Is it possible to use the Apache webserver as SSL proxy for PRTG?
Using Apache Web Server as SSL Proxy for PRTG
Votes:
1
9 Replies
Votes:
1
This article applies to PRTG Network Monitor 12 or later
This article does NOT describe a full configuration of Apache. You might need to apply some security adjustments!!!
Using Apache Web Server as SSL Proxy for PRTG
There are some prerequisites that must be met if you plan to follow this article:
- Basic knowledge of the Apache Webserver and rewrite rules
- A running Apache web server
- Activated modules: mod_ssl, mod_proxy, mod_proxy_http, mod_rewrite
- Make sure the machine running PRTG is accessible from the machine running Apache
Configure PRTG
- On the machine running the PRTG core server, open the PRTG Server Administrator tool and configure the PRTG web server to run without SSL on http (a custom http port may be used).
- In the PRTG web interface, configure the same DNS name (Setup | System & Website, option DNS name) as you will use for the Apache later.
Configure Apache
Note: For reasons of simplicity we used the SSL certificates which are delivered with PRTG. If you want to use your own SSL cert, please see: SSL Certificate Installation in Apache
- Copy the PRTG certificate files (prtg.crt and prtg.key) from the machine where PRTG is installed (<PRTG Program Directory>\cert) to the machine where Apache is running (in this example to /var/www/cert).
- Create a new file called vhost_prtg_ssl in your sites-available directory
- Put the following content in it:
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName yourdomain.com

    RewriteEngine on
    RewriteRule ^/(.*)$ http://YOUR_PRTG_SERVER/$1 [P,L]

    ErrorLog ${APACHE_LOG_DIR}/error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

    SSLEngine on
    SSLCertificateFile /var/www/cert/prtg.crt
    SSLCertificateKeyFile /var/www/cert/prtg.key
</VirtualHost>
</IfModule>
- -> Replace the ServerName ("yourdomain.com" in this case) with the DNS name set up in PRTG (please make sure you have a valid A-Record for the used domain).
- -> Replace "YOUR_PRTG_SERVER" with the internal server name used for PRTG (the IP also can be used). Don't forget to add the port if you use a non standard port.
- Since PRTG runs in normal HTTP mode and thus it will create links without https, we will have to redirect them from http to https in Apache. To achieve this, create another file in your sites-available directory called vhost_prtg.
- Put the following content in it:
<VirtualHost *:80>
    ServerName yourdomain.com
    RewriteEngine on
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*)$ https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>
- -> Replace the ServerName ("yourdomain.com" in this case) with the DNS name set up in PRTG (Please make sure you have a valid A-Record for the used domain)
- The ServerName and the set up DNS name in PRTG have to match in all files resp. PRTG itself
- --> This will make Apache redirect all http requests to https.
- Then either create a symbolic link ("ln -s source target") in your sites-enabled directory for the just created files or just copy them over from sites-enabled.
- Restart your Apache Webserver. Now you should be able to connect to PRTG via your SSL Proxy
Note: All external PRTG applications (Enterprise Console, PRTGdroid, iPRTG) should work with this solution as well.
Any feedback on the article or further suggestions are highly appreciated.
Created on Oct 11, 2012 9:17:14 AM by
Konstantin Wolff [Paessler Support]
Last change on Oct 22, 2019 11:09:01 AM by
Brandy Greger [Paessler Support]
Votes:
0
You also missed:
- Enable the SSL module:
  sudo a2enmod ssl
  sudo a2enmod rewrite
- Disable the default config with:
  sudo a2dissite 000-default.conf
- The config files should be vhost_prtg_ssl.conf and vhost_prtg.conf, respectively. This is in order to be compliant with the Apache config file modularity.
- Then enable both site configs with:
  sudo a2ensite vhost_prtg_ssl
  sudo a2ensite vhost_prtg
  sudo service apache2 reload
  (with this you can skip the part: Then either create a symbolic link ("ln -s source target") in your sites-enabled directory for the just created files or just copy them over from sites-enabled.)
Votes:
0
Can I use Apache as reverseproxy to handle PRTG as context?
https://mydomain.com/prtg -> http://myprtgserver
Best Regards Christian
Votes:
0
Hello Christian,
please excuse the delay in our reply.
I was informed by the article's author that this is currently not possible due to the way PRTG internally handles links.
Best Regards,
Luciano Lingnau [Paessler Support]
Votes:
0
Hello
Is it possible to use SSL between Apache and PRTG? Otherwise all passwords are transferred in plaintext between the proxy and the PRTG webserver.
We use the SSL proxy to access the webserver from the internet (for app without VPN).
Cheers
Votes:
0
Dear vps,
I don't know about Apache's side, but PRTG can use HTTPS. This can be configured in the PRTG Administration Tool.
Votes:
0
Hello
I figured out how to use an apache as a reverse proxy for PRTG while still being able to use internal HTTPS certificate:
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName YOUR_SERVER.COM
    DocumentRoot /var/www/html

    ErrorLog ${APACHE_LOG_DIR}/error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

    SSLEngine on
    # Adjust the following two lines to use your own certificate (Let's Encrypt works fine)
    SSLCertificateFile /etc/letsencrypt/live/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/privkey.pem

    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off

    # Adjust following two lines according to your infrastructure
    ProxyPass / "https://INTERNAL_IP_OR_DNSNAME:443/"
    ProxyPassReverse / "https://EXTERNAL_IP_OR_DNSNAME:443/"
</VirtualHost>
</IfModule>
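The configuration above encrypts the hop between Apache and PRTG but switches off every check on the backend certificate. As an added example (not part of the original post and not Paessler's configuration), the same virtual host with backend verification enabled; the backend name `prtg.internal.example` and the CA file path are hypothetical, and it assumes PRTG has been switched to HTTPS with a certificate issued for that name.

```apache
# Added example, not from the original thread. Hypothetical values:
#   prtg.internal.example                 DNS name of the PRTG core server
#   /etc/apache2/ssl/prtg-backend-ca.pem  CA that issued the certificate PRTG serves
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName YOUR_SERVER.COM

    # Certificate presented to browsers and apps (paths as in the post above)
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/privkey.pem

    # Apache acts as a TLS client towards PRTG
    SSLProxyEngine on

    # Post above: "SSLProxyVerify none" accepts any certificate, so the
    # encrypted hop gives no assurance about which server is on the other end.
    # Here the backend certificate must chain to the CA file below.
    SSLProxyVerify require
    SSLProxyVerifyDepth 2
    SSLProxyCACertificateFile /etc/apache2/ssl/prtg-backend-ca.pem

    # Post above: "SSLProxyCheckPeerName off" / "SSLProxyCheckPeerCN off".
    # With the name check on, the host name in ProxyPass must match the
    # backend certificate's subjectAltName or CN. SSLProxyCheckPeerCN is
    # only consulted when SSLProxyCheckPeerName is off, so it is omitted.
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on

    # Use the name the backend certificate was issued for
    ProxyPass        / "https://prtg.internal.example:443/"
    ProxyPassReverse / "https://prtg.internal.example:443/"
</VirtualHost>
</IfModule>
```

If the backend certificate does not match, Apache refuses the proxied connection and logs the verification failure in the error log, which is the intended behaviour.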
Votes:
0
Since this information is at least 3 years old, I would like to do some follow-up.
Here is my vhost config for PRTG:
## monitoring
<VirtualHost *:80>
    ServerName monitoring.domain.com
    RewriteEngine on
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*)$ https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>

## SSL_monitoring.domain.com
<VirtualHost *:443>
    SSLEngine on
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLCertificateFile /_CERT/fullchain.pem
    SSLCertificateKeyFile /_CERT/privkey.pem
    SSLProxyVerify none
    ProxyPreserveHost On
    Protocols h2 http/1.1
    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    ServerName monitoring.domain.com
    <Proxy *:443>
        Order allow,deny
        Allow from all
    </Proxy>
    SSLProxyEngine on
    ProxyPass / http://10.1.1.6:80/ retry=3 timeout=3000
    ProxyPassReverse / http://10.1.1.6:80/
    ErrorLog ${APACHE_LOG_DIR}/monitoring.domain.com.log
    CustomLog ${APACHE_LOG_DIR}/monitoring.domain.com.log combined
</VirtualHost>
and this is my vhost ssl settings:
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder off
SSLSessionTickets off
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
Settings on prtg:
- no ssl
- port 80
my apache version is:
Apache/2.4.38 (Debian)
It seems that everything is working, but accessing from outside, the devices are not showing up. The devices tab is completely empty.
Also tested nginx - facing same issue.
Anyone facing similar problems?
Votes:
0
Yaya,
Are you logging into PRTG as an administrator account? Can you try logging into it with an incognito tab?
Benjamin Day
[Paessler Support]