
Nginx Install Netdata (system monitor) on Centmin Mod with a domain

Discussion in 'Centmin Mod User Tutorials & Guides' started by EckyBrazzz, May 16, 2019.

  1. EckyBrazzz

    EckyBrazzz Active Member

    391
    73
    28
    Mar 28, 2018
    Brazil
    Ratings:
    +143
    Local Time:
    8:19 AM
    1.17.x
    10.3.x
    First a little intro about netdata. I could write it here, but today was my day off, so have a look at GitHub at netdata/netdata for a nice introduction to netdata.

    Setting it up is quite easy. This complete setup with the domain took only 15 minutes to complete, but is far from excellent.
    Code (Text):
    bash <(curl -Ss https://my-netdata.io/kickstart.sh)

    to run the default installer; just hit Y to download missing YUM packages
    and keep pressing Enter to confirm your fresh install.

    --- Check KSM (kernel memory deduper) ---

    Memory de-duplication instructions

    Your kernel has the memory de-duper (called Kernel Same-page Merging,
    or KSM) available, but it is not currently enabled.

    To enable it run:
    Code (Text):
    echo 1 >/sys/kernel/mm/ksm/run
    echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs
    

    This did not work due to a permission issue, so:
    Code (Text):
    echo 1 >/sys/kernel/mm/ksm/run
    cd /sys/kernel/mm/ksm/
    nano sleep_millisecs
    # and change the default 20 to 1000
    

    If you enable it, you will save 40-60% of netdata memory.

    --- Check version.txt ---
    --- Check apps.plugin ---
    --- Copy uninstaller ---
    --- Basic netdata instructions ---

    netdata by default listens on all IPs on port 19999, so you can access it with:
    Code (Text):
    http://yourserverip:19999/

    To stop netdata run:
    Code (Text):
    systemctl stop netdata

    To start netdata run:
    Code (Text):
    systemctl start netdata

    Uninstall script copied to: /usr/libexec/netdata-uninstaller.sh
    --- Installing new netdata-updater in cron ---
    Update script is located at /etc/cron.daily/netdata-updater

    netdata-updater works from cron. It will trigger an email from cron
    only if it fails (it should not print anything when it can update netdata).

    Go to your DNS manager and add a (sub)domain so we can install it as a normal domain in CMM

    A @ subdomain.foo.bar

    Create your (sub)domain in centmin under option 2. I used HTTPS, so the configuration below is based on that.

    At the moment our netdata is unprotected and you can access it at http://serverip:19999/

    This is far from ideal, so we want to set it up on our domain with password protection
    Code (Text):
    /usr/local/nginx/conf/htpasswd.sh create /home/nginx/domains/$vhost/htpasswd_statics user password

    Use nprestart to activate the new password.

    Well, password protection is not working at the moment. Work in progress. It worked once and afterwards gave me an error, so I disabled it.

    To get it working on a domain we edit the vhost and change it to the following.
    This is at least a little bit more secure, as port 19999 is hidden from port scanners
    Code (Text):
    #x# HTTPS-DEFAULT
     upstream backend {
        # the netdata server
        server 127.0.0.1:19999;
        keepalive 64;
    }
    
    server {
        # nginx listens to this
        listen 443 ssl http2;
    
        # the virtual host name of this
        server_name $vhost;
    
        include /usr/local/nginx/conf/ssl/$vhost/$vhost.crt.key.conf;
        include /usr/local/nginx/conf/ssl_include.conf;
    
        location / {
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://backend;
            proxy_http_version 1.1;
            proxy_pass_request_headers on;
            proxy_set_header Connection "keep-alive";
            proxy_store off;
            include /usr/local/nginx/conf/503include-only.conf;
            #limit_req zone=xwplogin burst=1 nodelay;
            #auth_basic "Private";
            #auth_basic_user_file /home/nginx/$vhost/htpasswd_statics;
            #include /usr/local/nginx/conf/php-wpsc.conf;
        }
    
      # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
      #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/$vhost/origin.crt;
      #ssl_verify_client on;
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      add_header X-Xss-Protection "1; mode=block" always;
      add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
     
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/$vhost/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/$vhost/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/$vhost/autoprotect-$vhost.conf;
      root /home/nginx/domains/$vhost/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
    #  location / {
    #  include /usr/local/nginx/conf/503include-only.conf;
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
    #  include /usr/local/nginx/conf/pre-staticfiles-local-$vhost.conf;
    #  include /usr/local/nginx/conf/pre-staticfiles-global.conf;
    #  include /usr/local/nginx/conf/staticfiles.conf;
       include /usr/local/nginx/conf/php.conf;
     
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    


    TODO LIST

    • Enable Password Protection
    • Layout of this post
    • Add on
    • Endless --> New ideas please!
    This is a quick, dirty setup to get netdata working.

    As I intend to update this post frequently, any feedback, suggestions or new add-ons are welcome. It will help other users, so please don't hesitate and POST.

    I will keep this post up to date with any feedback given in the posts below this one. So always refer back to this first post to get the latest updates for fresh installs.
     
    Last edited: May 16, 2019
  2. eva2000

    eva2000 Administrator Staff Member

    40,276
    8,926
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +13,746
    Local Time:
    9:19 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Thanks for sharing :)
    you need to change the file name to be unique, so htpasswd_wplogin has to be unique for each HTTP password on the server; if you use the same one used for WordPress protection, you will overwrite the passwords in the WordPress HTTP password protection
     
  3. EckyBrazzz
    So using
    Code (Text):
    /usr/local/nginx/conf/htpasswd.sh create /home/nginx/domains/$vhost/htpasswd_statics user password
    

    Will resolve the issue?
     
  4. eva2000
    yes, and make sure to reference the htpasswd_statics path in the location context you are protecting

    Code (Text):
        auth_basic      "Private Access";
        auth_basic_user_file /home/nginx/domains/$vhost/htpasswd_statics;
    
     
  5. EckyBrazzz
    Updated the post, but it isn't working.

    Maybe because I placed it in the wrong location
    Code (Text):
    location / {
           proxy_set_header X-Forwarded-Host $host;
           proxy_set_header X-Forwarded-Server $host;
           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_pass http://backend;
           proxy_http_version 1.1;
           proxy_pass_request_headers on;
           proxy_set_header Connection "keep-alive";
           proxy_store off;
           include /usr/local/nginx/conf/503include-only.conf;
           #limit_req zone=xwplogin burst=1 nodelay;
           auth_basic "Private Access";
           auth_basic_user_file /home/nginx/$vhost/htpasswd_statics;
           #include /usr/local/nginx/conf/php-wpsc.conf;
       }
    
    
     
  6. eva2000
    might want to place the location / context after the commented-out existing location / context; also make sure you're entering the password and not the hash generated by htpasswd.sh
     
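    Two things the replies in posts 4 and 6 point at are easy to check mechanically: the client has to send the plaintext password (the file stores a hash), and the auth_basic_user_file path in the vhost has to be the path htpasswd.sh actually wrote to, because nginx returns 403 rather than prompting when that file cannot be opened. The script below is an added example, not code from this thread, from Centmin Mod's htpasswd.sh or from nginx. It assumes htpasswd.sh writes either {SHA} (base64 SHA-1) or $apr1$ (Apache MD5 crypt) entries, both accepted by nginx's auth_basic; the htpasswd lines, the vhost fragment and the netdata.example.com domain are constructed for the example.

```python
#!/usr/bin/env python3
"""Check htpasswd credentials and vhost paths the way nginx auth_basic does.

Added example for this thread, not code from Centmin Mod's htpasswd.sh or
from nginx. Entry formats handled ({SHA} and $apr1$) are an assumption about
what htpasswd.sh emits; all sample data below is constructed.
"""
import base64
import hashlib
import hmac
import re

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """crypt(3)-style radix-64: emit `count` 6-bit groups, least significant first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def apr1_md5(password, salt):
    """Apache $apr1$ MD5-crypt: 1000 MD5 rounds over password/salt mixes."""
    pw, salt = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + b"$apr1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    for plen in range(len(pw), 0, -16):
        ctx.update(alt[: min(plen, 16)])
    i = len(pw)
    while i:  # one byte per bit of the password length: NUL or first char
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):
        ctx1 = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order)
    enc += _to64(final[11], 2)
    return f"$apr1${salt.decode()}${enc}"


def verify_entry(entry, username, password):
    """True if one 'user:hash' htpasswd line matches the given credentials."""
    user, _, stored = entry.strip().partition(":")
    if user != username:
        return False
    if stored.startswith("{SHA}"):
        digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
        return hmac.compare_digest(stored[5:], digest)
    if stored.startswith("$apr1$"):
        return hmac.compare_digest(stored, apr1_md5(password, stored.split("$")[2]))
    return False  # bcrypt and crypt(3) entries are not handled in this example


def check_credentials(htpasswd_text, username, password):
    """Scan a whole htpasswd file; comments and blank lines are ignored."""
    lines = (l for l in htpasswd_text.splitlines() if l.strip() and not l.startswith("#"))
    return any(verify_entry(l, username, password) for l in lines)


def missing_auth_files(vhost_text, existing_files):
    """auth_basic_user_file paths from active (uncommented) directives that are
    not in `existing_files`; nginx answers 403 when the file is absent."""
    paths = re.findall(r"^\s*auth_basic_user_file\s+(\S+?)\s*;", vhost_text, re.M)
    return [p for p in paths if p not in existing_files]


# Constructed sample data: 'netdata' uses the {SHA} form (the classic vector
# for "password"); 'admin' uses $apr1$ with a fixed salt.
SAMPLE_HTPASSWD = "\n".join([
    "netdata:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",
    "admin:" + apr1_md5("correct horse battery staple", "Zx3kQ9pL"),
])
# Constructed vhost fragment mirroring the mismatch seen in this thread: the
# file lives under /home/nginx/domains/<vhost>/ but is referenced without "domains/".
SAMPLE_VHOST = """\
location / {
    auth_basic "Private Access";
    auth_basic_user_file /home/nginx/netdata.example.com/htpasswd_netdata;
    #auth_basic_user_file /home/nginx/domains/netdata.example.com/htpasswd_statics;
}
"""
SAMPLE_FILES = {"/home/nginx/domains/netdata.example.com/htpasswd_netdata"}

if __name__ == "__main__":
    stored_hash = SAMPLE_HTPASSWD.splitlines()[0].split(":", 1)[1]
    print("plaintext password ->", check_credentials(SAMPLE_HTPASSWD, "netdata", "password"))
    print("hash as password   ->", check_credentials(SAMPLE_HTPASSWD, "netdata", stored_hash))
    print("missing auth files ->", missing_auth_files(SAMPLE_VHOST, SAMPLE_FILES))
```

    Run it as-is to see the plaintext password accepted, the hash string rejected, and the vhost path flagged as missing; to check a real server, replace the samples with the contents of the htpasswd file, the vhost and `os.path.exists` over the extracted paths.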
  7. EckyBrazzz
    Placed this at the top of the location. Notice I changed it to netdata. That fixed the first attempt to log in without the 403 forbidden error. And yes, the $vhost is changed to the real domain.
    Code (Text):
    location / {
          #limit_req zone=xwplogin burst=1 nodelay;
          auth_basic "Private Access";
          auth_basic_user_file /home/nginx/$vhost/htpasswd_netdata;
          #include /usr/local/nginx/conf/php-wpsc.conf;
    

    Deleted the old hash and created a new one
    Code (Text):
    /usr/local/nginx/conf/htpasswd.sh create /home/nginx/domains/$vhost/htpasswd_netdata N4t7XXXXXXXXXXXXXXeU0S19 0W1sfXXXXXXXXXXXXDVcw
    

    Of course I logged in with the user and password as above in the code, not using the hash of course. :mad:

    The first time it asked for the login and password was when the netdata page was opened. Entered the credentials and all went fine. But I wanted to bookmark it for easy access, so I used https://N4t7XXXXXXXXXXXXXXeU0S19:[email protected] as a bookmark

    After that the 403 forbidden error appeared, and even with the changes in the above posts the error remains.
     
  8. EckyBrazzz
    Just noticed that I was not running the latest update and that I'm unable to edit my first post... Too bad.
    I love to use nightly builds for testing and getting the latest new stuff, but be aware it has risks.

    So I ran the updater with
    Code (Text):
    bash <(curl -Ss https://my-netdata.io/kickstart.sh) --auto-update

    This will create a daily cronjob to keep the install up to date.
     
  9. EckyBrazzz
    Well, I followed some instructions that I found on GitHub to place it in the server part, but that also does not work; it gives the directive error.

    I remember I had this before and @eva2000 told me to use a conf file of nginx, but guess what happened, my memory can't recall that file.

    So, still struggling to set up the htpasswd on sub.domain.com that is installed as a normal domain with option . Getting error 403, which means that nginx understood it but can't handle the instruction.

    For security reasons I edit the vhost file and enable the password, and when I want to see it myself I disable it, but that's not a real-world situation, just a quick workaround
     
  10. skringjer

    skringjer Member

    58
    6
    8
    Apr 21, 2019
    Ratings:
    +8
    Local Time:
    4:19 PM
    I really am looking for a server monitoring app because I have multiple servers that I need to monitor all day. @eva2000, what do you suggest? Which is the most secure and easy to use?
     
  11. eva2000
    I use Nginx Amplify and Nixstats both much lighter weight than Netdata for server resources i.e. example of monitoring PHP-FPM stats https://community.centminmod.com/th...monitoring-with-nixstats-nginx-amplify.14024/

    strange, try changing the username/password and see if it will initially work again? tried shorter usernames/passwords?
     
  12. EckyBrazzz
    Did that already, deleted the old hash, and used a username/password that was generated with option 22 to be sure that it should work. But no go. Opened an issue on GitHub and it's on the roadmap to create a separate login page.

    So, waiting for that. I don't look at netdata every 5 minutes, so the workaround is OK for me now.
     
  13. EckyBrazzz
    Noticed you saw my post, but just to give it another try, here is my current vhost. Maybe you'll discover something strange.
    Code (Text):
    #x# HTTPS-DEFAULT
     upstream backend {
        # the netdata server
        server 127.0.0.1:19999;
        keepalive 64;
    }
    
    server {
        # nginx listens to this
        listen 443 ssl http2;
    
        # the virtual host name of this
        server_name $vhost;
    
        include /usr/local/nginx/conf/ssl/$vhost/$vhost.crt.key.conf;
        include /usr/local/nginx/conf/ssl_include.conf;
        #limit_req zone=xwplogin burst=1 nodelay;
        #auth_basic "Private Access";
        #auth_basic_user_file /home/nginx/$vhost/htpasswd_netdata;
        #include /usr/local/nginx/conf/php-wpsc.conf;
    
    
      
    
    
        location / {
            #limit_req zone=xwplogin burst=1 nodelay;
            auth_basic "Private Access";
            auth_basic_user_file /home/nginx/$vhost/htpasswd_netdata;
            #include /usr/local/nginx/conf/php-wpsc.conf;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://backend;
            proxy_http_version 1.1;
            proxy_pass_request_headers on;
            proxy_set_header Connection "keep-alive";
            proxy_store off;
      
            }
    
      # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
      #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/$vhost/origin.crt;
      #ssl_verify_client on;
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      add_header X-Xss-Protection "1; mode=block" always;
      add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
     
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/$vhost/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/$vhost/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/$vhost/autoprotect-$vhost.conf;
      root /home/nginx/domains/$vhost/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
    #  include /usr/local/nginx/conf/503include-only.conf;
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
    #  include /usr/local/nginx/conf/pre-staticfiles-local-$vhost.conf;
    #  include /usr/local/nginx/conf/pre-staticfiles-global.conf;
    #  include /usr/local/nginx/conf/staticfiles.conf;
       include /usr/local/nginx/conf/php.conf;
     
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
     
  14. eva2000
    need to move the location / context further below, ideally after the root directive
    Code (Text):
      root /home/nginx/domains/$vhost/public;


    try
    Code (Text):
    #x# HTTPS-DEFAULT
     upstream backend {
       # the netdata server
       server 127.0.0.1:19999;
       keepalive 64;
    }
    
    server {
       # nginx listens to this
       listen 443 ssl http2;
    
       # the virtual host name of this
       server_name $vhost;
    
       include /usr/local/nginx/conf/ssl/$vhost/$vhost.crt.key.conf;
       include /usr/local/nginx/conf/ssl_include.conf;
       #limit_req zone=xwplogin burst=1 nodelay;
       #auth_basic "Private Access";
       #auth_basic_user_file /home/nginx/$vhost/htpasswd_netdata;
       #include /usr/local/nginx/conf/php-wpsc.conf;
    
      # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
      #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/$vhost/origin.crt;
      #ssl_verify_client on;
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      add_header X-Xss-Protection "1; mode=block" always;
      add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
    
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/$vhost/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/$vhost/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/$vhost/autoprotect-$vhost.conf;
      root /home/nginx/domains/$vhost/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
       location / {
           #limit_req zone=xwplogin burst=1 nodelay;
           auth_basic "Private Access";
           auth_basic_user_file /home/nginx/$vhost/htpasswd_netdata;
           #include /usr/local/nginx/conf/php-wpsc.conf;
           proxy_set_header X-Forwarded-Host $host;
           proxy_set_header X-Forwarded-Server $host;
           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_pass http://backend;
           proxy_http_version 1.1;
           proxy_pass_request_headers on;
           proxy_set_header Connection "keep-alive";
           proxy_store off;
    
           }
    
    #  include /usr/local/nginx/conf/pre-staticfiles-local-$vhost.conf;
    #  include /usr/local/nginx/conf/pre-staticfiles-global.conf;
    #  include /usr/local/nginx/conf/staticfiles.conf;
       include /usr/local/nginx/conf/php.conf;
    
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
     
  15. EckyBrazzz
    No go, still 403 (private window, else the password protection won't show up the second time)
     
  16. eva2000
    so it shows up the first time?
     
  17. EckyBrazzz
    To clarify, when NOT using a private window it gives the 403 directly, hence "the second time" when using a private window.

    I remember I had the same kind of issue when regenerating the password; don't remember if I got 401 or 403. But the only way that I could resolve it was to delete the vhost and recreate it.

    Will give that a try (when time allows it)
     
  18. EckyBrazzz
    EckyBrazzz was thinking... Let's beat CMM and install it with option 22 and delete the database, all wp-content, FTP, etc.

    Result: [screenshot]


    Great, the password is working, but without JavaScript :(:(

    Edit: upstream backend not working; I can access netdata (yep, with JavaScript) directly at http://serverip:19999


    csf didn't open that port
    Code (Text):
    # Allow incoming TCP ports
    TCP_IN = "20,21,667,25,53,80,110,111,143,161,443,465,587,993,995,1110,1186,1194,2049,81,9418,30001:50011"
    
    # Allow outgoing TCP ports
    TCP_OUT = "2525,465,111,2049,1110,1194,9418,20,21,22,25,53,80,110,113,443,587,993,995,8080"
    
    # Allow incoming UDP ports
    UDP_IN = "67,68,111,2049,1110,33434:33534,20,21,53"
    
    # Allow outgoing UDP ports
    # To allow outgoing traceroute add 33434:33523 to this list
    UDP_OUT = "67,68,111,2049,1110,33434:33534,20,21,53,113,123,8080"
    


    Reinventing the wheel made [email protected] :)


    Excluding #include /usr/local/nginx/conf/staticfiles.conf; resolved the 403 error.

    Current vhost.conf
    Code (Text):
    #x# HTTPS-DEFAULT
     upstream backend {
       # the netdata server
       server 127.0.0.1:19999;
       keepalive 64;
    }
    
     server {
      listen 443 ssl http2;
      server_name s$vhost www.s$vhost;
    
      include /usr/local/nginx/conf/ssl/s$vhost/s$vhost.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
      #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/s$vhost/origin.crt;
      #ssl_verify_client on;
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      add_header X-Xss-Protection "1; mode=block" always;
      add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
     
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/s$vhost/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/s$vhost/log/error.log;
    
      #include /usr/local/nginx/conf/autoprotect/s$vhost/autoprotect-s$vhost.conf;
      root /home/nginx/domains/s$vhost/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
    
    location ~* / {
        limit_req zone=xwplogin burst=1 nodelay;
        #limit_conn xwpconlimit 30;
        auth_basic "Private";
        auth_basic_user_file /home/nginx/domains/s$vhost/htpasswd_wplogin;
        #include /usr/local/nginx/conf/php-wpsc.conf;
        include /usr/local/nginx/conf/503include-only.conf;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://backend;
        proxy_http_version 1.1;
        proxy_pass_request_headers on;
        proxy_set_header Connection "keep-alive";
        proxy_store off;
    
    
        }
    
    
    }
    
     
    Last edited: May 21, 2019
  19. EckyBrazzz
    Well, taking back the fact that I can connect on port 19999: I did some changes in the /etc/netdata config and tested with several VPNs

    Code (Text):
    [web]
            # x-frame-options response header =
            allow connections from = localhost mystaticIP
            # allow dashboard from = localhost *
    
     
  20. EckyBrazzz
    @eva2000 You marked one of my previous posts as interesting. I guess it's the part about "csf didn't open that port".

    And that part is worrying me also. I did not open port 19999 and am still able to access it.
     
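    The last three posts describe the same thing from two sides: csf never listed 19999, yet the dashboard answered directly on the server IP. That is what netdata's default binding does, it listens on all addresses, and the "allow connections from" line added in post 19 is an ACL netdata applies after it has accepted the TCP connection, so the port still shows as open to a scanner. The script below is an added example, not code from netdata, csf or Centmin Mod: it reads the [web] section of netdata.conf and the output of `ss -ltn` (both embedded as constructed samples; 203.0.113.7 stands in for "mystaticIP") and reports whether port 19999 is bound to anything other than loopback. The fix it recommends, `bind to = 127.0.0.1` in the [web] section, is netdata's own option for keeping the socket reachable only through the nginx vhost.

```python
#!/usr/bin/env python3
"""Audit whether netdata's listener is reachable beyond loopback.

Added example for this thread, not code from netdata, csf or Centmin Mod.
Inputs are the [web] section of netdata.conf and `ss -ltn` output; both are
embedded below as constructed samples.
"""
import ipaddress

NETDATA_PORT = 19999

# Constructed sample: the [web] section as edited in post 19.
SAMPLE_NETDATA_CONF = """\
[web]
        # x-frame-options response header =
        allow connections from = localhost 203.0.113.7
        # allow dashboard from = localhost *
"""

# Constructed `ss -ltn` output with netdata on its default wildcard binding.
SAMPLE_SS_DEFAULT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*
LISTEN  0       128     *:19999              *:*
LISTEN  0       128     [::]:19999           [::]:*
"""

# Constructed `ss -ltn` output after adding "bind to = 127.0.0.1" to [web].
SAMPLE_SS_LOOPBACK = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*
LISTEN  0       128     127.0.0.1:19999      0.0.0.0:*
"""


def parse_web_section(conf_text):
    """Return key -> value for the [web] section of a netdata.conf.

    The file is INI-like; keys may contain spaces ("bind to") and a leading
    '#' marks a commented-out default, which is skipped like any comment.
    """
    section, web = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section == "web" and "=" in line:
            key, value = line.split("=", 1)
            web[key.strip()] = value.strip()
    return web


def parse_listeners(ss_text):
    """Parse `ss -ltn` output into (address, port) tuples.

    Local Address:Port is the 4th column; IPv6 addresses are bracketed
    ("[::]:19999") and the IPv4 wildcard prints as "*" or "0.0.0.0".
    """
    listeners = []
    for line in ss_text.splitlines()[1:]:  # first row is the header
        cols = line.split()
        if len(cols) >= 4 and cols[0] == "LISTEN":
            addr, port = cols[3].rsplit(":", 1)
            listeners.append((addr.strip("[]"), int(port)))
    return listeners


def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; wildcards ("*", "0.0.0.0", "::") are not."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:  # "*" and anything else that is not an IP literal
        return False


def audit_netdata(conf_text, ss_text, port=NETDATA_PORT):
    """Combine config and socket state into a verdict a practitioner can act on."""
    web = parse_web_section(conf_text)
    bound = [(a, p) for a, p in parse_listeners(ss_text) if p == port]
    exposed = [(a, p) for a, p in bound if not is_loopback(a)]
    return {
        "bind_to": web.get("bind to"),  # None: netdata's default wildcard bind
        "listeners": bound,
        "exposed_listeners": exposed,
        "loopback_only": bool(bound) and not exposed,
        "acl": web.get("allow connections from", "localhost *").split(),
        # The change that keeps 19999 reachable only through the nginx vhost.
        "recommended": "[web]\n    bind to = 127.0.0.1" if exposed else None,
    }


if __name__ == "__main__":
    for label, ss in (("default bind", SAMPLE_SS_DEFAULT), ("loopback bind", SAMPLE_SS_LOOPBACK)):
        r = audit_netdata(SAMPLE_NETDATA_CONF, ss)
        print(f"{label}: loopback_only={r['loopback_only']} exposed={r['exposed_listeners']} acl={r['acl']}")
        if r["recommended"]:
            print("  add to /etc/netdata/netdata.conf and restart netdata:\n  " + r["recommended"].replace("\n", "\n  "))
```

    On a live box, feed it `cat /etc/netdata/netdata.conf` and `ss -ltn` instead of the samples; after changing the bind address, the second sample is what `ss` should show, and a scan of 19999 from outside should then see the port closed whether or not csf lists it.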
..