archive
/
netdata_netdata
mirror of https://github.com/netdata/netdata.git
0
0
Fork 0
Code Issues Projects Releases Wiki Activity
netdata_netdata/docs/Running-behind-haproxy.md

298 lines
8.2 KiB
Markdown
Raw Permalink Blame History

<!--
title: "Netdata via HAProxy"
custom_edit_url: "https://github.com/netdata/netdata/edit/master/docs/Running-behind-haproxy.md"
sidebar_label: "Netdata via HAProxy"
learn_status: "Published"
learn_topic_type: "Tasks"
learn_rel_path: "Configuration/Secure your nodes"
-->
# Netdata via HAProxy
> HAProxy is a free, very fast and reliable solution offering high availability, load balancing,
> and proxying for TCP and HTTP-based applications. It is particularly suited for very high traffic websites
> and powers quite a number of the world's most visited ones.
If Netdata is running on a host running HAProxy, rather than connecting to Netdata from a port number, a domain name can
be pointed at HAProxy, and HAProxy can redirect connections to the Netdata port. This can make it possible to connect to
Netdata at `https://example.com` or `https://example.com/netdata/`, which is a much nicer experience then
`http://example.com:19999`.
To proxy requests from [HAProxy](https://github.com/haproxy/haproxy) to Netdata,
the following configuration can be used:
## Default Configuration
For all examples, set the mode to `http`
```conf
defaults
mode http
```
## Simple Configuration
A simple example where the base URL, say `http://example.com`, is used with no subpath:
### Frontend
Create a frontend to receive the request.
```conf
frontend http_frontend
## HTTP ipv4 and ipv6 on all ips ##
bind :::80 v4v6
default_backend netdata_backend
```
### Backend
Create the Netdata backend which will send requests to port `19999`.
```conf
backend netdata_backend
option forwardfor
server netdata_local 127.0.0.1:19999
http-request set-header Host %[src]
http-request set-header X-Forwarded-For %[src]
http-request set-header X-Forwarded-Port %[dst_port]
http-request set-header Connection "keep-alive"
```
## Configuration with subpath
An example where the base URL is used with a subpath `/netdata/`:
### Frontend
To use a subpath, create an ACL, which will set a variable based on the subpath.
```conf
frontend http_frontend
## HTTP ipv4 and ipv6 on all ips ##
bind :::80 v4v6
# URL begins with /netdata
acl is_netdata url_beg /netdata
# if trailing slash is missing, redirect to /netdata/
http-request redirect scheme https drop-query append-slash if is_netdata ! { path_beg /netdata/ }
## Backends ##
use_backend netdata_backend if is_netdata
# Other requests go here (optional)
# put netdata_backend here if no others are used
default_backend www_backend
```
### Backend
Same as simple example, except remove `/netdata/` with regex.
```conf
backend netdata_backend
option forwardfor
server netdata_local 127.0.0.1:19999
http-request set-path %[path,regsub(^/netdata/,/)]
http-request set-header Host %[src]
http-request set-header X-Forwarded-For %[src]
http-request set-header X-Forwarded-Port %[dst_port]
http-request set-header Connection "keep-alive"
```
## Using TLS communication
TLS can be used by adding port `443` and a cert to the frontend.
This example will only use Netdata if host matches example.com (replace with your domain).
### Frontend
This frontend uses a certificate list.
```conf
frontend https_frontend
## HTTP ##
bind :::80 v4v6
# Redirect all HTTP traffic to HTTPS with 301 redirect
redirect scheme https code 301 if !{ ssl_fc }
## HTTPS ##
# Bind to all v4/v6 addresses, use a list of certs in file
bind :::443 v4v6 ssl crt-list /etc/letsencrypt/certslist.txt
## ACL ##
# Optionally check host for Netdata
acl is_example_host hdr_sub(host) -i example.com
## Backends ##
use_backend netdata_backend if is_example_host
# Other requests go here (optional)
default_backend www_backend
```
In the cert list file place a mapping from a certificate file to the domain used:
`/etc/letsencrypt/certslist.txt`:
```txt
example.com /etc/letsencrypt/live/example.com/example.com.pem
```
The file `/etc/letsencrypt/live/example.com/example.com.pem` should contain the key and
certificate (in that order) concatenated into a `.pem` file.:
```sh
cat /etc/letsencrypt/live/example.com/fullchain.pem \
/etc/letsencrypt/live/example.com/privkey.pem > \
/etc/letsencrypt/live/example.com/example.com.pem
```
### Backend
Same as simple, except set protocol `https`.
```conf
backend netdata_backend
option forwardfor
server netdata_local 127.0.0.1:19999
http-request add-header X-Forwarded-Proto https
http-request set-header Host %[src]
http-request set-header X-Forwarded-For %[src]
http-request set-header X-Forwarded-Port %[dst_port]
http-request set-header Connection "keep-alive"
```
## Enable authentication
To use basic HTTP Authentication, create an authentication list:
```conf
# HTTP Auth
userlist basic-auth-list
group is-admin
# Plaintext password
user admin password passwordhere groups is-admin
```
You can create a hashed password using the `mkpassword` utility.
```sh
printf "passwordhere" | mkpasswd --stdin --method=sha-256
$5$l7Gk0VPIpKO$f5iEcxvjfdF11khw.utzSKqP7W.0oq8wX9nJwPLwzy1
```
Replace `passwordhere` with hash:
```conf
user admin password $5$l7Gk0VPIpKO$f5iEcxvjfdF11khw.utzSKqP7W.0oq8wX9nJwPLwzy1 groups is-admin
```
Now add at the top of the backend:
```conf
acl devops-auth http_auth_group(basic-auth-list) is-admin
http-request auth realm netdata_local unless devops-auth
```
## Full Example
Full example configuration with HTTP auth over TLS with subpath:
```conf
global
maxconn 20000
log /dev/log local0
log /dev/log local1 notice
user haproxy
group haproxy
pidfile /run/haproxy.pid
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
daemon
tune.ssl.default-dh-param 4096 # Max size of DHE key
# Default ciphers to use on SSL-enabled listening sockets.
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend https_frontend
## HTTP ##
bind :::80 v4v6
# Redirect all HTTP traffic to HTTPS with 301 redirect
redirect scheme https code 301 if !{ ssl_fc }
## HTTPS ##
# Bind to all v4/v6 addresses, use a list of certs in file
bind :::443 v4v6 ssl crt-list /etc/letsencrypt/certslist.txt
## ACL ##
# Optionally check host for Netdata
acl is_example_host hdr_sub(host) -i example.com
acl is_netdata url_beg /netdata
http-request redirect scheme https drop-query append-slash if is_netdata ! { path_beg /netdata/ }
## Backends ##
use_backend netdata_backend if is_example_host is_netdata
default_backend www_backend
# HTTP Auth
userlist basic-auth-list
group is-admin
# Hashed password
user admin password $5$l7Gk0VPIpKO$f5iEcxvjfdF11khw.utzSKqP7W.0oq8wX9nJwPLwzy1 groups is-admin
## Default server(s) (optional)##
backend www_backend
mode http
balance roundrobin
timeout connect 5s
timeout server 30s
timeout queue 30s
http-request add-header 'X-Forwarded-Proto: https'
server other_server 111.111.111.111:80 check
backend netdata_backend
acl devops-auth http_auth_group(basic-auth-list) is-admin
http-request auth realm netdata_local unless devops-auth
option forwardfor
server netdata_local 127.0.0.1:19999
http-request set-path %[path,regsub(^/netdata/,/)]
http-request add-header X-Forwarded-Proto https
http-request set-header Host %[src]
http-request set-header X-Forwarded-For %[src]
http-request set-header X-Forwarded-Port %[dst_port]
http-request set-header Connection "keep-alive"
```
Reference in New Issue View Git Blame Copy Permalink