Recommendation for Monit UI (2812) in production?

Comments (1)

1. 

   Henning Bopp

   My preferred approach is not letting any software beside my primary HTTPd (= nginx) communicate with the outside world.

   So I always keep a reverse proxy layer between my monit and the outer world. I prefer this approach, because HTTP-Attacks are often seen in-the-wild and implementing a secure HTTPd is (in my believe) not the first target in monit-dev.

   Configuring this in nginx is straight forward (if you exclude the ssl config):

   server {
       listen 443 http2;
       server_name monit.boppy.eu;
   
       ## SSL CONFIG
       ssl_certificate             /srv/certs/monit.boppy.eu/fullchain.cer;
       ssl_certificate_key         /srv/certs/monit.boppy.eu/monit.boppy.eu.key;
   
       ssl_session_timeout         10m;
       ssl_session_cache           shared:SSL:10m;
       ssl_protocols               TLSv1.2 TLSv1.3;
       ssl_ciphers                 ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
       ssl_prefer_server_ciphers   on;
       ssl_dhparam                 /etc/nginx/params/dhparam.pem;
       ssl_ecdh_curve              secp384r1;
       ssl_session_tickets         off;
       ssl_stapling                on;
       ssl_stapling_verify         on;
       resolver                    8.8.8.8 8.8.4.4;
       resolver_timeout            5s;
       ## /SSL
   
       access_log /var/log/nginx/boppy.eu__monit__access.log main;
       error_log /var/log/nginx/boppy.eu__monit__error.log;
   
       ## Basic auth
       auth_basic           "monit";
       auth_basic_user_file /srv/assets/private/.monit.pwd;
       ## /Basic
   
       location / {
           proxy_redirect off;
           proxy_set_header Host $host;
           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header X-Forwarded-Proto $scheme;
           proxy_set_header X-Forwarded-Host $server_name;
   
           proxy_pass http://127.0.0.1:2812;
       }
   }
   

   Note: The ssl config will give you an A+ rating over at Qualys SSL Labs Test; If you want to use it, source it out as a param file to include it everywhere you need it. As SSL is free nowadays, I do never run any service without it...

   To NOT allow external logins directly to the monit interface, you want to limit the allowed hosts in monitrc

   set httpd port 2812 and
       use address 127.0.0.1 # <--- binds 127.0.0.1 instead of 0.0.0.0
       allow 127.0.0.1 # <--- only allows connection from local. So cli and any script accessing the web-api will keep working!
   

   PS: Apache also provides reverse proxy support with mod_proxy. Due to the better approach at handling connections I prefer nginx over apache and never used the module...

   • 2019-10-01T11:21:29+00:00
2. Log in to comment