                    Allow from all
            </IfModule>

            SetEnv ICINGAWEB_CONFIGDIR "/etc/icingaweb2"

            EnableSendfile Off

            <IfModule mod_rewrite.c>
                    RewriteEngine on
                    RewriteBase /icingaweb2/
                    RewriteCond %{REQUEST_FILENAME} -s [OR]
                    RewriteCond %{REQUEST_FILENAME} -l [OR]
                    RewriteCond %{REQUEST_FILENAME} -d
                    RewriteRule ^.*$ - [NC,L]
                    RewriteRule ^.*$ index.php [NC,L]
            </IfModule>

            <IfModule !mod_rewrite.c>
                    DirectoryIndex error_norewrite.html
                    ErrorDocument 404 /icingaweb2/error_norewrite.html
            </IfModule>

            <IfVersion >= 2.4>
                    # Forward PHP requests to FPM
                    SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
                    <FilesMatch "\.php$">
                            SetHandler "proxy:fcgi://127.0.0.1:9000"
                            ErrorDocument 503 /icingaweb2/error_unavailable.html
                    </FilesMatch>
            </IfVersion>
    </Directory>

bgt8 · November 16, 2021, 9:01am

It fell apart a bit, here is the page I bought it from:

https://doc.pegasi.fi/wiki/doku.php?id=icinga_apache_ssl