tips_and_howtos:icinga_apache_ssl

I just set up a new Icinga 2 monitoring environment using zones and all the goodies. While putting it behind Apache with mod_ssl may be a trivial thing, it always costs the same overhead of browsing through it all again. So I had better write it down as a shortcut for myself and for you.

This short guide shows how to make Icinga Web 2 work with Apache using SSL encryption and redirect users from HTTP to HTTPS. I am using CentOS 7, but this should carry straight over to Red Hat 7 and, with a little effort, to other distros too.

Install mod_ssl and openssl.

yum install mod_ssl openssl

Remove ssl.conf, as we will set everything up in the icingaweb conf file. It is better to keep custom stuff in one place.

rm /etc/httpd/conf.d/ssl.conf

Put the certificates in their respective locations under /etc/pki. The icingaweb conf file then looks like this:

Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

<VirtualHost *:80>
        ServerName icinga.mydomain.com
        Redirect permanent / https://icinga.mydomain.com/
</VirtualHost>


<VirtualHost _default_:443>
        ServerName icinga.mydomain.com
        DocumentRoot "/var/www/html"
        Alias /icingaweb2 "/usr/share/icingaweb2/public"
        ErrorLog logs/ssl_error_log
        TransferLog logs/ssl_access_log
        LogLevel warn
        SSLEngine on
        SSLProtocol all -SSLv2 -SSLv3
        SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
        SSLCertificateFile /etc/pki/tls/certs/yourcert.crt
        SSLCertificateKeyFile /etc/pki/tls/private/yourkey.key
        SSLCACertificateFile /etc/pki/tls/certs/yourca.crt
        <Files ~ "\.(cgi|shtml|phtml|php3?)$">
                SSLOptions +StdEnvVars
        </Files>
        <Directory "/var/www/cgi-bin">
                SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-5]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        CustomLog logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

        <IfVersion < 2.4>
                # Forward PHP requests to FPM
                SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
                <LocationMatch "^/icingaweb2/(.*\.php)$">
                        ProxyPassMatch "fcgi://127.0.0.1:9000/usr/share/icingaweb2/public/$1"
                </LocationMatch>
        </IfVersion>

        <Directory "/usr/share/icingaweb2/public">
                Options SymLinksIfOwnerMatch
                AllowOverride None

                DirectoryIndex index.php

                <IfModule mod_authz_core.c>
                        # Apache 2.4
                        <RequireAll>
                                Require all granted
                        </RequireAll>
                </IfModule>

                <IfModule !mod_authz_core.c>
                        # Apache 2.2
                        Order allow,deny
                        Allow from all
                </IfModule>

                SetEnv ICINGAWEB_CONFIGDIR "/etc/icingaweb2"

                EnableSendfile Off

                <IfModule mod_rewrite.c>
                        RewriteEngine on
                        RewriteBase /icingaweb2/
                        RewriteCond %{REQUEST_FILENAME} -s [OR]
                        RewriteCond %{REQUEST_FILENAME} -l [OR]
                        RewriteCond %{REQUEST_FILENAME} -d
                        RewriteRule ^.*$ - [NC,L]
                        RewriteRule ^.*$ index.php [NC,L]
                </IfModule>

                <IfModule !mod_rewrite.c>
                        DirectoryIndex error_norewrite.html
                        ErrorDocument 404 /icingaweb2/error_norewrite.html
                </IfModule>

                <IfVersion >= 2.4>
                        # Forward PHP requests to FPM
                        SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
                        <FilesMatch "\.php$">
                                SetHandler "proxy:fcgi://127.0.0.1:9000"
                                ErrorDocument 503 /icingaweb2/error_unavailable.html
                        </FilesMatch>
                </IfVersion>
        </Directory>
</VirtualHost>
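
The vhost above keeps TLS 1.0 and 1.1 enabled and explicitly permits 3DES. The fragment below is an added example, not part of the original guide: a tighter replacement for those two directives, plus an HSTS header to back up the port-80 redirect. It assumes httpd 2.4 built against OpenSSL 1.0.1 or later, mod_headers loaded, and that every client of this host can speak TLS 1.2.

```apache
# Added example, not from the original guide.

# --- As configured on this page ---
#   SSLProtocol all -SSLv2 -SSLv3
#       -> TLS 1.0 and TLS 1.1 are still accepted
#   SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
#       -> 3DES (64-bit block cipher) is explicitly allowed

# --- Tightened replacement, placed inside <VirtualHost _default_:443> ---

        # Accept TLS 1.2 only. On builds with TLS 1.3 support
        # (httpd 2.4.37+ with OpenSSL 1.1.1) append +TLSv1.3.
        SSLProtocol -all +TLSv1.2

        # Forward-secret AEAD suites only; no 3DES, no CBC, no static RSA.
        SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384

        # Use the server's order from the list above, not the client's.
        SSLHonorCipherOrder on

        # HSTS: a browser that has seen this header goes straight to
        # https:// on later visits instead of making a plaintext request
        # to the port-80 redirect first. max-age is in seconds (one year,
        # an assumed value; start lower while testing).
        <IfModule mod_headers.c>
                Header always set Strict-Transport-Security "max-age=31536000"
        </IfModule>
```

Agents or scripts that talk to this vhost with an old TLS stack will fail the handshake after this change, so check ssl_error_log after the restart.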

Check the config, restart Apache and test with your browser at https://icinga.yourdomain.com/icingaweb2

apachectl configtest
apachectl restart

All comments and corrections are welcome.

  • Last modified: 2021/10/24 13:51