Resolved Unable to forward requests from nginx / apache

[Sysop]

I've recently setup Netdata on my server and the installation went fine, and I can access the dashboard via:

curl http://127.0.0.1:19999

The problem is that I'm not sure how to access this remotely, as in:

http://mysite.com:19999

I've tried editing the apache / nginx directives with the information located here and here respectively, although I'm not sure exactly what to edit or where. My website is running php 7.0.27 with FPM served by apache with nginx in proxy mode if that helps at all.

Really all I want to be able to do is be able to view http://127.0.0.1:19999/ from http://mysite.com:19999 and possibly password protect it. Thanks!

 

[MarkM]

Is the port open in the firewall?

 

[Sysop]

Hi Mark,

I did open the port in the firewall, although I forgot to activate it! — thanks for making me check it again!

So I guess the only question now is how I could password protect http://mysite.com:19999, is there a simple straightforward way of doing that?

 

[Sergio Manzi]

@Sysop I think you'll probably have to backtrack and close that port...

Apparently netdata doesn't provide an internal authentication method and delegates this function to a front-end proxy be it Apache, Nginx or whatever (see: Is there no password protection? · Issue #120 · firehol/netdata · GitHub)

In the cited GitHub "issue" there is a post with what seems to be a reasonable nginx configuration.

If I were you I'll start from that, but without the "auth_basic" configuration, just to have it working "behind nginx".

My advice is to not mess at all with any Plesk configuration file: I'm quite sure you can use that configuration just by:

• creating an ad-hoc domain (e.g. netdata.example.com) in your Plesk
• in that domain "Apache & nginx Settings" turn off the "Proxy mode" option (yeah, I know it doesn't sounds logical...) and hit "Apply" (or "OK")
• only after that, paste that configuration from the GitHub article above (in first instance without the authentication directives) in the "Additional nginx directives" text box. Hit Apply or OK once again
• Try and pray...

If it works... we'll pass to Chapter 2: how setup authentication.

 

[Sysop]

@Sysop I think you'll probably have to backtrack and close that port...

Apparently netdata doesn't provide an internal authentication method and delegates this function to a front-end proxy be it Apache, Nginx or whatever (see: Is there no password protection? · Issue #120 · firehol/netdata · GitHub)

In the cited GitHub "issue" there is a post with what seems to be a reasonable nginx configuration: Is there no password protection? · Issue #120 · firehol/netdata · GitHub

If I were you I'll start from that, but without the "auth_basic" configuration, just to have it working "behind nginx".

My advice is to not mess at all with any Plesk configuration file: I'm quite sure you can use that configuration just by:

• creating an ad-hoc domain (e.g. netdata.example.com) in your Plesk
• in that domain "Apache & nginx Settings" turn off the "Proxy mode" option (yeah, I know it doesn't sounds logical...) and hit "Apply" (or "OK")
• only after that, paste that configuration from the GitHub article above (in first instance without the authentication directives) in the "Additional nginx directives" text box. Hit Apply or OK once again
• Try and pray...

If it works... we'll pass to Chapter 2: how setup authentication.

@Sergio, your tips really seemed to help - thank you!

I closed the port as you suggested, and I was able to put the directive into the nginx section, although I did have to change it slightly (added "~"), otherwise Plesk wouldn't take it. I also tried leaving "Proxy mode" turned on and it seemed to still be working normally from what I could tell.

location ~ / {
       proxy_set_header X-Forwarded-Host $host;
       proxy_set_header X-Forwarded-Server $host;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_pass http://127.0.0.1:19999;
       proxy_http_version 1.1;
       proxy_pass_request_headers on;
       proxy_store off;
   }

So I guess the only thing left to do is the authentication — would you suggest setting it up as it showed in the example with the .htaccess ?

 

[MarkM]

I believe you would want to use an .htpasswd file. There's a number of online tools that would assist you.... and change the above to something like the following;

location ~ / {
      proxy_set_header X-Forwarded-Host $host;
      proxy_set_header X-Forwarded-Server $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_pass http://127.0.0.1:19999;
      proxy_http_version 1.1;
      proxy_pass_request_headers on;
      proxy_store off;
      auth_basic "Restricted Content";
      auth_basic_user_file /etc/nginx/.htpasswd;
   }

 

[Sergio Manzi]

@Mark Muyskens: I'm wondering if he can't just use the provided mechanisms (see: Restricting Access to Content) and just set / (or is it /httpdocs ?) as the protected directory... PURE THEORY: HAVEN'T TRIED

@Sysop: That it works even when you have "Enable proxy" set is... bizarre! With that option set nginx should proxy "/" to Apache on a totally different port (can't remember which from the top of my head now...). Moreover, when you have the option set Plesk doesn't allows you to put a "location /" in the nginx options (and that's why I underlined that you have to first proxy off and only after that you can set the nginx "location /"options...) ... I don't know what to say... I'll test it over the weekend...

 

[Sergio Manzi]

ahemm... just a question: you now access it through the normal port 80 as http://netdata.example.com, right? Not through port 19999, right?

 

[Sysop]

@Mark Muyskens, the .htpasswd directive worked, thanks!

@Sergio Manzi, Yes, I can access the site with "netdata.example.com" without putting the port in the url. Having "Proxy Mode" switched on and setting location ~ / works for whatever reason — setting it to just location / I get an error:

Invalid nginx configuration: nginx: [emerg] duplicate location "/" in /var/www/vhosts/system/netdata.example.com/conf/vhost_nginx.conf:1 nginx: configuration file /etc/nginx/nginx.conf test failed

In hosting settings I have "Permanent SEO-safe 301 redirect from HTTP to HTTPS" also set on both the subdomain and main hostname, with the Document root set to /httpdocs. The directive seems to automatically forward port 80 to 443 correctly, and from what I can tell it's working nicely! Thanks again for all the help - much appreciated.

 

[Sergio Manzi]

... it must be a miracle due to the ~ I will try...

You're most welcome, take care!

 

[Sergio Manzi]

about "~ /" and the thing working also when "Proxy mode" is set, I think I know what's happening:

• the ~ is just a on optional modifier that tells nginx to take the following "location string" as a regular expression
• its presence, anyway, makes that location block to differ from the one used by Plesk to set the normal proxy to Apache
• hence it is accepted even if "Proxy mode" is set, but being inserted after (or is it before??) the Plesk standard "location /", it takes precedence and... we are happy!

 

[Sysop]

about "~ /" and the thing working also when "Proxy mode" is set, I think I know what's happening:

• the ~ is just a on optional modifier that tells nginx to take the following "location string" as a regular expression
• its presence, anyway, makes that location block to differ from the one used by Plesk to set the normal proxy to Apache
• hence it is accepted even if "Proxy mode" is set, but being inserted after (or is it before??) the Plesk standard "location /", it takes precedence and... we are happy!

Excellent information! I knew there was a reason I tried that — cheers!

 

[mr-wolf]

For those kind of things I merely create a file in /etc/nginx/conf.d/ making only an entry for https and binding the daemon itself to localhost.

The files there are processed in alphabetic order. A file for all the Plesk sites is there as well.

A redirect from port 80 it's quikly done as well, if wanted.

Nothing at all configured in Plesk
Total control to you

Where I like Plesk for managing all client websites I prefer to do these additions outside of Plesk as they are outside of Plesk to begin with.

 

[Sergio Manzi]

For those kind of things I merely create a file in /etc/nginx/conf.d ...

Of course, but at the end of the day and through some indirection, that's exactly what happens when you configure it in the Plesk panel.
But, although it is essentially a matter of personal preferences, I see some value added by doing it in the Plesk panel:

• DNS entry automatically created
• Easier management of the Let's Encrypt certificates
• "self-documentation" of what has been done (meaning that if you have to "pass" the system administration to someone else, he/she will have a view at first sight of what you have done...)

 

[mr-wolf]

Of course, but at the end of the day and through some indirection, that's exactly what happens when you configure it in the Plesk panel.
But, although it is essentially a matter of personal preferences, I see some value added by doing it in the Plesk panel:

• DNS entry automatically created
• Easier management of the Let's Encrypt certificates
• "self-documentation" of what has been done (meaning that if you have to "pass" the system administration to someone else, he/she will have a view at first sight of what you have done...)

You are right for your situation, but all these would be a disadvantage for me.
I have those kind of services deliberately outside of Plesk for good reasons.
No LE for those services but a wildcard certificate and DNS is done on a seperate server.

I work for a small firm and am the only one who deals with this kind of stuff.
It is good that my colleagues can't get to it ;-)

 

[Tr3Mendo]

Hello, I am new in this world.

I have my Centos7 server with Plesk Onyx and I just installed Netdata.

I can access perfectly from http:/my_IP:19999.

I have created a new subscription to access from http://netdata.mydomain.com without any problem.

But if I add:

auth_basic "Protected";
auth_basic_user_file /etc/nginx/.htpasswd;
location / {
xxx
}

He asks me for a username and a password, what would they be? those of the subscription or those of the root server?

Thank you.

 

[Sysop]

Hello, I am new in this world.

I have my Centos7 server with Plesk Onyx and I just installed Netdata.

I can access perfectly from http:/my_IP:19999.

I have created a new subscription to access from http://netdata.mydomain.com without any problem.

But if I add:

auth_basic "Protected";
auth_basic_user_file /etc/nginx/.htpasswd;
location / {
xxx
}

He asks me for a username and a password, what would they be? those of the subscription or those of the root server?

Thank you.

You would usually create any user and password you would like (usually something other than login credentials to your Plesk panel is safer). So for example if you use the htpasswd utility from the command-line and you want the login to be "netdata" you would do:

$ htpasswd -c /etc/nginx/.htpasswd netdata

The utility will then prompt you to enter a password and confirm it (so choose whatever you want). You might need to restart nginx ( systemctl restart nginx ) after creating the .htpasswd file. That's it!

 

[Tr3Mendo]

Perfect!

Now I can access the Netdata panel with the username and password. It was much easier than I thought.

Thank you

You would usually create any user and password you would like (usually something other than login credentials to your Plesk panel is safer). So for example if you use the htpasswd utility from the command-line and you want the login to be "netdata" you would do:

$ htpasswd -c /etc/nginx/.htpasswd netdata

The utility will then prompt you to enter a password and confirm it (so choose whatever you want). You might need to restart nginx ( systemctl restart nginx ) after creating the .htpasswd file. That's it!