Pnp4nagios graphs in distribututed monitoring not shown - strict-origin-when-cross-origin

Troubleshooting
1

Hello

I have 3 check_mk sites setup - one “overview” site, plus one server for each physical site.

I generally use the “overview” site for monitoring, configuration, etc.

I am not able to view the graphs of the remote site. Chrome is giving me “Content is blocked” error, and debug tools tell me it’s hitting the CSP policy " Referrer Policy: strict-origin-when-cross-origin".

There are old topics that discuss updating the pnp4nagios graph URL in multisite.mk, but the referenced files are empty, having been configured with WATO.

I was considering modifying the apache configuration to allow the CSP, but assumed any changes would get overwritten next time I update CMK.

Any direction on how to address?

Thanks!

2

First step is to check the defined “URL prefix” inside your definition of the distributed sites.
This should a relative prefix like “/worker1/”.
If you have done this you also need a reverse proxy / rewrite configuration inside your system Apache.
It is needed that your Apache knows how to handle the /worker1/ prefix.

This is the link to the manual article.

3

Thanks for the reference! The reverse proxy part hadn’t been setup.

I am having difficulty setting up the reverse proxy - either it doesn’t work (404) or the browser gets stuck in a redirection loop.

mod_proxy and mod_rewrite are both enabled, and based on the redirection loop experience - I know the config file is getting read, but I’m missing something here.

Following the 1.6 documentation, the proxy config reads:

<Location /prod_east>
        Options +FollowSymLinks
        RewriteEngine On
        RewriteRule ^/./prod_east/(.*) http://site-east.domain.com/prod_east/$1 [P]
</Location>

and I get 404 errors when browsing to /prod_east/, or when trying to load the graph.

Following the 1.6 documentation (as well as another forum post (can’t link, I’m too new to post more than 2 links)), my proxy configuration is:

<Location /prod_east>
        Options +FollowSymLinks
        RewriteEngine On
        RewriteRule ^/.+/prod_east/(.*) http://site-east.domain.com/prod_east/$1 [P]
</Location>

and Chrome generates an error of ERR_TOO_MANY_REDIRECTS

Thanks again for your help,

Tim

4

If you get too many redirects it looks more like your Apache is also serving the domain “site-east.domain.com
What i test in such a setup is the following.

Only if this works i continue with the config of the slave connection inside WATO.
There are many possible approaches for the configuration of your Apache.

Most examples i find are like the ones you posted.

<Location /remotesite>
  Options +FollowSymLinks
  RewriteEngine On
  RewriteRule ^/.+/remotesite/(.*) http://remoteip/remotesite/$1 [P]
  RewriteRule ^/.+/remotesite http://remoteip/remotesite [P]
</Location>

or

ProxyPass "/foo" "http://foo.example.com/bar"
ProxyPassReverse "/foo" "http://foo.example.com/bar"

This should also work if i remember correctly.
If you follow the Apache documentation, the ProxyPass is the better and preferred way :wink:

5

Hmm, interesting. I don’t think it is serving for site-east.domain.com. Specifying the IP in the rewrite rules yields the same redirection error.

Regarding your setup steps… I’m certainly hung up at the 2nd bullet point. I am not able to load remote_site from master.

I had been familiar with using ProxyPass in other applications, but was trying to be as close to the documentation.

Thanks for validating that I’m not doing something obviously incorrect. I’ll keep exploring…

6

Got this figured out this morning. The root issue is that HTTPS redirect was enabled at the east site. By disabling this redirection, ProxyPass started working.

The follow-on change was using ProxyPass over HTTPS, which was achieved with the following configuration:

user@master:/etc/apache2/conf-enabled# cat multisite_proxy.conf
SSLProxyEngine on
SSLProxyVerify off
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off

<Location /prod_east>
        ProxyPass https://east.domain.com/prod_east
        ProxyPassReverse https://east.domain.com/prod_east
</Location>
7

Ok HTTPS is complete different problem for proxy connections :smiley:
As this was not in the first question/error i only wrote the HTTP solution.
Nice that it is working now.

8

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed. Contact @fayepal if you think this should be re-opened.