Newsletter:5/Encrypt All the Bits

From Zenoss Wiki

Encrypt All the Bits!

Set up Nginx as a Zenoss HTTPS Proxy, and monitor it!

Set up Nginx as a Zope HTTPS Proxy

Thank you for using Zenoss. Happy monitoring!
But have I done everything I could? I've got this nagging feeling I didn't. I even set up monitoring for MySQL, RabbitMQ and Memcached, like I was supposed to. Maybe there's more. Maybe we could use HTTPS!

Configure CentOS/RHEL

The standard repos that the auto-install script creates do not include NGINX. To add it, create /etc/yum.repos.d/nginx.repo with your favorite text editor and add the following:

name=nginx repo

Then run:

# yum install nginx

Configure Nginx

# cd /etc/nginx/conf.d
# mv default.conf default.conf.disabled
# editor default.conf

In your default.conf, place the following block of config, which makes NGINX a reverse proxy for Zope over HTTPS:

server {
    listen 443 default ssl;
    server_name myserver;
    ssl on;
    ssl_certificate     /etc/nginx/ssl/zenoss.pem;
    ssl_certificate_key /etc/nginx/ssl/zenoss.key;

    location / {
        # Tell Zope's virtual host monster the public scheme, host and port
        rewrite ^(.*)$ /VirtualHostBase/https/{{ipaddressorhostname}}:443$1 break;
        # Hand the rewritten request to Zope (assumes Zenoss' default HTTP port 8080)
        proxy_pass http://127.0.0.1:8080;
    }
}

Configure OpenSSL

In the last step you pointed NGINX at a certificate and key under /etc/nginx/ssl that don't exist yet (this is a great time to make sure your OpenSSL isn't vulnerable to Heartbleed). Let's create those now.

# mkdir /etc/nginx/ssl
# openssl req -new -x509 -days 365 -nodes -out /etc/nginx/ssl/zenoss.pem -keyout /etc/nginx/ssl/zenoss.key

Finally we check the config to make sure it’s right, enable NGINX at startup, and start it:

# nginx -t
# chkconfig nginx on
# service nginx start

Configure Zenoss

Edit zope.conf and look for the commented-out ip-address directive, somewhere around line 409. Enable it by uncommenting the ip-address = line, set the address Zope should listen on, and restart Zenoss.

The install script advises that you disable the firewall. Let's re-enable it and add a rule for HTTPS access (note that you may also need a similar rule for SNMP traps if you use them):

# editor /etc/sysconfig/iptables
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

Now enable and start the iptables service:

# chkconfig iptables on
# service iptables start

The Payoff

Open your web browser and navigate to https://yourzenossserver . You will get a warning about the self-signed certificate (get one signed by a trusted CA if you like, it's only $10/year these days). Ignore the scary warning and go to the page anyway. You should see something like this:


Going Further

Now, I know you are thinking, NOW I HAVE TO MONITOR THIS! I'm betting you're thinking it just like that, caps and everything. Well, let's do it! A Community ZenPack, NGINX Status, exists which reads the nginx_status page served by NGINX's stub_status module.

Install the NGINX Community ZenPack, then edit the /etc/nginx/conf.d/default.conf:

# zenpack --install <path to the NGINX Status ZenPack egg>
# editor /etc/nginx/conf.d/default.conf

In your default.conf, place the following, which will enable the nginx_status tool:

server {
    listen 80;
    server_name localhost;

    location /nginx_status {
        stub_status on;
        access_log  off;
        # Let the local Zenoss collector in (assumes Zenoss runs on this host);
        # allow/deny are evaluated in order, so this must come before deny all
        allow 127.0.0.1;
        deny all;
    }
}
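A `deny all;` with no preceding `allow` for the collector's own address locks Zenoss out of the status page as well, while no `deny all;` at all leaves it readable by anyone. The check below is an added example (not code from the page or the ZenPack; it assumes the collector runs on the same host as NGINX, so 127.0.0.1) that parses an nginx config and reports which of those states the /nginx_status location is in:

```python
import re

def parse_nginx(text):
    """Parse nginx config text into nested (name, args, children) tuples;
    children is None for a simple directive, a list for a block."""
    text = re.sub(r"#[^\n]*", "", text)              # drop comments
    tokens = re.findall(r"[{};]|[^\s{};]+", text)    # words plus { } ;
    stack, args = [[]], []
    for tok in tokens:
        if tok == "{":                               # open a block directive
            block = (args[0], args[1:], [])
            stack[-1].append(block)
            stack.append(block[2])
            args = []
        elif tok == "}":                             # close the current block
            stack.pop()
        elif tok == ";":                             # end a simple directive
            stack[-1].append((args[0], args[1:], None))
            args = []
        else:
            args.append(tok)
    return stack[0]

def find(block, name):
    return [d for d in block if d[0] == name]

def check_status_acl(conf):
    """nginx applies allow/deny rules in order, so the collector's address
    (assumed 127.0.0.1: Zenoss on the same host) must be allowed before
    'deny all', or stub_status answers 403 to Zenoss as well."""
    for srv in find(conf, "server"):
        for loc in find(srv[2], "location"):
            if loc[1][-1] != "/nginx_status" or not find(loc[2], "stub_status"):
                continue
            acl = [(d[0], d[1][0]) for d in loc[2] if d[0] in ("allow", "deny")]
            if ("deny", "all") not in acl:
                return "open: stub_status readable by anyone"
            if ("allow", "127.0.0.1") not in acl[: acl.index(("deny", "all"))]:
                return "blocked: add 'allow 127.0.0.1;' before 'deny all;'"
            return "ok"
    return "no stub_status location"

# Constructed samples: a deny-only block, and one that admits the local collector.
STATUS_DENY_ONLY = """server { listen 80; server_name localhost;
  location /nginx_status { stub_status on; access_log off; deny all; } }"""
STATUS_FIXED = """server { listen 80; server_name localhost;
  location /nginx_status { stub_status on; access_log off;
    allow 127.0.0.1; deny all; } }"""
```

Run `check_status_acl(parse_nginx(open("/etc/nginx/conf.d/default.conf").read()))` on the real file after editing it; the same parser can be pointed at the 443 server block to confirm its ssl_certificate and proxy_pass directives are present.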

Finally, check the config to make sure it's right, and restart NGINX:

# nginx -t
# service nginx restart

Back in Zenoss, bind the nginx_status template to your device and remodel it.

You will see 3 new graphs with performance data for NGINX. Finally, add an HTTPS IP Service and enable monitoring on it so you get alerts if NGINX goes down.



You've now configured NGINX as an HTTPS reverse proxy in front of Zenoss. This protects your communication with Zenoss, and if you get your certificate signed by a CA your browsers trust, it also ensures that you are communicating with your Zenoss and not a wild Zenny, which may appear at any time! Trust me, this does happen, and more often than you might think!