Is it possible to use the nginx webserver as SSL proxy for PRTG?
Using nginx web server as SSL Proxy for PRTG
Votes:
0
6 Replies
Votes:
2
This article applies to PRTG Network Monitor 12 or later
This article does NOT describe a full configuration of nginx. You might need to apply some security adjustments!!!
Using nginx Web Server as SSL Proxy for PRTG
There are some prerequisites that must be met if you plan to follow this article:
- Basic knowledge of the nginx web server
- A running nginx web server
- Make sure the machine running PRTG is accessible from the machine running nginx
Configure PRTG
- On the machine running the PRTG core server, open the PRTG Administration Tool on your core server system and configure the PRTG web server to run without SSL on http (a custom http port may be used).
- In the PRTG web interface, configure the same DNS name (Setup | System & Website, option DNS name) as you will use for the nginx later.
Configure nginx
Note: For reasons of simplicity we used the SSL certificates which are delivered with PRTG.
- Copy the PRTG certificate files (prtg.crt and prtg.key) from the machine where PRTG is installed (<PRTG Program Directory>\cert) to the machine where nginx is running (in this example to /var/www/cert).
- Create a new file called vhost_prtg_ssl in your sites-available directory
- Put the following content in it:
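    server {
        # "ssl" on the listen line replaces the separate "ssl on;" directive,
        # which current nginx releases no longer accept
        listen 443 ssl;
        server_name yourdomain.com;

        # Certificate and key copied from the PRTG machine
        ssl_certificate /var/www/cert/prtg.crt;
        ssl_certificate_key /var/www/cert/prtg.key;
        ssl_session_timeout 5m;

        # Protocol and cipher selection
        ssl_protocols TLSv1;
        ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
        ssl_prefer_server_ciphers on;

        # Forward every request to the PRTG web server over plain HTTP
        location / {
            proxy_pass http://YOUR_PRTG_SERVER;
        }
    }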
- Replace the server_name ("yourdomain.com" in this case) with the DNS name set up in PRTG (please make sure you have a valid A-Record for the used domain).
- Replace "YOUR_PRTG_SERVER" with the internal server name used for PRTG (the IP also can be used). Don't forget to add the port if you use a non-standard port.
- Because PRTG runs in normal HTTP mode, it will create links without https, so we will have to redirect them from http to https in nginx. To achieve this, create another file in your sites-available directory called vhost_prtg.
- Put the following content in it:
    server {
        listen 80;
        server_name yourdomain.com;
        rewrite ^(.*) https://$host$1 permanent;
    }
- Replace the ServerName ("yourdomain.com" in this case) with the DNS name set up in PRTG (please make sure you have a valid A-Record for the used domain).
- The ServerName and the DNS name set up in PRTG have to match in all files and in PRTG itself.
- This will make nginx redirect all http requests to https.
- Then either create a symbolic link ("ln -s source target") in your sites-enabled directory for the just created files or just copy them over from sites-enabled.
- (Re)start your nginx web server. Now you should be able to connect to PRTG via your SSL proxy.
Note: All external PRTG applications (Enterprise Console, PRTG for Android, PRTG for iOS) should work with this solution as well.
Any feedback on the article or further suggestions are highly appreciated.
Created on Jan 18, 2016 3:45:18 PM by
Konstantin Wolff [Paessler Support]
Last change on Oct 22, 2019 11:11:29 AM by
Brandy Greger [Paessler Support]
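A tightened variant of the two server blocks from the article above, added here as an example and not Paessler's own configuration: it keeps the article's certificate paths and placeholders (yourdomain.com, YOUR_PRTG_SERVER) but limits TLS to 1.2/1.3 with AEAD cipher suites in place of TLSv1 and the ALL/LOW/EXP cipher string. The cipher list, session settings, HSTS header and forwarded headers are choices made for this example; whether PRTG evaluates the X-Forwarded-* headers is not stated on this page.

```nginx
# Added example: hardened variant of vhost_prtg_ssl and vhost_prtg.
# yourdomain.com and YOUR_PRTG_SERVER are the article's placeholders.

server {
    listen 443 ssl;
    server_name yourdomain.com;

    # Certificate and key copied from <PRTG Program Directory>\cert.
    # Keep this directory outside any served "root" and make the key
    # readable only by the user that starts nginx.
    ssl_certificate     /var/www/cert/prtg.crt;
    ssl_certificate_key /var/www/cert/prtg.key;

    # TLS 1.2 and 1.3 only (TLSv1.3 needs nginx built against OpenSSL 1.1.1+).
    ssl_protocols TLSv1.2 TLSv1.3;

    # TLS 1.2 suites: ECDHE key exchange with AEAD ciphers only.
    # ssl_ciphers does not affect the TLS 1.3 suites.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    ssl_session_timeout 5m;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_tickets off;

    # Tell browsers to use https only for this host (assumed policy choice).
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://YOUR_PRTG_SERVER;
        # Pass the public host name and client details to the backend.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 80;
    server_name yourdomain.com;
    # Same effect as the article's rewrite rule: send all http to https.
    return 301 https://$host$request_uri;
}
```

Running `nginx -t` checks both files for syntax errors before the restart.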
Votes:
0
This configuration assumes that someone is going to be using a separate domain or subdomain for PRTG, but people generally use a folder on an existing domain or subdomain. So they would want to use https://my.domain/prtg/, instead of https://prtg.my.domain or https://myprtgdomain.com.
I tested the above configuration and it does indeed work, but only when using a separate domain or subdomain. As soon as you change "location /" to "location /subfolder", the configuration breaks and gives a not found error. My guess would be that something within PRTG is hard-coded to use /, so if you're not using the root of a domain or subdomain it's going to break.
Votes:
0
Not tested with URL path proxying yet. So yes, this setup only works with a (sub-)domain.
Votes:
0
I'm curious as to why we need to turn off SSL for the PRTG web interface? Before finding this article, I left SSL on and configured Nginx to redirect proxy_pass to my PRTG server on HTTPS.
This *appears* to work in my setup, so is the recommendation simply to reduce overhead of encryption/decryption? Or is it for another reason I'm not understanding?
Having SSL on the website is helpful for a number of reasons; Chrome (my preferred browser) moans a lot when using non-HTTPS sites. Also, Chrome's built-in ability to suggest saved passwords won't work if the site is non-HTTPS.
Thanks.
Votes:
0
Hi there,
This is hard to tell, the guide is already 3 years old and things can change. If the setup works with enabled SSL, then keep it that way.
Best regards.
Votes:
0
Hello Jason,
Probes communicate with the probe on TCP 23560, see:
https://kb.paessler.com/en/topic/69754-remote-probe-connection
Are your probes disconnected completely after implementing this?
Regards, Oscar