Newsletter:5/Encrypt All the Bits
Encrypt All the Bits!
Set up Nginx as a Zope HTTPS Proxy
Thank you for using Zenoss. Happy monitoring! But have I done everything I could? I’ve got this nagging feeling I didn’t. I even set up monitoring for MySQL, RabbitMQ and Memcached, like I was supposed to. Maybe there’s more. Maybe we could use HTTPS!
Configure CentOS/RHEL
The standard repos that the auto-install script creates do not include Nginx. To add it, create /etc/yum.repos.d/nginx.repo with your favorite text editor and add the following (OS and OSRELEASE are placeholders for your distribution and release; note that gpgcheck=0 turns off package signature checking for this repo):
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/OS/OSRELEASE/$basearch/
gpgcheck=0
enabled=1
Then run:
# yum install nginx
Configure Nginx
# cd /etc/nginx/conf.d
# mv default.conf default.conf.disabled
# editor default.conf
In your default.conf, place the following block of config, which enables NGINX's reverse proxy over HTTPS:
server {
    listen 443 default ssl;
    server_name myserver;
    ssl on;
    ssl_certificate /etc/nginx/ssl/zenoss.pem;
    ssl_certificate_key /etc/nginx/ssl/zenoss.key;
    location / {
        rewrite ^(.*)$ /VirtualHostBase/https/{{ipaddressorhostname}}:443$1 break;
        proxy_pass http://127.0.0.1:8080;
    }
}
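What the rewrite line actually does, shown as an added example that is not part of the original article: a small Python model of nginx's rewrite and of how Zope's VirtualHostMonster reads the VirtualHostBase prefix to decide which base URL goes into the links it generates. The host zenoss.example.com is an assumed stand-in for the {{ipaddressorhostname}} placeholder.

```python
import re

# Constructed stand-in for the article's {{ipaddressorhostname}} placeholder.
PUBLIC_HOST = "zenoss.example.com"
# The Zope listener nginx proxies to, as in the article's proxy_pass line.
BACKEND = "http://127.0.0.1:8080"


def nginx_rewrite(request_uri: str, host: str = PUBLIC_HOST) -> str:
    """Model `rewrite ^(.*)$ /VirtualHostBase/https/HOST:443$1 break;`.

    nginx matches the regex against the path only and re-appends any query
    string, so the prefix goes in front of the path and the query survives.
    """
    path, sep, query = request_uri.partition("?")
    return f"/VirtualHostBase/https/{host}:443{path}{sep}{query}"


# /VirtualHostBase/<scheme>/<host>[:<port>]/<rest>, as the VirtualHostMonster parses it.
_VHB = re.compile(
    r"^/VirtualHostBase/(?P<scheme>https?)/(?P<host>[^/:]+)(?::(?P<port>\d+))?(?P<rest>/.*)?$"
)


def zope_view(proxied_uri: str, backend: str = BACKEND) -> dict:
    """Return the path Zope traverses and the base URL it uses for absolute links.

    Models VirtualHostMonster: the VirtualHostBase segments set SERVER_URL
    (default ports are omitted) and are stripped before traversal. Without the
    prefix Zope only has the Host header nginx sends, which defaults to the
    backend address, so generated links would point at http://127.0.0.1:8080.
    """
    path = proxied_uri.partition("?")[0]
    m = _VHB.match(path)
    if not m:
        return {"path": path, "base_url": backend}
    scheme, host = m["scheme"], m["host"]
    default_port = {"http": 80, "https": 443}[scheme]
    port = int(m["port"]) if m["port"] else default_port
    base_url = f"{scheme}://{host}" + ("" if port == default_port else f":{port}")
    return {"path": m["rest"] or "/", "base_url": base_url}


if __name__ == "__main__":
    for uri in ("/zport/dmd/Devices", "/zport/dmd?submitted=true"):
        print(uri, "->", nginx_rewrite(uri), "->", zope_view(nginx_rewrite(uri)))
    print("without the rewrite:", zope_view("/zport/dmd/Devices"))
```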
Configure OpenSSL
In the last step you specified a path that doesn’t exist, pointing at OpenSSL keys that don’t exist yet (this is a great time to make sure your OpenSSL isn’t vulnerable to Heartbleed). Let’s create those now:
# mkdir /etc/nginx/ssl
# openssl req -new -x509 -days 365 -nodes -out /etc/nginx/ssl/zenoss.pem -keyout /etc/nginx/ssl/zenoss.key
Finally we check the config to make sure it’s right, enable nginx at startup, and start it:
# nginx -t
# chkconfig nginx on
# service nginx start
Configure Zenoss
Edit zope.conf, and you will find an ip address setting somewhere around line 409. Enable ip-address = 127.0.0.1 by uncommenting it, so that Zope listens only on the loopback interface and is reached only through the Nginx proxy, and restart Zenoss.
The install script advises that you disable the firewall. Let’s re-enable it and add a rule for HTTPS access (note that you may also need a similar rule for SNMP traps if you use them):
# editor /etc/sysconfig/iptables
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
Now enable and start the iptables service:
# chkconfig iptables on
# service iptables start
The Payoff
Open your web browser and navigate to https://yourzenossserver. You will get a warning about a self-signed SSL certificate (get it signed if you like, it’s only $10/year these days). Ignore the scary warning, and go to the page anyway. You should see something like this:
Going Further
Now, I know you are thinking, NOW I HAVE TO MONITOR THIS! I'm betting you're thinking it just like that, caps and everything. Well, let’s do it! A Community ZenPack, NGINX Status, exists which leverages the nginx_status tool.
Install the NGINX Community ZenPack, then edit the /etc/nginx/conf.d/default.conf.
# zenpack --install ZenPacks.community.NginxStatus-1.1.egg
# editor /etc/nginx/conf.d/default.conf
In your default.conf, place the following, which enables the nginx_status tool (reachable only from localhost, where Zenoss runs):
server {
    listen 80;
    server_name localhost;
    location /nginx_status {
        stub_status on;
        access_log off;
        allow 127.0.0.1;
        deny all;
    }
}
Finally we check the config to make sure it’s right, and restart it:
# nginx -t
# service nginx restart
Back in Zenoss add the nginx_status template to your device and remodel:
You will see 3 new graphs with perf data for Nginx. Finally, add an HTTPS IP Service and enable monitoring so that you are alerted if nginx goes down.