Hi,

Here we are also only on an internal network (and even there with an internal 
firewalled environment from the rest of the internal network).
Since it's a rather large bank plain HTTP isn't an option here and SSL, 
including proper certificates, is a must.

For this we also have something similar to what Michael mentioned, a forced ReWrite 
rule to redirect HTTP to HTTPS.  But only on our main front-end server.
The normal OMD instances (listening on TCP/5000) use plain HTTP.

A user that would enter through the frontend (either by HTTP and then directed 
to HTTPS, or directly with HTTPS) isn't talking to any of the OMD instances 
directly.
Apache proxies any request to a certain OMD instance.


From the normal (system) apache config (in our case 
/etc/http/conf.d/omd_ssl.conf)

# Redirect 80 to 443:
<VirtualHost *:80>
        DocumentRoot "/var/www/html"
        ServerName xxxx
        ServerAlias xxxx
        [ .. some more unrelated things ... ]
        RewriteEngine On
        RewriteCond %{SERVER_PORT}   !^443$
        RewriteRule  (.*)  https://%{HTTP_HOST}/$1   [L]
</VirtualHost>

# Handle user requests on HTTPS
<VirtualHost xxxxxx:443>
        DocumentRoot "/var/www/html"
        ServerName xxxx
        [ .. some more unrelated things ... ]

        <Location /mzd_p1>
          RewriteEngine On
          RewriteRule ^/.+/mzd_p1/(.*) http://[a slave OMD instance]:5000/mzd_p1/$1 [P]
        </Location>


        <Location /mzd_p2>
          RewriteEngine On
          RewriteRule ^/.+/mzd_p2/(.*) http://[another slave OMD instance]:5000/mzd_p2/$1 [P]
        </Location>
</VirtualHost>


Then in a separate file (in this case located at 
/omd/sites/dash/etc/apache/proxy.conf)
<IfModule mod_proxy_http.c>
  <Proxy http://127.0.0.1:5000/dash>
    Order allow,deny
    allow from all
  </Proxy>

  <Location /dash>
    ProxyPass http://127.0.0.1:5000/dash retry=0 disablereuse=On
    ProxyPassReverse http://127.0.0.1:5000/dash
  </Location>
</IfModule>

(note that a lot of these configs are provided by basic CheckMK/OMD installs)

This way, only your frontend webserver would need to run HTTPS and none of the 
actual OMD instances (basically turning the normal Apache into a pure 
forwarder/proxy).


Nico van Roijen
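
A check one could run over a front-end config like the one above, as an added example that is not part of the original message: it flags port-80 virtual hosts that have no redirect to HTTPS, and proxy targets reached over plain HTTP on a non-loopback address (in the setup described, the hop from the front end to a slave OMD instance on TCP/5000 is unencrypted). The sample config, its host names and the function names are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the configs in the message; host names are placeholders.
SAMPLE = """\
<VirtualHost *:80>
    RewriteRule (.*) https://%{HTTP_HOST}/$1 [L]
</VirtualHost>
<VirtualHost frontend.example:443>
    <Location /mzd_p1>
        RewriteRule ^/.+/mzd_p1/(.*) http://slave1.example:5000/mzd_p1/$1 [P]
    </Location>
    <Location /dash>
        ProxyPass http://127.0.0.1:5000/dash retry=0 disablereuse=On
    </Location>
</VirtualHost>
"""

VHOST = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
URL = re.compile(r"\bhttps?://[^\s\"]+", re.I)

def is_loopback(host):
    try:
        return host == "localhost" or ipaddress.ip_address(host).is_loopback
    except ValueError:  # a host name, not an IP literal
        return False

def audit(conf):
    """Return findings for missing HTTPS redirects and plaintext remote backends."""
    findings = []
    for addr, body in VHOST.findall(conf):
        redirects = False
        for line in body.splitlines():
            words = line.split()
            if not words or words[0].startswith("#"):
                continue
            directive = words[0].lower()
            flags = words[-1].strip("[]").upper().split(",") if words[-1].startswith("[") else []
            proxied = directive == "proxypass" or (directive == "rewriterule" and "P" in flags)
            if directive == "rewriterule" and not proxied and "https://" in line:
                redirects = True  # external redirect to an https:// URL
            for url in URL.findall(line) if proxied else []:
                u = urlsplit(url)
                if u.scheme == "http" and not is_loopback(u.hostname):
                    findings.append(f"plain-http-backend:{u.hostname}:{u.port}")
        if addr.strip().endswith(":80") and not redirects:
            findings.append(f"no-https-redirect:{addr.strip()}")
    return findings
```

For the sample, `audit(SAMPLE)` reports only the slave backend on port 5000; the loopback `ProxyPass` and the redirecting port-80 virtual host pass.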


----- Original message -----
From: "Stephen Berg (Contractor)" <[email protected]>
To: [email protected]
Sent: Tuesday 21 March 2017 12:47:10
Subject: Re: [omd-users] converting to https

That seems to work for one distributed site, but the master site then 
fails to synchronize with it.  Is this change an all or nothing kind of 
thing?  Should I be changing all the distributed servers at once, then 
change the master and adjust the distributed monitoring settings and 
then restarting the whole collection?

On 03/21/2017 05:55 AM, FRANK Michael wrote:
> Hi,
>
> I use the following rewrite rule for apache:
>
> RewriteEngine on
> RewriteCond %{HTTPS} !on
> RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
> RedirectMatch 302 "^/$" "/<site>/"
> #LogLevel alert rewrite:trace6
>
> And you need to change the settings in Distributed Monitoring to HTTPS for 
> the migrated site as well.
>
> Regards
>
> Michael
>
>
> -----Original Message-----
> From: omd-users [mailto:[email protected]] On Behalf 
> Of Stephen Berg (Contractor)
> Sent: Monday, 20 March 2017 16:59
> To: [email protected]
> Subject: [omd-users] converting to https
>
> Is there a checklist or set of instructions for converting OMD/check_mk over 
> to use https as default?
>
> I've got a master server and 6 distributed servers.  We use OMD mostly for 
> the check_mk component.  I'd like to be able to convert one distributed 
> server, tweak the master server to be aware of that change and verify it's 
> working and then move on to the next distributed server.  I can convert the 
> master server to use https at the beginning or end, whichever is best.
>
> None of these systems are accessible outside our network so security isn't a 
> big concern, but getting even our internal only web services converted to 
> https is on our to-do list.  We do use the pnp4nagios component also, but 
> that's about it as far as the OMD components go.
>
> --
> Stephen Berg
> Systems Administrator
> NRL Code: 7320
> Office: 228-688-5738
> [email protected]
>
> _______________________________________________
> omd-users mailing list
> [email protected]
> http://lists.mathias-kettner.de/mailman/listinfo/omd-users


-- 
Stephen Berg
Systems Administrator
NRL Code: 7320
Office: 228-688-5738
[email protected]
