Recommendation for Monit UI (2812) in production?

Issue #849 new
Former user created an issue

Not sure if this is right place to ask a question.

Are there any recommendations for using Monit UI on a production server? Are there any authentication approaches other than password?


  1. Henning Bopp

    My preferred approach is not letting any software besides my primary HTTPd (= nginx) communicate with the outside world.

    So I always keep a reverse proxy layer between my monit and the outer world. I prefer this approach because HTTP attacks are often seen in the wild and implementing a secure HTTPd is (in my belief) not the first target in monit-dev.

    Configuring this in nginx is straightforward (if you exclude the SSL config):

    server {
        listen 443 ssl http2;   # 'ssl' is required here, otherwise the ssl_* directives below are never applied
        server_name monit.boppy.eu;
    
        ## SSL CONFIG
        ssl_certificate             /srv/certs/monit.boppy.eu/fullchain.cer;
        ssl_certificate_key         /srv/certs/monit.boppy.eu/monit.boppy.eu.key;
    
        ssl_session_timeout         10m;
        ssl_session_cache           shared:SSL:10m;
        ssl_protocols               TLSv1.2 TLSv1.3;
        ssl_ciphers                 ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
        ssl_prefer_server_ciphers   on;
        ssl_dhparam                 /etc/nginx/params/dhparam.pem;
        ssl_ecdh_curve              secp384r1;
        ssl_session_tickets         off;
        ssl_stapling                on;
        ssl_stapling_verify         on;
        resolver                    8.8.8.8 8.8.4.4;
        resolver_timeout            5s;
        ## /SSL
    
        access_log /var/log/nginx/boppy.eu__monit__access.log main;
        error_log /var/log/nginx/boppy.eu__monit__error.log;
    
        ## Basic auth
        auth_basic           "monit";
        auth_basic_user_file /srv/assets/private/.monit.pwd;
        ## /Basic
    
        location / {
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host $server_name;
    
            proxy_pass http://127.0.0.1:2812;
        }
    }
    

    Note: The SSL config will give you an A+ rating over at the Qualys SSL Labs test; if you want to use it, source it out into a param file to include it everywhere you need it. As SSL is free nowadays, I never run any service without it...

    To NOT allow external logins directly to the monit interface, you want to limit the allowed hosts in monitrc:

    set httpd port 2812 and
        use address 127.0.0.1 # <--- binds 127.0.0.1 instead of 0.0.0.0
        allow 127.0.0.1 # <--- only allows connection from local. So cli and any script accessing the web-api will keep working!
    

    PS: Apache also provides reverse proxy support with mod_proxy. Because of its better approach to handling connections I prefer nginx over Apache and have never used the module...
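A configuration audit in the spirit of the comment above, added here as an example and not part of the thread or of the Monit project: it parses an nginx server block and a monitrc `set httpd` stanza and reports where they deviate from the pattern described (TLS terminated by nginx, basic auth in front of monit, proxying only to a loopback address, monit bound to and allowing only 127.0.0.1). The sample configurations, paths and host names are constructed placeholders, and the credential-vs-host heuristic for `allow` entries is an assumption of this script, not monit's parser.

```python
import re
from ipaddress import ip_address

# Constructed sample configurations (not copied from the thread): a hardened
# nginx server block and monitrc stanza following the comment's advice, and a
# weak pair for contrast. Paths and host names are placeholders.
NGINX_HARDENED = """
server {
    listen 443 ssl http2;
    server_name monit.example.test;
    ssl_certificate     /etc/ssl/monit/fullchain.pem;
    ssl_certificate_key /etc/ssl/monit/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    auth_basic           "monit";
    auth_basic_user_file /etc/nginx/monit.htpasswd;
    location / {
        proxy_pass http://127.0.0.1:2812;
    }
}
"""

NGINX_WEAK = """
server {
    listen 443 http2;   # missing 'ssl': nginx speaks plaintext on 443
    server_name monit.example.test;
    ssl_certificate     /etc/ssl/monit/fullchain.pem;
    ssl_certificate_key /etc/ssl/monit/privkey.pem;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    location / {
        proxy_pass http://10.0.0.5:2812;   # monit exposed on a LAN address
    }
}
"""

MONITRC_HARDENED = """
set httpd port 2812 and
    use address 127.0.0.1
    allow 127.0.0.1
"""

MONITRC_WEAK = """
set httpd port 2812 and
    allow 0.0.0.0/0.0.0.0
"""

# 'name value;' directives; block openers ('server {') never match because '{' is excluded.
DIRECTIVE_RE = re.compile(r"([A-Za-z_]+)\s+([^;{}]*?)\s*;")


def strip_comments(text):
    """Drop '#' comments; both nginx and monitrc use them."""
    return re.sub(r"#.*", "", text)


def nginx_directives(text):
    """Return (name, value) pairs for every directive, ignoring block nesting."""
    return DIRECTIVE_RE.findall(strip_comments(text))


def is_loopback(host):
    if host == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def audit_nginx(text):
    """Findings for a proxy server block; an empty list means it matches the hardened pattern."""
    findings, values = [], {}
    for name, value in nginx_directives(text):
        values.setdefault(name, []).append(value)
        if name == "listen" and "ssl" not in value.split():
            findings.append(f"listen {value}: no 'ssl' parameter, the ssl_* directives are never applied")
        if name == "ssl_protocols":
            old = [p for p in value.split() if p in ("SSLv3", "TLSv1", "TLSv1.1")]
            if old:
                findings.append(f"ssl_protocols enables deprecated {' '.join(old)}")
        if name == "proxy_pass":
            m = re.match(r"https?://([^/:]+)", value)
            if not is_loopback(m.group(1) if m else value):
                findings.append(f"proxy_pass {value}: upstream is not a loopback address")
    auth = [v.strip("\"'") for v in values.get("auth_basic", [])]
    if not auth or "off" in auth:
        findings.append("no auth_basic: the proxy adds no authentication in front of monit")
    if "auth_basic_user_file" not in values:
        findings.append("no auth_basic_user_file: basic auth has no credential store")
    return findings


def parse_monit_httpd(text):
    """Extract port, bind address and allow entries from the 'set httpd' stanza, or None."""
    m = re.search(r"\bset\s+httpd\b(.*?)(?=\n\s*set\s|\Z)", strip_comments(text), re.S)
    if not m:
        return None
    stanza = m.group(1)
    port = re.search(r"\bport\s+(\d+)", stanza)
    addr = re.search(r"\buse\s+address\s+(\S+)", stanza)
    return {"port": int(port.group(1)) if port else None,
            "address": addr.group(1) if addr else None,
            "allow": re.findall(r"\ballow\s+(\S+)", stanza)}


def allow_host(entry):
    """Host/network part of an allow entry, or None for a user:password credential (heuristic)."""
    if ":" in entry and not re.fullmatch(r"[0-9A-Fa-f:.]+(/\S+)?", entry):
        return None
    return entry.split("/")[0]


def audit_monit(text):
    """Findings for the monit httpd stanza; empty list means loopback-only bind and allow list."""
    httpd = parse_monit_httpd(text)
    if httpd is None:
        return ["no 'set httpd' stanza found"]
    findings = []
    if httpd["address"] is None or not is_loopback(httpd["address"]):
        findings.append(f"httpd binds {httpd['address'] or 'all interfaces'}, not 127.0.0.1")
    for entry in httpd["allow"]:
        host = allow_host(entry)
        if host is not None and not is_loopback(host):
            findings.append(f"allow {entry}: permits non-local clients")
    return findings


if __name__ == "__main__":
    for label, found in (("nginx", audit_nginx(NGINX_WEAK)), ("monitrc", audit_monit(MONITRC_WEAK))):
        print(label, "findings:", *found, sep="\n  ")
```

Run against the weak samples the script lists five nginx findings (plaintext listen, deprecated protocols, non-loopback upstream, no basic auth, no credential file) and two monitrc findings (bind on all interfaces, allow for any client); the hardened samples produce none. Pointing `audit_nginx` at your own server block and `audit_monit` at your monitrc gives a quick check that the reverse-proxy setup above is actually in force.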
