httpd behind nginx proxy real-ip

Issue #1050 new
Miquel Martin created an issue

I’m trying to configure monit httpd behind nginx proxy_pass.

Is it possible to set monit httpd to get the client IP from the X-Real-IP header?

Otherwise, how would I restrict connections from some IPs?

nginx configuration:

    location / {
        proxy_set_header X-Real-IP        $remote_addr;
        proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_set_header Host             $http_host;
        proxy_set_header X-NginX-Proxy    true;

        proxy_connect_timeout       1s;
        proxy_send_timeout          30s;
        proxy_read_timeout          300s;
        send_timeout                300s;

        proxy_redirect off;
        proxy_pass http://127.0.0.1:2812/;
    }

The other problem is that the logs show the IP of the proxy, so I can't configure fail2ban to ban IPs from failed login attempts.

    $ tail -f /var/log/monit.log
    [UTC Oct 29 07:12:01] error    : HttpRequest: access denied -- client [127.0.0.1]: unknown user 'asdf'

Comments (2)

  1. Lutz Mader

    Hello Miquel Martin,
    You can restrict access to some addresses in the monit config file with the "allow" statement in the "set httpd" option. But I don't know how to handle nginx, sorry.

    Otherwise, how would I restrict connections from some IPs?

    Some additional information is available at
    https://mmonit.com/monit/documentation/monit.html#MONIT-HTTPD

    Is there a reason to use nginx?

    With regards,
    Lutz

  2. Henning Bopp

    For me, the nginx is one of the very few "edge" apps that are allowed for external connections. So every http(s) connection is always tunneled through my nginx. It simply makes it possible to have multiple services on a single port, and having a single point for logging and AAA.

    That being said, I only rely on the edge logs, never the service logs. Login and user management are done inside the nginx, while my monit instances are always non-protected (since not reachable from outside). fail2ban also only relies on the log files the edge nginx creates.

    One of my monit nginx confs is:

    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name monit.example.com;
    
        include             params/ssl;
        ssl_certificate     certs/monit.example.com/fullchain.cer;
        ssl_certificate_key certs/monit.example.com/monit.example.com.key;
    
        access_log          logs/example.com__monit__access.log main;
        error_log           logs/example.com__monit__error.log;
        # ^^ fail2ban can analyse this file
    
        auth_basic              "auth, pweeese!";
        auth_basic_user_file    pwds/basic.pwd;
        # ^^ auth is done with basic auth, but on the edge, not monit
    
        location / {
            include params/proxy_full;
            proxy_redirect off;
            proxy_pass http://127.0.0.1:2812;
            include params/header;
        }
    }
    

    The error.log will contain lines like:

    2023/04/26 09:44:25 [error] 3949691#3949691: *279590 user "non-existing" was not found in "/usr/local/openresty/nginx/conf/pwds/basic.pwd", client: 2a01::17, server: monit.example.com, request: "GET / HTTP/2.0", host: "monit.example.com"
    2023/04/26 09:45:44 [error] 3949691#3949691: *279610 user "boppy": password mismatch, client: 2a01::17, server: monit.example.com, request: "GET / HTTP/2.0", host: "monit.example.com"
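
As an added, runnable illustration of the approach in the comment above (this is not code from the thread, nor from monit, nginx or fail2ban): the nginx error.log lines shown are the only place the real client address appears, since monit.log records the proxy's 127.0.0.1, so a jail on monit.log could only ever ban the proxy itself. The Python below applies a fail2ban-style failregex to the two error.log lines from the comment plus a few constructed ones, then does the maxretry/findtime counting fail2ban would do to decide which clients to ban. The regex, the constructed log lines, the window parameters and the simplified expansion of fail2ban's `<HOST>` placeholder are all assumptions of this example.

```python
"""Offline check of a fail2ban-style filter for nginx auth_basic failures."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical failregex in fail2ban syntax (<HOST> is fail2ban's placeholder
# for the client address). Written for this example from the two error.log
# lines in the thread; it is not fail2ban's own nginx-http-auth filter.
FAILREGEX = (
    r'^\s*\[error\] \d+#\d+: \*\d+ user "[^"]*"'
    r'(?:: password mismatch| was not found in "[^"]*")'
    r', client: <HOST>, server: \S+, request: "[^"]*", host: "[^"]*"'
    r'(?:, referrer: "[^"]*")?\s*$'
)

# nginx error.log lines start with "YYYY/MM/DD HH:MM:SS "; fail2ban strips the
# timestamp itself, so this harness does the same before applying FAILREGEX.
TIMESTAMP = re.compile(r'^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (.*)$')

# Simplified <HOST> expansion: IPv4 or IPv6 literal only (assumption; fail2ban's
# real <HOST> also accepts hostnames and bracketed IPv6).
FAIL = re.compile(FAILREGEX.replace('<HOST>', r'(?P<host>[0-9A-Fa-f.:]+)'))

# Constructed sample log. The first two lines are the ones quoted in the
# thread; the rest are made up for this example.
SAMPLE_LOG = [
    '2023/04/26 09:44:25 [error] 3949691#3949691: *279590 user "non-existing" was not found in "/usr/local/openresty/nginx/conf/pwds/basic.pwd", client: 2a01::17, server: monit.example.com, request: "GET / HTTP/2.0", host: "monit.example.com"',
    '2023/04/26 09:45:44 [error] 3949691#3949691: *279610 user "boppy": password mismatch, client: 2a01::17, server: monit.example.com, request: "GET / HTTP/2.0", host: "monit.example.com"',
    # third failure from the same IPv6 client inside the findtime window
    '2023/04/26 09:46:02 [error] 3949691#3949691: *279611 user "admin": password mismatch, client: 2a01::17, server: monit.example.com, request: "GET / HTTP/2.0", host: "monit.example.com"',
    # an IPv4 client with one failure, and another two hours later (outside the default window)
    '2023/04/26 09:50:10 [error] 3949691#3949691: *279700 user "admin": password mismatch, client: 203.0.113.7, server: monit.example.com, request: "GET / HTTP/1.1", host: "monit.example.com"',
    '2023/04/26 11:55:00 [error] 3949691#3949691: *280100 user "admin": password mismatch, client: 203.0.113.7, server: monit.example.com, request: "GET / HTTP/1.1", host: "monit.example.com"',
    # an unrelated upstream error from the same IPv4 client: must not count as a login failure
    '2023/04/26 09:51:00 [error] 3949691#3949691: *279702 connect() failed (111: Connection refused) while connecting to upstream, client: 203.0.113.7, server: monit.example.com, request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:2812/", host: "monit.example.com"',
]


def parse_failure(line):
    """Return (timestamp, client_ip) for an auth-failure line, else None."""
    m = TIMESTAMP.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), '%Y/%m/%d %H:%M:%S')
    f = FAIL.match(m.group(2))
    if not f:
        return None
    return ts, f.group('host')


def hosts_to_ban(lines, maxretry=3, findtime_seconds=600):
    """Sliding-window count in the spirit of fail2ban's maxretry/findtime.

    A client is banned once it has `maxretry` failures within any
    `findtime_seconds` window. Returns the set of client addresses to ban.
    """
    findtime = timedelta(seconds=findtime_seconds)
    attempts = defaultdict(list)
    banned = set()
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue
        ts, host = hit
        # keep only failures still inside the window ending at this event
        window = [t for t in attempts[host] if ts - t <= findtime]
        window.append(ts)
        attempts[host] = window
        if len(window) >= maxretry:
            banned.add(host)
    return banned


if __name__ == '__main__':
    for line in SAMPLE_LOG:
        print(parse_failure(line))
    print('ban:', sorted(hosts_to_ban(SAMPLE_LOG)))
```

With the defaults (three failures within ten minutes) only `2a01::17` is banned; the IPv4 client's two failures are two hours apart and the upstream connection error is correctly ignored. Widening the window or lowering maxretry changes the outcome, which is the same tuning a real jail needs. For production use, drop the failregex into a fail2ban filter file and confirm it with `fail2ban-regex` against the actual error.log; fail2ban also ships a stock `nginx-http-auth` filter aimed at the same two nginx messages.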
    