Newsletter:5/Encrypt All the Bits

From Zenoss Wiki

Encrypt All the Bits!

Here's how you can use NGINX to ensure your Zenoss instance complies with best practices, and ensure your communication with your Network Monitoring System is protected.

Set Up NGINX as a Zope HTTPS Proxy

Thank you for using Zenoss. Happy monitoring!
This is the last thing you see after you install Zenoss, but did you do everything you could? Maybe you've got this nagging feeling you didn’t.

Did you set up monitoring for MySQL, RabbitMQ and Memcached, like you were supposed to?

Did you encrypt all your communications with Zenoss using HTTPS?

Configure CentOS/RHEL

The repos that the auto-install script sets up do not include NGINX. To add the nginx.org repo, create /etc/yum.repos.d/nginx.repo with your favorite text editor and add the following, replacing OS with centos or rhel and OSRELEASE with your major release (for example 6 or 7). Note that gpgcheck=0 turns off package signature verification; nginx.org signs its packages with the key published at https://nginx.org/keys/nginx_signing.key, so the safer setting is gpgcheck=1 together with a gpgkey= line pointing at that key:

[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/OS/OSRELEASE/$basearch/
gpgcheck=0
enabled=1

Then run:

# yum install nginx

Configure NGINX

To Configure NGINX, edit the NGINX config files which are found in /etc/nginx/ and /etc/nginx/conf.d:

# cd /etc/nginx/conf.d
# mv default.conf default.conf.disabled
# editor default.conf

In your default.conf, place the following block of config, which makes NGINX terminate HTTPS on port 443 and proxy requests to Zope on the loopback interface. Replace {{ipaddressorhostname}} with the name or address users will type into their browser; Zope uses it, via VirtualHostBase, to generate absolute URLs that point back through the proxy. The ssl parameter on the listen line replaces the older ssl on; directive, which newer NGINX versions have deprecated:

server {
    listen 443 default_server ssl;
    server_name  myserver;

    ssl_certificate       /etc/nginx/ssl/zenoss.pem;
    ssl_certificate_key   /etc/nginx/ssl/zenoss.key;

    location / {
        # Tell Zope the public scheme, host and port so it builds https:// links.
        rewrite  ^(.*)$ /VirtualHostBase/https/{{ipaddressorhostname}}:443$1 break;
        # Zope listens on 8080; it is bound to localhost in the "Configure Zenoss" step below.
        proxy_pass http://127.0.0.1:8080;
    }
}

Configure OpenSSL

In the last step you pointed NGINX at a directory and key pair that do not exist yet. Before creating them, make sure the OpenSSL on the box is not vulnerable to Heartbleed (CVE-2014-0160): run yum update openssl, then confirm the fix is in the installed package with rpm -q --changelog openssl | grep CVE-2014-0160. Now create the directory and a self-signed certificate. Adding -newkey rsa:2048 to the command below pins the key size instead of trusting the openssl.cnf default, and the Common Name you are prompted for should be the hostname users will type into their browser:

# mkdir /etc/nginx/ssl
# openssl req -new -x509 -days 365 -nodes -out /etc/nginx/ssl/zenoss.pem -keyout /etc/nginx/ssl/zenoss.key

Finally, check the config to make sure it’s right, enable NGINX at startup, and start it:

# nginx -t
# chkconfig nginx on
# service nginx start

Configure Zenoss

Edit $ZENHOME/etc/zope.conf; you will find a commented-out ip-address line somewhere around line 409. Un-comment it so that Zope binds to 127.0.0.1, and restart Zenoss. This is what keeps port 8080 off the network: with Zope listening only on loopback, the web UI is reachable from other hosts solely through NGINX on 443. Without it, the clear-text port stays open right next to the encrypted one.

The install script advises that you disable the firewall. Let's re-enable it and add a rule for HTTPS access. In the stock CentOS/RHEL ruleset this line has to go above the final REJECT rule in the INPUT chain, or it will never match. (Note that you may also need a similar rule for UDP port 162 if you receive SNMP traps.)

# EDITOR /etc/sysconfig/iptables
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

Now, start the iptables service:

# chkconfig iptables on
# service iptables start
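As an added example (my own script, not code from the wiki page or from Zenoss), here is the NGINX, OpenSSL and verification part of the procedure above as a small POSIX shell script with the weak spots tightened: the self-signed certificate carries the hostname as a subjectAltName and an explicit 2048-bit key, port 80 only redirects to HTTPS, only TLS 1.2 with non-broken ciphers is offered, Zope receives the public scheme through VirtualHostBase and X-Forwarded-* headers, and a check confirms that Zope really did end up bound to loopback. Assumptions carried over from the text: the certificate lives in /etc/nginx/ssl as zenoss.pem and zenoss.key, Zope listens on 127.0.0.1:8080, and the hostname is whatever users type into their browser.

```shell
#!/bin/sh
# Added example, not code from the wiki page or from Zenoss: the NGINX
# and OpenSSL steps above as a small POSIX shell script with the weak
# spots tightened. Assumptions carried over from the text: the cert
# lives in /etc/nginx/ssl as zenoss.pem/zenoss.key, Zope listens on
# 127.0.0.1:8080, and the hostname is whatever users type in a browser.
set -eu

# Self-signed certificate that names the host in a subjectAltName (the
# CN alone is ignored by current browsers) with an explicit 2048-bit
# key. The throwaway config file is how to get the SAN in on
# OpenSSL 1.0.x, which has no -addext option.
make_selfsigned_cert() {
    host=$1; dir=$2
    mkdir -p "$dir"
    cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_req
prompt             = no
[dn]
CN = $host
[v3_req]
subjectAltName = DNS:$host
EOF
    openssl req -new -x509 -days 365 -nodes -newkey rsa:2048 \
        -config "$dir/san.cnf" \
        -keyout "$dir/zenoss.key" -out "$dir/zenoss.pem" 2>/dev/null
    chmod 600 "$dir/zenoss.key"      # private key readable by root only
    rm -f "$dir/san.cnf"
    # Record this and compare it with what the browser shows later.
    openssl x509 -in "$dir/zenoss.pem" -noout -fingerprint -sha256
}

# Proxy config: port 80 only redirects to HTTPS, only TLS 1.2 is offered
# (add TLSv1.3 once your nginx/OpenSSL build knows it; older builds
# reject the token at nginx -t), weak ciphers are excluded, and Zope
# learns the public scheme and host via VirtualHostBase and X-Forwarded-*.
# nginx's own $variables are escaped so the shell leaves them alone;
# the unescaped $host is the shell variable.
write_nginx_conf() {
    host=$1; out=$2
    cat > "$out" <<EOF
server {
    listen 80 default_server;
    server_name $host;
    return 301 https://$host\$request_uri;
}

server {
    listen 443 ssl default_server;
    server_name $host;

    ssl_certificate           /etc/nginx/ssl/zenoss.pem;
    ssl_certificate_key       /etc/nginx/ssl/zenoss.key;
    ssl_protocols             TLSv1.2;
    ssl_ciphers               HIGH:!aNULL:!MD5:!RC4:!3DES;
    ssl_prefer_server_ciphers on;
    ssl_session_cache         shared:SSL:10m;

    # Honoured by browsers only once they trust the certificate.
    add_header Strict-Transport-Security "max-age=31536000";

    location / {
        rewrite ^(.*)\$ /VirtualHostBase/https/$host:443\$1 break;
        proxy_pass         http://127.0.0.1:8080;
        proxy_set_header   Host              \$host;
        proxy_set_header   X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;
    }
}
EOF
}

# After restarting Zenoss and nginx: the config parses, nothing but
# 127.0.0.1 listens on 8080 (i.e. zope.conf's ip-address line took
# effect), and the live endpoint presents the certificate you made.
verify_deployment() {
    host=$1
    nginx -t
    if ss -lnt | awk '$4 ~ /:8080$/ && $4 !~ /^127\.0\.0\.1:/ { bad = 1 }
                      END { exit !bad }'; then
        echo "Zope still listens on a non-loopback address on 8080" >&2
        return 1
    fi
    echo | openssl s_client -connect "$host:443" -tls1_2 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256
}
```

Usage: make_selfsigned_cert myserver /etc/nginx/ssl, then write_nginx_conf myserver /etc/nginx/conf.d/default.conf, then nginx -t and service nginx restart; after the zope.conf change and a Zenoss restart, run verify_deployment myserver. The fingerprint printed when the certificate was created, the one printed by verify_deployment, and the one your browser shows must all be the same. If you later add the nginx_status block from "Going Further", put its location inside this script's port-80 server or give it its own server_name; two port-80 servers with different names coexist fine.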

The Payoff

Open your web browser and navigate to https://yourzenossserver . Because the certificate is self-signed, the browser will warn that it cannot verify who issued it. Do not just click through: compare the fingerprint the browser shows with the one on the server (openssl x509 -in /etc/nginx/ssl/zenoss.pem -noout -fingerprint -sha256) and accept it only if they match, since otherwise you have no way to tell your proxy from an impersonator. Longer term, get a certificate your browsers already trust, from your internal CA or a public one (it's only $10/year these days), and the warning goes away for everyone. You should then see something like this:


Going Further

Now, I know you are thinking, NOW I HAVE TO MONITOR THIS! I'm betting you're thinking it just like that, caps and everything. Well, let's do it! A Community ZenPack, NGINX Status, exists which reads the counters that NGINX's stub_status module exposes at a /nginx_status location.

Install the NGINX Community ZenPack, then edit the /etc/nginx/conf.d/default.conf:

# zenpack --install ZenPacks.community.NginxStatus-1.1.egg
# editor /etc/nginx/conf.d/default.conf

In your default.conf, add the following server block, which exposes stub_status on port 80 to the local machine only. The allow/deny pair is what keeps the counters (and the fact that this is an NGINX proxy) from being readable from the network; Zenoss polls it from the box itself:

server {
    listen 80;
    server_name localhost;

    location /nginx_status {
        stub_status on;
        access_log  off;
        # Only the local collector may read the counters.
        allow 127.0.0.1;
        deny all;
    }
}

Finally, check the config to make sure it’s right, and restart it:

# nginx -t
# service nginx restart

Back in Zenoss, add the nginx_status template to your device and remodel it.

You will see three new graphs with perf data for NGINX. Finally, add a HTTPS IP Service, and enable monitoring for alerts if NGINX goes down.

Conclusion


You've now configured NGINX as an HTTPS-terminating reverse proxy in front of Zenoss, with Zope itself reachable only on loopback. This protects your communication with Zenoss from eavesdropping, and if you use a certificate your browsers trust (from your internal CA or a signed one), it also ensures that you are communicating with your Zenoss instance, and not a wild Zenny, which may appear at any time! Trust me, this does happen, and more often than you might think!