(Shared) web server for dashing-icinga2 and icingaweb2


(Marcel) #1

Question

How do you configure a web server for dashing-icinga2? Can both icingaweb2 and dashing-icinga2 be served via the same domain?

Requirements

All you need is a running web server, either nginx or apache2 / httpd, and a dashing-icinga2 (https://github.com/dnsmichi/dashing-icinga2) instance listening on localhost:8005.

Implementation details

As long as there is only the default dashboard icinga2, just four locations need to be “proxied” to the dashing-icinga2 instance:

  • /icinga2
  • /views/
  • /assets/
  • /events

Keep in mind to repeat the configuration for /icinga2 for each additional dashboard.

Apache2 configuration

Required modules

  • mod_ssl (if you want to encrypt the communication and use SSL)
  • mod_proxy
  • mod_proxy_http

Apache2 VirtualHost configuration snippet to extend existing configurations

This configuration snippet can be used to extend the existing configuration of your icingaweb2 VirtualHost configuration.

    <Location /icinga2>
        ProxyPass http://localhost:8005/icinga2
        ProxyPassReverse http://localhost:8005/icinga2
    </Location>

    <Location /assets/>
        ProxyPass http://localhost:8005/assets/
        ProxyPassReverse http://localhost:8005/assets/
    </Location>

    <Location /events>
        ProxyPass http://localhost:8005/events
        ProxyPassReverse http://localhost:8005/events
    </Location>

    <Location /views/>
        ProxyPass http://localhost:8005/views/
        ProxyPassReverse http://localhost:8005/views/
    </Location>

Standalone apache2 VirtualHost configuration

This configuration redirects all plain HTTP requests to HTTPS and redirects the user to the default dashboard icinga2 if the request URI is empty.

    <VirtualHost *:80>

        ServerName dashing.mydomain.com

        ErrorLog ${APACHE_LOG_DIR}/dashing.mydomain.com_error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/dashing.mydomain.com_access.log combined

        <Directory />
          AllowOverride None
          Require all denied
        </Directory>

        # send every plain HTTP request to the HTTPS virtual host
        Redirect permanent / https://dashing.mydomain.com/

    </VirtualHost>


    <VirtualHost *:443>

        ServerName dashing.mydomain.com

        ErrorLog ${APACHE_LOG_DIR}/https.dashing.mydomain.com_error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/https.dashing.mydomain.com_access.log combined

        SSLEngine on

        SSLCertificateFile /etc/apache2/ssl/mydomain.com.crt
        SSLCertificateKeyFile /etc/apache2/ssl/mydomain.com.key

        SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
        SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
        SSLHonorCipherOrder On
        # the Header directive requires mod_headers
        Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

        # redirect to the default dashboard if the uri is empty (requires mod_rewrite);
        # the target stays on HTTPS so the redirect does not bounce through port 80
        RewriteEngine On
        RewriteCond %{REQUEST_URI} "^/$"
        RewriteRule ^ https://dashing.mydomain.com/icinga2 [R=302,L]

        <Directory />
            AllowOverride None
            Require all denied
        </Directory>

        <Location />
            ProxyPass http://localhost:8005/
            ProxyPassReverse http://localhost:8005/
        </Location>

    </VirtualHost>

Nginx configuration

Nginx server configuration snippet to extend existing configurations

    location /icinga2 {

      proxy_pass          http://localhost:8005/icinga2;
    }

    location /assets/ {

      proxy_pass          http://localhost:8005/assets/;
    }

    location /events {

      proxy_pass          http://localhost:8005/events;
    }

    location /views/ {

      proxy_pass          http://localhost:8005/views/;
    }

Standalone Nginx server configuration

    server {
        listen 80;
        server_name dashing.mydomain.com;

        # send every plain HTTP request to the HTTPS server block
        return 301 https://$host$request_uri;
    }

    server {

        # the "ssl" parameter on listen enables TLS for this server block
        listen 443 ssl;
        server_name dashing.mydomain.com;

        ssl_certificate           /etc/nginx/mydomain.com.crt;
        ssl_certificate_key       /etc/nginx/mydomain.com.key;

        ssl_session_cache  builtin:1000  shared:SSL:10m;
        ssl_protocols  TLSv1.3 TLSv1.2;
        ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
        ssl_prefer_server_ciphers on;

        access_log            /var/log/nginx/dashing.mydomain.com.access.log;

        # everything on this host goes to the dashing-icinga2 instance
        location / {

          proxy_pass          http://localhost:8005;
        }
    }

Important notes

  • change domain and server names as well as file names and paths according to your environment (e.g. for log, certificate and configuration files)
  • repeat the location entry for icinga2 for each dashboard to serve as many dashboards as you want
  • make sure to store your certificates in secure locations with secure permissions
  • keep in mind that dashing-icinga2 does not have any authentication yet!
  • review the TLS settings before you apply any of the configurations above on your system to make sure that the mentioned cipher suites and protocols are still secure and recommended. (I’ll do my best to keep this post up-to-date.)
  • change localhost:8005 to <ip>:<port> if the web server and dashing-icinga2 are running on different hosts
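
Because dashing-icinga2 has no authentication of its own and the /icinga2 location has to be repeated for every dashboard, the following added example (not part of the original post) generates the location blocks for any list of dashboards, for nginx or Apache 2.4, with HTTP basic auth in front of each one. Adding basic auth goes beyond the configurations above; the htpasswd path, the variable names, the function names and the dashboard name `team-a` are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: print the proxy locations for
# dashing-icinga2 with HTTP basic auth in front, for nginx or Apache 2.4.
# Assumptions: BACKEND, HTPASSWD and both function names are illustrative.
BACKEND="${BACKEND:-http://localhost:8005}"
HTPASSWD="${HTPASSWD:-/etc/dashing/htpasswd}"   # hypothetical path

# emit_location SERVER URI: one auth-protected proxy block.
emit_location() {
    case "$1" in
    nginx) cat <<EOF
    location $2 {
      auth_basic           "dashing-icinga2";
      auth_basic_user_file $HTPASSWD;
      proxy_pass           $BACKEND$2;
    }
EOF
        ;;
    apache) cat <<EOF
    <Location $2>
        AuthType Basic
        AuthName "dashing-icinga2"
        AuthUserFile $HTPASSWD
        Require valid-user
        ProxyPass $BACKEND$2
        ProxyPassReverse $BACKEND$2
    </Location>
EOF
        ;;
    esac
}

# dashing_locations SERVER DASHBOARD...: one block per dashboard, then the
# three locations all dashboards share (/views/, /assets/, /events).
dashing_locations() {
    [ "$#" -ge 2 ] || { echo "usage: dashing_locations nginx|apache NAME..." >&2; return 2; }
    server="$1"; shift
    case "$server" in nginx|apache) ;; *) echo "unknown server: $server" >&2; return 2 ;; esac
    for name in "$@"; do
        case "$name" in    # names become URI paths, so keep them to one safe segment
        ''|*[!A-Za-z0-9_-]*|views|assets|events)
            echo "refusing dashboard name: $name" >&2; return 1 ;;
        esac
    done
    for name in "$@"; do emit_location "$server" "/$name"; done
    for uri in /views/ /assets/ /events; do emit_location "$server" "$uri"; done
}

[ "$#" -eq 0 ] || dashing_locations "$@"   # script use: nginx icinga2 team-a
```

Paste the output into the existing server or VirtualHost block in place of the unauthenticated locations, and create the password file with `htpasswd` before reloading the web server.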