Securing the web interface with HTTPS documentation

The documentation currently suggests adding the line

RequestHeader set X-Forwarded-Proto "https"

to the default VirtualHost for HTTP. Unless I’m missing something big, that is insufficient, and that header needs to be added to all HTTPS requests that are proxied to checkmk, not only HTTP requests that are rewritten. Particularly since I set HSTS headers, there aren’t many of the latter.

I caught that after following the instructions without too much thought until after looking into the failure in WATO Analyze configuration where it warns me about Secure GUI (HTTP).

It would be interesting if someone could give feedback about this. I am trying to get the “WATO Analyze configuration warns about Secure GUI (HTTP)” check to OK, but with no success.
I have all http redirected to https, but the warning is still showing :(

Hi @Mela,
did you already put the following line into your system httpd.conf file?

RequestHeader set X-Forwarded-Proto "https"

And do note that putting it just anywhere in your httpd.conf file is not sufficient. It needs to apply to the https requests in the portion of apache* being used as a reverse proxy, which generally means it is best off in the config for your https virtual host. Bottom line: the additional header needs to be applied to every request that is passed to Check_MK.

And yes, the instructions at Operating Checkmk with HTTPS are still broken.

*I can’t think of any particular reason you can’t use any reverse proxy in front of Check_MK, though apache is handy given that it’s already installed for Check_MK to use.

Hi Guys

@CFriedrich, yes, I have implemented it as described by Check_MK (Operating Checkmk with HTTPS).
The actual configuration looks like this:

[image]
I have been searching and trying different methods, and this is why I have 1 Cond and 1 Rule commented out, but with both it is the same.

The Server is being redirected to HTTPS without problems, I can’t access the http.
But the Analyze configuration is still showing a warning :(

@JonR, I am a “normal linux user” :), this is why I am not sure what you really mean… As you see, I have put the config inside the “virtualhost” section… should I do this config somewhere else/different,…

Very glad for any help
Best Regards
Mela

Alas, you didn’t paste in the line that opens the VirtualHost configuration block and indicates which virtual host it is. In any case, it is probably explicitly tied to port 80 or is the first VirtualHost configuration block reached in your configuration and is therefore the default.

Somewhere in your config files there should be a VirtualHost configuration block controlling what listens on port 443. Try putting a copy of the RequestHeader command there.

That said, Apache config files can be sliced and diced and included and set up many, many different ways, so what I say may not be completely true for your configuration. But what is probably happening is that the required header is only being added to requests that originally arrive on HTTP and are then rewritten. It is not being added on requests that originally arrive on HTTPS.
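
The placement discussed in this thread, as an added example that is not part of any post above or of the Checkmk documentation. The server name and certificate paths are placeholders, and the existing proxy configuration that passes requests to the Checkmk site is assumed to be unchanged.

```apache
# Constructed example: monitoring.example.com and the certificate paths
# are placeholders. Needs mod_headers (RequestHeader), mod_rewrite and mod_ssl.

# --- Port 80 -----------------------------------------------------------
# This block only redirects clients to HTTPS. A RequestHeader line placed
# only here is applied to requests that arrive on HTTP, so requests that
# arrive directly on HTTPS (nearly all of them once HSTS is set) are
# passed to Checkmk without the header.
<VirtualHost *:80>
    ServerName monitoring.example.com

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    # Insufficient on its own:
    # RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>

# --- Port 443 ----------------------------------------------------------
# This is the virtual host that terminates TLS and acts as the reverse
# proxy in front of Checkmk, so the header is set here and therefore on
# every request that is passed on to the site.
<VirtualHost *:443>
    ServerName monitoring.example.com

    SSLEngine on
    SSLCertificateFile    /path/to/certificate.pem
    SSLCertificateKeyFile /path/to/private-key.pem

    # Tell the proxied application that the client connection used HTTPS.
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

`apachectl -S` lists the configured virtual hosts with the file and line where each is defined, which helps find the block that actually answers on port 443. `apachectl configtest` checks the syntax before a reload.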