A while back, I had written about the possibility of configuring ntop to use
only relative URLs, in order to facilitate proxying ntop's web interface
through Apache. I have decided it's easier to simply use Apache's ability to
rewrite ntop's URLs when necessary. So, based on my experience, here is a
mini-HOWTO on how to proxy ntop through Apache.
~-~-~-~-~-~-~-~
Proxying ntop's web interface through a secure Apache virtual host is a
convenient way to make use of any existing security measures you may already
have. In my case, I wanted to be able to access ntop from anywhere outside
my LAN, but opening another port on my server for ntop's dedicated web
server wasn't an option.

I already had a password-protected, secure web server that I use for admin
purposes -- I'll call it https://admin.tobiasly.com. I wanted ntop's web
interface to appear as a subdirectory under this host:
https://admin.tobiasly.com/ntop/ .

Here's how to configure such a setup. Change the server names and ports to
match your own. I'm assuming that you already have a working, secure Apache
virtual host (using HTTPS).

First, pick a port for ntop's HTTP server. I'll use 15123. You won't need
ntop's built-in HTTPS server, since you're proxying its content through a
pre-existing Apache HTTPS server. Configure ntop to start with the correct
HTTP port, and with HTTPS disabled. Something like "ntop -d -w 15123 -W 0".
(See the ntop man page for more startup options.)

Now, you need to tell Apache that anything under the /ntop/ URL should be
proxied to the ntop web server. In my case, the Apache server is running on
the same machine as ntop, so it's just a proxy to a different port on
localhost. In your Apache secure host configuration, add a line like this:

   ProxyPass /ntop/ http://localhost:15123/

Now, whenever Apache receives a request for something like
"https://secure.tobiasly.com/ntop/home.html", it will proxy this request to
the location "http://localhost:15123/home.html". Ntop will take it from
there, generate the web content, and pass the result back to Apache. Then
Apache passes that result back to the original client.

It's important to note that you don't need to open port 15123 to the
outside, since the connection actually goes through your existing Apache
port, and then is transparently proxied by Apache on the server itself. Of
course, you don't even have to run ntop on the same machine; as long as the
Apache server can connect to ntop's port, it'll work.

This is not the same as URL redirection. As far as your web browser knows,
everything is going through https://secure.tobiasly.com/ntop/. The Apache
server does all the proxy work behind the scenes, and simply serves up the
results to the requesting client. And since the "outward-facing" server is
Apache instead of ntop, you'll be using your existing Apache secure server
certificate, instead of ntop's ntop-cert.pem.

Everything appears to work OK at first, but we quickly run into a problem:
some of the URLs that ntop generates are absolute. For example, to draw bar
graphs, ntop's web pages will request the image "/gauge.jpg". This would
translate into "https://secure.tobiasly.com/gauge.jpg". Also, host info
pages are absolute. If I click on the host "10.1.2.3", it tries to take me
to the page "https://secure.tobiasly.com/10.1.2.3.html".

This is a big problem, because unless the URL is underneath the /ntop/
directory, Apache doesn't know that it needs to proxy the request to ntop,
and you get broken links. Luckily, Apache has the Rewrite module that lets
us fool with requested URLs. In order to get the required URLs rewritten,
add the following to your Apache secure virtual host configuration:

   RewriteEngine On
   RewriteCond %{HTTP_REFERER} tobiasly.com/ntop
   RewriteCond %{REQUEST_URI} !^/ntop
   RewriteRule ^/(.*)$ http://secure.tobiasly.com/ntop/$1 [L,P]

In English, this basically says "If I get a URL request that comes from a
page that has tobiasly.com/ntop in it, and that request doesn't begin with
/ntop, rewrite the URL to begin with http://secure.tobiasly.com/ntop/, and
pass this rewritten URL to the Proxy engine." At this point, the Proxy
engine will see that it is getting a URL that begins with /ntop/, and
correctly pass it to the ntop web server. Rewriting the request to begin
with HTTP instead of HTTPS may seem incorrect, but since that URL will be
handed directly to the Proxy engine, it can't be HTTPS or ntop's web server
will not recognize it.

Now, you should be able to simply connect to
https://secure.tobiasly.com/ntop/ , and you're ready to go!
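
The rewrite decision described above, modelled in Python so it can be checked against sample requests before touching the live server. This is an added example, not part of the original post: the sample requests are constructed, and `STRICT_REFERER` is an assumed, tighter Referer pattern that the post does not use.

```python
import re

# Patterns copied from the RewriteCond/RewriteRule lines in the post.
REFERER_COND = re.compile(r"tobiasly.com/ntop")  # unanchored; "." matches any character
URI_PREFIX = re.compile(r"^/ntop")               # negated with "!" in the config
RULE = re.compile(r"^/(.*)$")
TARGET = "http://secure.tobiasly.com/ntop/"

# Assumption (not in the post): a Referer pattern anchored to scheme and host.
STRICT_REFERER = re.compile(r"^https://secure\.tobiasly\.com/ntop/")


def rewrite(uri, referer, referer_cond=REFERER_COND):
    """Return the URL handed to the proxy ([P]), or None if the rule does not fire."""
    m = RULE.match(uri)
    if m is None:
        return None
    if not referer_cond.search(referer or ""):   # no Referer header means no match
        return None
    if URI_PREFIX.search(uri):                   # already under /ntop, leave alone
        return None
    return TARGET + m.group(1)


# Constructed sample requests: (request URI, Referer header or None).
SAMPLES = [
    ("/gauge.jpg", "https://secure.tobiasly.com/ntop/home.html"),
    ("/10.1.2.3.html", "https://secure.tobiasly.com/ntop/"),
    ("/ntop/home.html", "https://secure.tobiasly.com/ntop/"),
    ("/gauge.jpg", None),                                    # client sends no Referer
    ("/gauge.jpg", "https://other.example/?q=tobiasly.com/ntop"),  # string appears elsewhere
]

if __name__ == "__main__":
    for uri, ref in SAMPLES:
        print(f"{uri!r:20} referer={ref!r}")
        print("   as posted:", rewrite(uri, ref))
        print("   anchored :", rewrite(uri, ref, STRICT_REFERER))
```

A client that suppresses the Referer header never satisfies either pattern, so its absolute ntop links stay broken; the last sample shows that the posted condition is a substring match, while the anchored variant only accepts pages served from the /ntop/ path of the one host.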
