Monit window blank in ISPConfig web GUI

Discussion in 'Installation/Configuration' started by Thibaut, Nov 30, 2019.

  1. Thibaut

    Thibaut New Member

    I know that this subject has been discussed in this other thread (76160), unfortunately I don't seem to be allowed to reply there (You have insufficient privileges to reply here), and I cannot insert links either that's why I only inserted a reference to the thread :(
    Since the subject has not evolved since April, and since I am facing the exact problem that is described (modern browsers do not allow iframes passing login credentials in the URL anymore), I was wondering if a workaround was possible.

    The Monit configuration on the system is working correctly allowing access to https : // my.server.ip:2812, which is password protected...
    I saw the workaround for Munin was to symlink the Munin directory as a sub-directory inside ISPConfig's root directory.
    ln -s /var/cache/munin/www /usr/local/ispconfig/interface/web/munin
    This works because Munin is generating "real" html files that can be accessed using this workaround (although the graph zoom feature is broken).
    Monit being a "standalone" application generating its content on the fly and not using apache (or nginx) to serve its pages, I guess a workaround is much harder, or even impossible, to find?

    As @till replied in April in this other thread that a workaround might be presented in a future release, and since I think there have been 5 (minor) releases since then, I was wondering if any of the bright guys behind ISPConfig could figure out a solution to this problem?
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    I have a nice solution for apache that I should dig up and post. I started writing a tutorial for "everything" to setup beyond the debian 9 perfect server guide and can see that was a mistake, as the scope is way to big to complete, and in practice is never complete; some solutions and code exists nowhere else but that unfinished tutorial, and now I have almost no debian 9 servers left to reference in order to do so. The apache config and the monit config is pretty straightforward, though i think it relied on a lets encrypt certificate for the server which was setup and managed in separate places, so can't just cut&paste a solution as quickly. I'll try to get it put together sometime and post it.
    ahrasis likes this.
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    @Jesse Norell: Maybe split it into several small tutorials / topics?
    ahrasis likes this.
  4. Thibaut

    Thibaut New Member

    Hello @Jesse Norell,
    It would be SO GREAT if you could share what you've done to manage displaying the secured Monit page inside ISPConfig's Web GUI, even the "main lines" might possibly be sufficient to get me on the track and achieve it by myself!?
    Thanks already for your reply, looking forward reading more about your solution in hope that it might bring a functioning solution to a situation that, I guess, many users must be facing.
    Best regards.
  5. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    I was going to try a more complete guide for just the monit/apache setup, but it's not quick, so here are some pieces you can work with. This should configure apache to proxy /monit/ to the local monit server on port 2812. Monit authenticates the apache requests by means of a client certificate, which has to be created and maintained. Apache authenticates the user by checking for a valid ispconfig login session, so you can only view /monit/ when you are logged in to ispconfig.

    In monit config, you'll need something like:
    set httpd port 2812 and
        use address localhost
        ssl enable
        pemfile /etc/ssl/private/monit.pem
        clientpemfile /etc/ssl/private/monit-clientpemfile.pem
        allow localhost
    set ssl {
        verify     : enable,
        selfsigned : allow    # slave servers are using self-signed certs for monit
    The monit related certificate files are maintained in some other scripts, but the relevant pieces are:
    LE_DIR=/etc/letsencrypt/live/$(hostname -f)
    function get_issuer_certs() {
      for F in ${@}
        if [ -f ${F} ]; then
          echo -n "${F} "
          F_HASH=$(${OPENSSL} x509 -hash -noout -in ${F})
          F_ISSUER_HASH=$(${OPENSSL} x509 -issuer_hash -noout -in ${F})
          if [ "${F_HASH}" != "${F_ISSUER_HASH}" ]; then
            get_issuer_certs ${F_ISSUER_HASH}
        elif [ -f /etc/ssl/certs/${F}.0 ]; then
          get_issuer_certs /etc/ssl/certs/${F}.*
          echo "get_issuer_certs: unknown input: ${F}" 1>&2
    LE_ISSUER_HASH=$(${OPENSSL} x509 -issuer_hash -noout -in ${LE_CHAIN})
    LE_ISSUER_CERTS=$(get_issuer_certs ${LE_ISSUER_HASH})
    # copies/formats the letsencrypt files for monit
    function setup_cert_monit() {
      # this is the certificate used by monit httpd
      cat ${LE_KEY} ${LE_FULLCHAIN} > ${MONIT_CERT}
      ${OPENSSL} dhparam 1024 >> ${MONIT_CERT} 2>/dev/null
      chown root:root ${MONIT_CERT}
      chmod 600 ${MONIT_CERT}
      # this is the pemfile to verify clients, both apache and monit cli
      ${OPENSSL} rsa -in ${LE_KEY} -out ${MONIT_CLIENTPEMFILE}.key 2>&1 | grep -v 'writing RSA key' 1>&2
      rm -f ${MONIT_CLIENTPEMFILE}.key
      chown root:root ${MONIT_CLIENTPEMFILE}
      chmod 600 ${MONIT_CLIENTPEMFILE}
    Something then should run whenever the letsencrypt certificate for the server is updated to rebuild this and restart monit (there are many ways, @ahrasis has a commonly referenced howto/script which could be modified to do it, or I have posted some which check the certificate in use and restart services if needed, or you could probably just create a little certbot hook which does it right when the certificate is updated).

    To be continued.... (can't put this all in one post here, 10k character limit)
    ahrasis likes this.
  6. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    The last piece (unless I overlooked something :) is the apache setup. I'll just cut & paste that section from the tutorial document and try to clean up formatting, though sometimes things don't just paste from one wysiwyg to the next, so if something seems weird/wrong just holler and I can paste from the original source files, etc.:

    We will setup a proxy connection for /monit to the local monit server.

    Disable forward proxies
    First secure the proxy config so forward proxies won't run; create /etc/apache2/conf-available/proxyrequests.conf with:
    <IfModule mod_proxy.c>
        ProxyRequests Off
    /monit config
    Now the /monit proxy configuration. There is a nice config for a /monit proxy in a virtual host at which this is loosely based on, but we change from the default monit username/password authentication to certificate based authentication, and add session checking so that you must be logged into ISPConfig in order to view /monit.

    Note this config includes your ispconfig mysql password, which can be found in /usr/local/ispconfig/server/lib/
    grep -E '^\$conf\[.db_(database|user|password)' /usr/local/ispconfig/server/lib/
    Save as /etc/apache2/conf-available/ispconfig-monit.conf and change YOUR_DB_PASSWORD:
    # conf-available/ispconfig-monit.conf: configures /monit proxy to local monit server.
    # this file is included by the ISPConfig vhost,
    # it is not intended to be enabled globally (do not a2enconf this file)
    <IfModule mod_dbd.c>
      <IfModule mod_authz_dbd.c>
        # mod_dbd configuration
        DBDriver mysql
        DBDParams "dbname=dbispconfig user=ispconfig pass=YOUR_DB_PASSWORD"
        DBDMin 4
        DBDKeep 8
        DBDMax 20
        DBDExptime 300
        <IfModule mod_setenvif.c>
          SetEnvIf Cookie "PHPSESSID=([^ ;]+)" phpsessid=$1
        <IfModule mod_proxy_http.c>
          ProxyMaxForwards 5
          SSLProxyEngine On
          SSLProxyMachineCertificateFile "/etc/ssl/private/apache-proxymachine.pem"
          SSLProxyCACertificateFile "/etc/ssl/private/apache-proxymachine.pem"
          <Location /monit>
            ProxyPass ""
            ProxyPassReverse ""
            ProxyPreserveHost On
            ProxyPassReverseCookiePath "/" "/monit/"
            <IfModule mod_auth_env.c>
              AuthType Env
              AuthEnvUser phpsessid
              Require env phpsessid
              Require dbd-group monit
            AuthzDBDQuery "SELECT 'monit' FROM sys_session WHERE session_id = %s and session_data like '%%monitor/show_monit.php%%'"
            <IfModule mod_headers.c>
              Header set Cache-Control "no-cache, no-store, max-age=0, must-revalidate"
              Header set Pragma no-cache
              Header set Expires 0
    This configuration uses authz_dbd to check the session to see if it is currently logged into ISPConfig and allowed to view monit, and it requires mod_auth_env, which is not currently available as a debian package, so download, compile and install it:

    apt-get install apache2-dev
    my_tmp=`mktemp -d`
    pushd $my_tmp
    cd mod_auth_env-master/
    debian/rules binary
    cd ..
    dpkg -i libapache2-mod-auth-env*.deb 
    rm -r $my_tmp
    ProxyMachine certificate
    The proxy config also specifies a certificate (/etc/ssl/private/apache-proxymachine.pem) used to authenticate apache to monit, so we'll need to generate that. Save as /usr/local/sbin/

    umask 077
    LE_CERT="/etc/letsencrypt/live/`hostname -f`/cert.pem"
    LE_CHAIN="/etc/letsencrypt/live/`hostname -f`/chain.pem"
    LE_FULLCHAIN="/etc/letsencrypt/live/`hostname -f`/fullchain.pem"
    LE_KEY="/etc/letsencrypt/live/`hostname -f`/privkey.pem"
    TMP_CRT="`mktemp ${APACHE_PEM}-crt.XXXXXXX`"
    TMP_KEY="`mktemp ${APACHE_PEM}-key.XXXXXXX`"
    if [ ! -f ${TMP_KEY} -o ! -f ${TMP_CRT} ]
      echo "unable to create tmp files to generate new key/certificate" 1>&2
      exit 1
    O=`hostname -d`
    CN=`hostname -f`
    openssl req -x509 -days 400 -nodes -newkey rsa:2048 -keyout ${TMP_KEY} -out ${TMP_CRT} -subj ${SUBJ} 2>/dev/null
    # Apache needs rsa key then crt
    openssl rsa -in ${TMP_KEY} -out ${APACHE_PEM} 2>/dev/null
    cat ${TMP_CRT} >> ${APACHE_PEM}
    # Monit clientpemfile needs crt for apache and crt chain for monit cli
    if [ -f ${LE_KEY} -a -f ${LE_FULLCHAIN} ]
    function get_issuer_certs() {
      for F in ${@}
        if [ -f ${F} ]; then
          echo -n "${F} "
          F_HASH=`openssl x509 -hash -noout -in ${F}`
          F_ISSUER_HASH=`openssl x509 -issuer_hash -noout -in ${F}`
          if [ "${F_HASH}" != "${F_ISSUER_HASH}" ]; then
            get_issuer_certs ${F_ISSUER_HASH}
        elif [ -f ${CERTS}/${F}.0 ]; then
          get_issuer_certs ${CERTS}/${F}.*
          echo "get_issuer_certs: unknown input: ${F}" 1>&2
    if [ -f ${LE_CHAIN} ]
      cat `get_issuer_certs ${LE_CHAIN}` >> ${MONIT_CLIENTPEM}
    chown root:root ${APACHE_PEM} ${MONIT_CLIENTPEM}
    chmod 600 ${APACHE_PEM} ${MONIT_CLIENTPEM}
    rm ${TMP_CRT} ${TMP_KEY}
    Enable and reload
    Now set file permissions, enable our apache config and modules, and run that script to generate the certificate:
    chown root:root /etc/apache2/conf-available/ispconfig-monit.conf
    chmod 640 /etc/apache2/conf-available/ispconfig-monit.conf
    chmod +x /usr/local/sbin/
    apt-get install libaprutil1-dbd-mysql
    a2enconf proxyrequests
    a2enmod proxy_http authz_dbd auth_env
    # note we do NOT a2enconf ispconfig-monit
    service apache2 restart
    service monit restart
    conf-custom file
    One of the first things we did in this tutorial was modify the ispconfig vhost file to include /etc/apache2/conf-available/ispconfig-*.conf files, but that needs to be made permanent:
    wget -O /usr/local/ispconfig/server/conf-custom/apache_ispconfig.vhost.master
    sed -i -e "/ServerAdmin/a\\ 
      ServerName `hostname -f`\\
      IncludeOptional conf-available/ispconfig-*.conf" /usr/local/ispconfig/server/conf-custom/apache_ispconfig.vhost.master
    ISPConfig configuration
    Now apache and monit should be ready, the only thing remaining is to set the monit url in ISPConfig. Under System > Server Config > {} set the Monit URL to: https://[SERVERNAME]/monit/ (leave the literal [SERVERNAME] placeholder). The Monit user and password should be empty.

    That should be everything, wait a couple minutes since monit was just restarted, then head over to Monitor > Monit and it should be working.

    Note from the original tutorial you would have already run something like this, but is missing here:
    sed -i -e "/ServerAdmin/a\\ 
      ServerName `hostname -f`\\
      IncludeOptional conf-available/ispconfig-*.conf" /etc/apache2/sites-available/ispconfig.vhost
    service apache2 restart
    ahrasis likes this.
  7. Thibaut

    Thibaut New Member

    Thank you very much @Jesse Norell !
    Since the operation is a little complex, I'll follow those instructions as soon as I can and will report back on how it went for me.
  8. francoisPE

    francoisPE Active Member HowtoForge Supporter

    As Thibault said, that is quite complex ! I failed in #5 as I don't understand where to implement "ssl script".
    Is there something simplified with ispconfig 3.2 ?
  9. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    No, but we are aware of the issue and looking into the best fix - there is some code that might work, otherwise, we will probably remove the function from ISPConfig.
    See aswell.
  10. francoisPE

    francoisPE Active Member HowtoForge Supporter

    Well done : sure you will succeed ! ISP team is so amazing :)
    as a remark : Munin is working for me. I see it in ispconfig3.2 on ubuntu 18.04 + firefox browser
    Th0m likes this.
  11. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    i believe you can do it a lot more simply. at least, i have it working on my servers, i'm using the same wildcard certificate on ispconfig and monit, with the following added to the end of/etc/apache2/apache2.conf
    Header always append X-Frame-Options SAMEORIGIN
    Header set Content-Security-Policy "frame-ancestors 'self' domain.tld"
    where domain.tld is the domain the both ispconfig and monit have their subdomains on.
    ahrasis likes this.
  12. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    I've added your note to the issue on gitlab :)
  13. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    ok, but don't take it as gospel that that's all that's needed to make it work... it was done a long time ago, when i know i had problems getting monit to display in the ispconfig control panel.

    i also have this in the apache2.conf file as well: #Header always append X-Frame-Options ALLOW
    it's a very stable server, no changes for ages, so i can't be 100% sure if apache was reloaded/restarted when changing which one of those was commented out, or even that something else was done to get it to work. but that's all that i can see looking back over all the config now, guess i should have kept notes when i was working on it... :(

    i certainly didn't do anything as complicated as jesse's instructions. definitely nothing requiring anything in conf-custom, and no changes to the monit config either.

Share This Page