New Question
 
 
PRTG Network Monitor

Intuitive to Use.
Easy to manage.

200.000 administrators have chosen PRTG to monitor their network. Find out how you can reduce cost, increase QoS and ease planning, as well.

Free PRTG
Download >>

 

What is this?

This knowledgebase contains questions and answers about PRTG Network Monitor and network monitoring in general. You are invited to get involved by asking and answering questions!

Learn more

 

Top Tags


View all Tags


Using nginx Webserver as SSL Proxy for PRTG

Votes:

0

Your Vote:

Up

Down

Is it possible to use the nginx webserver as SSL proxy for PRTG?

nginx ssl ssl-proxy

Created on Jan 18, 2016 3:34:09 PM by  Konstantin Wolff [Paessler Support]



5 Replies

Accepted Answer

Votes:

2

Your Vote:

Up

Down

This article applies to PRTG Network Monitor 12 or later

This article does NOT describe a full configuration of nginx. You might need to apply some security adjustments!!!

Using nginx Webserver as SSL Proxy for PRTG

There are some prerequisites that must be met if you plan to follow this article:

  • Basic knowledge of the nginx Webserver
  • A running nginx web server
  • Make sure the machine running PRTG is accessible from the machine running nginx

Configure PRTG

  • On the machine running the PRTG core server, open the PRTG Administration Tool on your core server system and configure the PRTG web server to run without SSL on http (a custom http port may be used).
  • In the PRTG web interface, configure the same DNS name (Setup | System & Website, option DNS name) as you will use for the nginx later.

Configure nginx

Note: For reasons of simplicity we used the SSL certificates which are delivered with PRTG.

  • Copy the PRTG certificate files (prtg.crt and prtg.key) from the machine where PRTG is installed (<PRTG Program Directory>\cert) to the machine where nginx is running (in this example to /var/www/cert).
  • Create a new file called vhost_prtg_ssl in your sites-available directory
  • Put the following content in it:
server {
       listen 443;
       server_name yourdomain.com;

       ssl on;
       ssl_certificate /var/www/cert/prtg.crt;
       ssl_certificate_key /var/www/cert/prtg.key;

       ssl_session_timeout 5m;

       ssl_protocols TLSv1;
       ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
       ssl_prefer_server_ciphers on;

       location / {
               proxy_pass http://YOUR_PRTG_SERVER;
       }
}
  • Replace the server_name ("yourdomain.com" in this case) with the DNS name set up in PRTG (please make sure you have a valid A-Record for the used domain).
  • Replace "YOUR_PRTG_SERVER" with the internal server name used for PRTG (the IP also can be used). Don't forget to add the port if you use a non standard port.
  • Because PRTG runs in normal HTTP mode so it will create links without https, we will have to redirect them from http to https in nginx. To achieve this, create another file in your sites-available directory called vhost_prtg.
  • Put the following content in it:
server {
       listen 80;
       server_name yourdomain.com;
       rewrite ^(.*) https://$host$1 permanent;
}

  • Replace the ServerName ("yourdomain.com" in this case) with the DNS name set up in PRTG (please make sure you have a valid A-Record for the used domain).
  • The ServerName and the set up DNS name in PRTG have to match in all files resp. PRTG itself
  • This will make nginx redirect all http requests to https.
  • Then either create a symbolic link ("ln -s source target") in your sites-enabled directory for the just created files or just copy them over from sites-enabled.
  • (Re)start your nginx webserver. Now you should be able to connect to PRTG via your SSL proxy.

Note: All external PRTG applications (Enterprise Console, PRTG for Android, PRTG for iOS) should work with this solution as well.

Any feedback on the article or further suggestions are highly appreciated.

See also

Created on Jan 18, 2016 3:45:18 PM by  Konstantin Wolff [Paessler Support]

Last change on Jan 19, 2016 11:47:31 AM by  Konstantin Wolff [Paessler Support]



Votes:

0

Your Vote:

Up

Down

This configuration assumes that someone is going to be using a separate domain or subdomain for PRTG, but people generally use a folder on an existing domain or subdomain. So they would want to use https://my.domain/prtg/, instead of https://prtg.my.domain or https://myprtgdomain.com.

I tested the above configuration and it does indeed work, but only when using a separate domain or subdomain. As soon as you change "location /" to "location /subfolder", the configuration breaks and gives a not found error. My guess would be the something within PRTG is hard-coded to use /, so if you're not using the root of a domain or subdomain it's going to break.

Created on Jan 18, 2016 8:55:34 PM by  gjch (0) 2

Last change on Jan 19, 2016 3:26:46 PM by  gjch (0) 2



Votes:

0

Your Vote:

Up

Down

Not tested with URL path proxying yet. So yes, this setup only works with a (sub-)domain.

Created on Jan 19, 2016 12:32:31 PM by  Konstantin Wolff [Paessler Support]



Votes:

0

Your Vote:

Up

Down

I'm curious as to why we need to turn off SSL for the PRTG web interface? Before finding this article, I left SSL on and configured Nginx to redirect proxy_pass to my PRTG server on HTTPS.

This *appears* to work in my setup, so is the recommendation simply to reduce overhead of encryption/decryption? or is it for another reason I'm not understanding.

Having SSL on the website is helpful for a number of reasons; Chrome (my preferred browser) moans a lot when using non-HTTPS sites. Also, Chrome's built-in ability to suggest saved passwords won't work if the site is non-HTTPS.

Thanks.

Created on Jun 6, 2019 3:31:30 PM by  miyo360 (0) 2



Votes:

0

Your Vote:

Up

Down

Hi there,

This is hard to tell, the guide is already 3 years old and things can change. If the setup works with enabled SSL, then keep it that way.

Best regards.

Created on Jun 6, 2019 6:49:49 PM by  Dariusz Gorka [Paessler Support]



Please log in or register to enter your reply.


Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.