Can't get Parent/child config. behind nginx with SSL streaming working.

Hello

Environment

Ubuntu 20.04 kickstart install
Parent/child config working

Problem/Question

Using this configuration:

netdata.conf:

ssl key = /etc/netdata/key.pem
ssl certificate = /etc/netdata/cert.pem
bind to = 127.0.0.1:19999=dashboard|netdata.conf example.com:19998=streaming^SSL=force

While behind an nginx reverse proxy with recommended conf in the docs for a subfolder to an existing virtual host (Running Netdata behind Nginx | Learn Netdata)

Streaming works fine on 19998.
However, Netdata answers HTTP 301 to nginx's non-SSL requests:

2021-12-06 11:32:01: 3: 3727669 '[localhost]:43122' 'DATA' (sent/all = 251/498 bytes -50%, prep/sent/total = 0.08/0.26/0.34 ms) 301 '/netdata.conf'

This breaks access to the dashboard.

I get the same issue when running the following:

curl http://localhost:19999/netdata.conf

=> HTTP/1.1 301 Moved Permanently
Location: https://localhost:19999/netdata.conf

I expect no redirection, since port 19999 has no SSL option in my "bind to".

Did I miss something?

Hello,

When I worked with nginx I also had to configure my /etc/nginx/nginx.conf, this was the configuration I used:

server {
    listen       8081 ssl;
    server_name  localhost;
    stub_status;

    #charset koi8-r;

    #access_log  logs/host.access.log  main;

    #location / {
    #    root   /var/www/html;
    #    index  index.html index.htm;
    #}

    #auth_basic           "Administrator's Area";
    #auth_basic_user_file /etc/nginx/.htpasswd;
    location / {
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https; #New
        proxy_http_version 1.1;
        proxy_pass_request_headers on;
        proxy_set_header Connection "keep-alive";
        proxy_store off;
        gzip on;
        gzip_proxied any;
        gzip_types *;
        rewrite ^/netdata(/.*)$ $1 break;
        proxy_pass http://localhost:20000;
    }

    #ssl on;
    ssl_certificate /etc/nginx/cert.pem;
    ssl_certificate_key /etc/nginx/key.pem;

    #error_page  404              /404.html;
    location = /50x.html {
        root   /var/www/html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}
}

And my netdata parent had the following configuration:

[web]
    ssl key = /etc/netdata/ssl/key.pem
    ssl certificate = /etc/netdata/ssl/cert.pem
    bind to = *=dashboard|registry|streaming|management|netdata.conf|badges *:20000=dashboard|registry|streaming|netdata.conf|badges|management^SSL=optional *:20001=dashboard|registry|streaming|badges|management^SSL=force unix:/tmp/netdata/netdata.sock *:20002=streaming^SSL=optional

You can use the same SSL/TLS certificates for netdata and nginx, but it is best to have different certificates.

Best regards!

Thanks for your answer, but tuning the nginx conf shouldn't change anything for the local curl part:

Hello,

Let me explain what is happening. When Netdata is using TLS/SSL and you try to access it over HTTP instead of HTTPS, you will be redirected to the HTTPS request. The 301 that you are receiving is the redirect to the new location. When browsers receive this message, they follow the new address.

Best regards!

Hello,
I'd agree with you if I had set my "bind to" to use SSL on both ports, but this is not the case.

As per my “bind to” config,

bind to = 127.0.0.1:19999=dashboard|netdata.conf example.com:19998=streaming^SSL=force

I don’t expect to be redirected to https on 19999.

All in all, I want HTTP on dashboard/netdata.conf and forced SSL for streaming.

Regards

Hi, @gaelteractys. I think ^SSL=optional will solve the issue. The option is described in the TLS/SSL enforcement doc.

SSL setting   HTTP requests         HTTPS requests   Unencrypted streams   Encrypted streams
none          Redirected to HTTPS   Accepted         Accepted              Accepted
force         Redirected to HTTPS   Accepted         Denied                Accepted
optional      Accepted              Accepted         Accepted              Accepted
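As an added example (not Netdata's own code) of checking a "bind to" line against that table: it parses each listener, assuming the entry grammar address[:port][=service|service...][^SSL=mode] seen in the lines quoted in this thread, and lists the web listeners that will answer plain HTTP with a 301 once certificates are defined, so the effect of adding ^SSL=optional can be confirmed before restarting.

```python
"""Added example (not Netdata code): predict from a ``bind to`` line which
listeners answer plain HTTP with a 301 once TLS certificates are set. The
entry grammar is inferred from this thread; other forms are not covered."""
from dataclasses import dataclass, field

# Behaviour table from the TLS/SSL enforcement doc quoted in the thread:
# (HTTP requests, HTTPS requests, unencrypted streams, encrypted streams)
SSL_BEHAVIOUR = {
    "none":     ("redirected to HTTPS", "accepted", "accepted", "accepted"),
    "force":    ("redirected to HTTPS", "accepted", "denied", "accepted"),
    "optional": ("accepted", "accepted", "accepted", "accepted"),
}
# Services answered by the web server (as opposed to the streaming receiver).
WEB_SERVICES = {"dashboard", "netdata.conf", "badges", "registry", "management"}

@dataclass
class Listener:
    address: str
    port: "int | None"
    services: list = field(default_factory=list)  # empty list = all services
    ssl: str = "none"                              # ^SSL=... suffix, default none

def parse_bind_to(value: str) -> list:
    listeners = []
    for entry in value.split():                 # entries are space-separated
        ssl = "none"
        if "^SSL=" in entry:
            entry, ssl = entry.split("^SSL=", 1)
            ssl = ssl.lower()
            if ssl not in SSL_BEHAVIOUR:
                raise ValueError(f"unknown SSL mode {ssl!r} in {entry!r}")
        addr, _, svc = entry.partition("=")     # "=svc|svc" names the services
        services = [s for s in svc.split("|") if s]
        port = None
        host, sep, last = addr.rpartition(":")
        if sep and last.isdigit():              # "127.0.0.1:19999" -> port 19999
            addr, port = host, int(last)        # unix:/path keeps its full address
        listeners.append(Listener(addr, port, services, ssl))
    return listeners

def http_redirect_listeners(value: str) -> list:
    """Return "addr:port" for each web listener whose HTTP requests get a 301."""
    hits = []
    for l in parse_bind_to(value):
        serves_web = not l.services or bool(WEB_SERVICES & set(l.services))
        if serves_web and SSL_BEHAVIOUR[l.ssl][0].startswith("redirected"):
            hits.append(f"{l.address}:{l.port}" if l.port else l.address)
    return hits
```

Run it on the asker's line and the list contains 127.0.0.1:19999; add ^SSL=optional to that entry and the list is empty, while the streaming-only 19998 entry is never listed.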

That's exactly what I missed!
For some reason I didn't see this:

When the certificates are defined and unless any other options are provided, a Netdata server will:

  • Redirect all incoming HTTP web server requests to HTTPS. Applies to the dashboard, the API, netdata.conf and badges.
  • Allow incoming child connections to use both unencrypted and encrypted communications for streaming.

Thanks a lot.