Hello, I find that when I enable Apache2 headers module, Monit GUI inside ISPConfig v3 is blocked. Apache2 module headers is required to provide web site cache control. Now, my question is: How do I configure module headers to avoid blocking Monit GUI? My system is: Ubuntu 20.04.2, ISPConfig v3.2.5.
I believe headers is required for ispconfig itself, it should always be on. There have been a handful of posts on access to monit in the last year or so which you can search up; I don't remember the specifics, and haven't tried to set it up in a few years personally.
I see. It is still a security measure of modern browsers to block in-frame credential submission. Perhaps, it is a security feature rather than an issue.
It seems there may have been a pretty simple configuration to address that. I had a more complex way using a reverse proxy that worked and addressed the security issues, but was probably too complicated for most folks to bother with (and in the end, I never use the monit ui anyways...).
This I have discussed before and the solution is to set your ip in monitrc where 0.0.0.0 is for all to access. I already gave a few samples on this in my previous posts. I will provide them later if you cannot find them.
Your method is so complicated that I will probably corrupt my system. The simplest method is to give up in-frame GUI and use full page auth method.
Yes, mine is the same as yours. No matter what I did, once I disable apache2 headers module, in-frame Monit GUI will appear! The focus is headers module.
Noted. I did nothing to ispconfig.vhost though but mine is running nginx instead of apache2 so I don't have that apache2 header module.
Hey Guys! A very simple method suddenly came to my mind! If we load apache2 headers module globally in apache2 main conf, how do we unload it precisely in https://ispconfigserver.example.com:8080/ ? I know there is a standard method to do this but how?!?
You don't want to eliminate the headers module, or you lose very common, and often required, functionality. You also reduce your security. With the behavior you describe, it's likely one of the security headers which causes the issue with monit, it would be better to just change the offending header so that monit functions. That is the simple solution I mentioned above, though I don't recall which header it was, I'd guess either X-Frame-Options or Content-Security-Policy (adjusting frame-src). You could try removing both those headers, see if monit works, and if so, add back one at a time to see which ones you need to work with. (I think there was a post in the forum here describing it .. in fact, after a quick search, it turns out to be in the same thread where I posted my overly complex setup.)
Yes, that guy's method is final and simplest. I have improved it as: Edit file /etc/apache2/sites-available/ispconfig.vhost so that Cheers! ISPConfig Team please append this to your next patch! This method loads Monit GUI very fast!
Want to log an issue before it's forgotten? To clarify, example.com is the domain you are running monit on? I wonder if the port can be specified, and likewise maybe should test using an ip address, but that seems like a good change to include.
To clarify, example.com is the top level domain of ISPConfig server installed on ispconfig.example.com. Using example.com seems more logical because an IP address is shared by many sites with their own domain names. My proposed code confines itself to ispconfig.example.com. Also, /etc/apache2/sites-available/ispconfig.vhost defaults to port 8080. There is no need to specify one more time.
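For the Content-Security-Policy half of the header-by-header check suggested earlier in the thread, the following added example (not code from any poster or from ISPConfig) evaluates whether a page's policy lets it embed a given frame URL, using the frame-src, child-src, default-src fallback order. The hostnames, the Monit port 2812 and both policy strings are constructed assumptions, and the source matching is simplified (no paths, no IPv6 literals).

```python
from urllib.parse import urlsplit
DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """(scheme, host, port) of a URL, with the scheme's default port filled in."""
    u = urlsplit(url)
    return u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme)

def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence wins
    return policy

def source_matches(src, frame_url, page_url):
    """Simplified CSP source matching against the URL to be framed."""
    scheme, host, port = origin(frame_url)
    if src == "*":
        return scheme in ("http", "https")
    if src.lower() == "'self'":                  # same scheme, host AND port
        return origin(frame_url) == origin(page_url)
    if src.startswith("'"):                      # 'none', nonces, hashes
        return False
    if src.endswith(":"):                        # scheme-source such as https:
        return src[:-1].lower() == scheme
    s_scheme, _, rest = src.rpartition("://")
    s_host, _, s_port = rest.split("/", 1)[0].lower().partition(":")
    if (s_scheme.lower() or origin(page_url)[0]) != scheme:
        return False
    host_ok = host.endswith(s_host[1:]) if s_host.startswith("*.") else host == s_host
    # A source written without a port only matches the scheme's default port.
    port_ok = s_port == "*" or port == (int(s_port) if s_port else DEFAULT_PORTS.get(scheme))
    return host_ok and port_ok

def frame_allowed(page_url, csp, frame_url):
    """True if the embedding page's CSP permits loading frame_url in a frame."""
    policy = parse_csp(csp)
    for directive in ("frame-src", "child-src", "default-src"):
        if directive in policy:
            return any(source_matches(s, frame_url, page_url) for s in policy[directive])
    return True  # no governing directive: CSP does not restrict framing

PAGE = "https://ispconfig.example.com:8080/"    # constructed: the panel page
MONIT = "https://ispconfig.example.com:2812/"   # constructed: assumed Monit URL
STRICT = "default-src 'self' 'unsafe-inline'"   # constructed policy
RELAXED = STRICT + "; frame-src 'self' https://ispconfig.example.com:2812"
```

With these constructed values, `frame_allowed(PAGE, STRICT, MONIT)` is false because a different port is a different origin, while `RELAXED` permits only the one extra frame source and leaves the rest of the policy in place.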