Netdata Community

Can't get Parent/child config. behind nginx with SSL streaming working.

Hello

Environment

Ubuntu 20.04 kickstart install
Parent/child config working

Problem/Question

Using this configuration :

netdata.conf :

ssl key = /etc/netdata/key.pem
ssl certificate = /etc/netdata/cert.pem
bind to = 127.0.0.1:19999=dashboard|netdata.conf example.com:19998=streaming^SSL=force

While behind an nginx reverse proxy with recommended conf in the docs for a subfolder to an existing virtual host (Running Netdata behind Nginx | Learn Netdata)

Streaming works fine on 19998.
However Netdata answers http 301 to nginx’s non ssl requests :

2021-12-06 11:32:01: 3: 3727669 '[localhost]:43122' 'DATA' (sent/all = 251/498 bytes -50%, prep/sent/total = 0.08/0.26/0.34 ms) 301 '/netdata.conf'

This breaks access to the dashboard.

I get the same issue when running the following :

curl http://locahost:19999/netdata.conf

=> HTTP/1.1 301 Moved Permanently
Location: https://localhost:19999/netdata.conf

I expect no redirection since port 19999 has no SSL option in my “bind to”

Did I miss something ?

Hello,

When I worked with nginx I also had to configure my /etc/nginx/nginx.conf, this was the configuration I used:

server {
        listen       8081 ssl;
        server_name  localhost;
        stub_status;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        #location / {
        #    root   /var/www/html;
        #    index  index.html index.htm;
        #}

                #auth_basic           "Administrator’s Area";
        #auth_basic_user_file /etc/nginx/.htpasswd;
        location / {
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Host $host:$server_port;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https; #New
            proxy_http_version 1.1;
            proxy_pass_request_headers on;
            proxy_set_header Connection "keep-alive";
            proxy_store off;
            gzip on;
            gzip_proxied any;
            gzip_types *;
            rewrite ^/netdata(/.*)$ $1 break;
            proxy_pass http://localhost:20000;
         }

         #ssl on;
         ssl_certificate /etc/nginx/cert.pem;
         ssl_certificate_key /etc/nginx/key.pem;

        #error_page  404              /404.html;
        location = /50x.html {
            root   /var/www/html;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}
    }

And my netdata parent had the following configuration:

[web]
        ssl key = /etc/netdata/ssl/key.pem
        ssl certificate = /etc/netdata/ssl/cert.pem
       bind to = *=dashboard|registry|streaming|management|netdata.conf|badges *:20000=dashboard|registry|streaming|netdata.conf|badges|management^SSL=optional *:20001=dashboard|registry|streaming|badges|management^SSL=force unix:/tmp/netdata/netdata.sock *:20002=streaming^SSL=optional

You can use the same SSL/TLS certificates for netdata and nginx, but the best is to have different certificates.

Best regards!

Thanks for your answer but tuning the nginx conf shouldn’t improve anything to the local curl part :

Hello,

Let me explain for you what is happening. When Netdata is using TLS/SSL, and you try to access http instead https, you will be redirected for https request. The 301 that you are receiving is the redirect for the new location. When browsers receive this message, they follow to new address.

Best regards!

Hello,
I’d agree with you if I set my “bind to” to use SSL on both ports. But this is not the case.

As per my “bind to” config,

bind to = 127.0.0.1:19999=dashboard|netdata.conf example.com:19998=streaming^SSL=force

I don’t expect to be redirected to https on 19999.

All in all I want to http on dashboard/netdata.conf and force SSL for streaming.

Regards

Hi, @gaelteractys. I think ^SSL=optional will solve the issue. The option is described in TLS/SSL enforcement doc.

SSL setting HTTP requests HTTPS requests Unencrypted Streams Encrypted Streams
none Redirected to HTTPS Accepted Accepted Accepted
force Redirected to HTTPS Accepted Denied Accepted
optional Accepted Accepted Accepted Accepted

That’s exactly what I missed !
For some reason I didn’t see this :

When the certificates are defined and unless any other options are provided, a Netdata server will:

  • Redirect all incoming HTTP web server requests to HTTPS. Applies to the dashboard, the API, netdata.conf and badges.
  • Allow incoming child connections to use both unencrypted and encrypted communications for streaming.

Thanks a lot.