INSTALL NETDATA (SYSTEM MONITOR) ON CMM WITH A DOMAIN

Discussion in 'Add Ons' started by EckyBrazzz, May 16, 2019 at 10:18 AM.

  1. EckyBrazzz

    EckyBrazzz Active Member

    230
    40
    28
    Mar 28, 2018
    Brazil
    Ratings:
    +78
    Local Time:
    1:33 PM
    1.15.x
    10.3.x
    First a little intro about netdata. I could write it here, but today was my day off, so have a look at the GitHub repository at netdata/netdata for a nice introduction to netdata.

    To set it up is quite easy. This complete setup with the domain took only 15 minutes to complete, but it is far from excellent.
    Code (Text):
    bash <(curl -Ss https://my-netdata.io/kickstart.sh)

    to run the default installer; just hit Y to download missing YUM packages
    and keep pressing Enter to confirm your fresh install.

    --- Check KSM (kernel memory deduper) ---

    Memory de-duplication instructions

    If have kernel has memory de-duper (called Kernel Same-page Merging,
    or KSM) available, but it is not currently enabled.

    To enable it run:
    Code (Text):
    echo 1 >/sys/kernel/mm/ksm/run
    echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs


    This did not work due to a permission issue, so:
    Code (Text):
    echo 1 >/sys/kernel/mm/ksm/run
    cd /sys/kernel/mm/ksm/
    nano sleep_millisecs
    # and change the default 20 to 1000
    

    If you enable it, you will save 40-60% of netdata memory.

    --- Check version.txt ---
    --- Check apps.plugin ---
    --- Copy uninstaller ---
    --- Basic netdata instructions ---

    netdata by default listens on all IPs on port 19999, so you can access it with:
    Code (Text):
    http://yourserverip:19999/

    To stop netdata run:
    Code (Text):
    systemctl stop netdata

    To start netdata run:
    Code (Text):
    systemctl start netdata

    Uninstall script copied to: /usr/libexec/netdata-uninstaller.sh
    --- Installing new netdata-updater in cron ---
    Update script is located at /etc/cron.daily/netdata-updater

    netdata-updater works from cron. It will trigger an email from cron
    only if it fails (it should not print anything when it can update netdata).

    Go to your DNS manager and add a (sub)domain so we can install it as a normal domain in CMM.

    A @ subdomain.foo.bar

    Create your (sub)domain in centmin under option 2. I used HTTPS, so the configuration below is based on that.

    At the moment our netdata is unprotected and you can access it at http://serverip:19999/.

    This is far from ideal, so we want to set it up on our domain with password protection:
    Code (Text):
    /usr/local/nginx/conf/htpasswd.sh create /home/nginx/domains/$vhost/htpasswd_statics user password

    Use nprestart to activate the new password.

    Well, password protection is not working at the moment. Work in progress. It worked once and afterwards gave me an error, so I disabled it.

    To get it working on a domain, we edit the vhost and change it to the following.
    This is at least a little bit more secure, as port 19999 is hidden from port scanners.
    Code (Text):
    #x# HTTPS-DEFAULT
     upstream backend {
        # the netdata server
        server 127.0.0.1:19999;
        keepalive 64;
    }
    
    server {
        # nginx listens to this
        listen 443 ssl http2;
    
        # the virtual host name of this
        server_name $vhost;
    
        include /usr/local/nginx/conf/ssl/$vhost/$vhost.crt.key.conf;
        include /usr/local/nginx/conf/ssl_include.conf;
    
        location / {
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://backend;
            proxy_http_version 1.1;
            proxy_pass_request_headers on;
            proxy_set_header Connection "keep-alive";
            proxy_store off;
            include /usr/local/nginx/conf/503include-only.conf;
            #limit_req zone=xwplogin burst=1 nodelay;
            #auth_basic "Private";
            #auth_basic_user_file /home/nginx/$vhost/htpasswd_statics;
            #include /usr/local/nginx/conf/php-wpsc.conf;
        }
    
      # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
      #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/$vhost/origin.crt;
      #ssl_verify_client on;
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      add_header X-Xss-Protection "1; mode=block" always;
      add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
     
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/$vhost/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/$vhost/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/$vhost/autoprotect-$vhost.conf;
      root /home/nginx/domains/$vhost/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
    #  location / {
    #  include /usr/local/nginx/conf/503include-only.conf;
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
    #  include /usr/local/nginx/conf/pre-staticfiles-local-$vhost.conf;
    #  include /usr/local/nginx/conf/pre-staticfiles-global.conf;
    #  include /usr/local/nginx/conf/staticfiles.conf;
       include /usr/local/nginx/conf/php.conf;
     
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    


    TODO LIST

    • Enable Password Protection
    • Layout of this post
    • Add on
    • Endless --> New ideas please!
    This is a quick and dirty setup to get netdata working.

    As I intend to update this post frequently, any feedback, suggestions or new add-ons are welcome. It will help other users, so please don't hesitate and POST.

    I will keep this post up to date with any feedback given in the posts below this one. So always refer back to this first post to get the latest updates for fresh installs.
     
    Last edited: May 16, 2019 at 12:34 PM
  2. eva2000

    eva2000 Administrator Staff Member

    39,758
    8,769
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +13,494
    Local Time:
    2:33 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Thanks for sharing :)
    You need to change the file name to be unique, so htpasswd_wplogin has to be unique for each http password on the server. If you use the same one used for WordPress protection, you will overwrite the passwords in the WordPress http password protection.
     
  3. EckyBrazzz

    EckyBrazzz Active Member

    230
    40
    28
    Mar 28, 2018
    Brazil
    Ratings:
    +78
    Local Time:
    1:33 PM
    1.15.x
    10.3.x
    So using
    Code (Text):
    /usr/local/nginx/conf/htpasswd.sh create /home/nginx/domains/$vhost/htpasswd_statics user password
    

    will resolve the issue?
     
  4. eva2000

    eva2000 Administrator Staff Member

    Yes, and make sure to reference the htpasswd_statics path in the location context you are protecting:

    Code (Text):
        auth_basic      "Private Access";
        auth_basic_user_file /home/nginx/domains/$vhost/htpasswd_statics;
    
     
  5. EckyBrazzz

    EckyBrazzz Active Member

    Updated the post but it ain't working.

    [attached images: netdata1.png, netdata.png]

    Maybe because I placed it in the wrong location:
    Code (Text):
    location / {
           proxy_set_header X-Forwarded-Host $host;
           proxy_set_header X-Forwarded-Server $host;
           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_pass http://backend;
           proxy_http_version 1.1;
           proxy_pass_request_headers on;
           proxy_set_header Connection "keep-alive";
           proxy_store off;
           include /usr/local/nginx/conf/503include-only.conf;
           #limit_req zone=xwplogin burst=1 nodelay;
           auth_basic "Private Access";
           auth_basic_user_file /home/nginx/$vhost/htpasswd_statics;
           #include /usr/local/nginx/conf/php-wpsc.conf;
       }
    
    
     
  6. eva2000

    eva2000 Administrator Staff Member

    Might want to place the location / context after the commented-out existing location / context. Also make sure you're entering the password and not the hash generated from htpasswd.sh.
     
  7. EckyBrazzz

    EckyBrazzz Active Member

    Placed this at the top of the location. Notice I changed it to netdata. That fixed the first attempt to log in without the 403 forbidden error. And yes, the $vhost is changed to the real domain.
    Code (Text):
    location / {
          #limit_req zone=xwplogin burst=1 nodelay;
          auth_basic "Private Access";
          auth_basic_user_file /home/nginx/$vhost/htpasswd_netdata;
          #include /usr/local/nginx/conf/php-wpsc.conf;
          # ... remaining proxy_* directives of the location unchanged
    }


    Deleted the old hash and created a new one
    Code (Text):
    /usr/local/nginx/conf/htpasswd.sh create /home/nginx/domains/$vhost/htpasswd_netdata N4t7XXXXXXXXXXXXXXeU0S19 0W1sfXXXXXXXXXXXXDVcw
    

    Of course I logged in with the user and password as above in the code, not using the hash of course. :mad:

    The first time it asked for the login and pass was when the netdata page was opened. Entered the credentials and all went fine. But I wanted to bookmark it for easy access, so I used https://N4t7XXXXXXXXXXXXXXeU0S19:[email protected] as a bookmark.

    After that the 403 forbidden error appeared, and even with the changes in the above posts the error remains.
     
  8. EckyBrazzz

    EckyBrazzz Active Member

    Just noticed that I was not running the latest update and that I'm unable to edit my first post... Too bad.
    I love to use nightly builds for testing and getting the latest new stuff, but be aware that it has a risk.

    [attached image: netadata_6.png]

    So I ran the updater with:
    Code (Text):
    bash <(curl -Ss https://my-netdata.io/kickstart.sh) --auto-update

    This will create a daily cronjob to keep the install up to date.
     
  9. EckyBrazzz

    EckyBrazzz Active Member

    Well, I followed some instructions that I found on GitHub to place it in the server part, but that also does not work; it gives the directive error.

    I remember I had this before and @eva2000 told me to use a conf file of nginx, but guess what happened: my memory can't recall that file.

    So, still struggling to set up the htpasswd on sub.domain.com that is installed as a normal domain with option . Getting error 403, which means that nginx understood it but can't handle the instruction.

    For security reasons I edit the vhost file and enable the password, and when I want to see it myself I disable it, but it's not a real-world situation, just a quick workaround.
     
  10. skringjer

    skringjer Member

    49
    6
    8
    Apr 21, 2019
    Ratings:
    +7
    Local Time:
    9:33 PM
    I really am looking for a server monitoring app because I have multiple servers that I need to monitor all day. @eva2000, what do you suggest? Which is the most secure and easy to use?
     
  11. eva2000

    eva2000 Administrator Staff Member

    I use Nginx Amplify and Nixstats both much lighter weight than Netdata for server resources i.e. example of monitoring PHP-FPM stats https://community.centminmod.com/th...monitoring-with-nixstats-nginx-amplify.14024/

    Strange. Try changing the username/password and see if it will initially work again? Tried shorter usernames/passwords?
     
  12. EckyBrazzz

    EckyBrazzz Active Member

    Did that already: deleted the old hash and used a username/password that was generated with option 22 to be sure that it should work. But no go. Opened an issue on GitHub and it's on the roadmap to create a separate login page.

    So, waiting for that. I don't look at netdata every 5 minutes, so the workaround is OK for me now.
     
  13. EckyBrazzz

    EckyBrazzz Active Member

    Noticed you saw my post, but just to give it another try, here is my current vhost. Maybe you will discover something strange.
    Code (Text):
    #x# HTTPS-DEFAULT
     upstream backend {
        # the netdata server
        server 127.0.0.1:19999;
        keepalive 64;
    }
    
    server {
        # nginx listens to this
        listen 443 ssl http2;
    
        # the virtual host name of this
        server_name $vhost;
    
        include /usr/local/nginx/conf/ssl/$vhost/$vhost.crt.key.conf;
        include /usr/local/nginx/conf/ssl_include.conf;
        #limit_req zone=xwplogin burst=1 nodelay;
        #auth_basic "Private Access";
        #auth_basic_user_file /home/nginx/$vhost/htpasswd_netdata;
        #include /usr/local/nginx/conf/php-wpsc.conf;
        location / {
            #limit_req zone=xwplogin burst=1 nodelay;
            auth_basic "Private Access";
            auth_basic_user_file /home/nginx/$vhost/htpasswd_netdata;
            #include /usr/local/nginx/conf/php-wpsc.conf;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://backend;
            proxy_http_version 1.1;
            proxy_pass_request_headers on;
            proxy_set_header Connection "keep-alive";
            proxy_store off;
      
            }
    
      # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
      #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/$vhost/origin.crt;
      #ssl_verify_client on;
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      add_header X-Xss-Protection "1; mode=block" always;
      add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
     
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/$vhost/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/$vhost/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/$vhost/autoprotect-$vhost.conf;
      root /home/nginx/domains/$vhost/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
    #  include /usr/local/nginx/conf/503include-only.conf;
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
    #  include /usr/local/nginx/conf/pre-staticfiles-local-$vhost.conf;
    #  include /usr/local/nginx/conf/pre-staticfiles-global.conf;
    #  include /usr/local/nginx/conf/staticfiles.conf;
       include /usr/local/nginx/conf/php.conf;
     
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
     
  14. eva2000

    eva2000 Administrator Staff Member

    Need to move the location / context further below, ideally after the root directive:
    Code (Text):
      root /home/nginx/domains/$vhost/public;


    try
    Code (Text):
    #x# HTTPS-DEFAULT
     upstream backend {
       # the netdata server
       server 127.0.0.1:19999;
       keepalive 64;
    }
    
    server {
       # nginx listens to this
       listen 443 ssl http2;
    
       # the virtual host name of this
       server_name $vhost;
    
       include /usr/local/nginx/conf/ssl/$vhost/$vhost.crt.key.conf;
       include /usr/local/nginx/conf/ssl_include.conf;
       #limit_req zone=xwplogin burst=1 nodelay;
       #auth_basic "Private Access";
       #auth_basic_user_file /home/nginx/$vhost/htpasswd_netdata;
       #include /usr/local/nginx/conf/php-wpsc.conf;
    
      # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
      #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/$vhost/origin.crt;
      #ssl_verify_client on;
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      add_header X-Xss-Protection "1; mode=block" always;
      add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
    
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/$vhost/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/$vhost/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/$vhost/autoprotect-$vhost.conf;
      root /home/nginx/domains/$vhost/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
       location / {
           #limit_req zone=xwplogin burst=1 nodelay;
           auth_basic "Private Access";
           auth_basic_user_file /home/nginx/$vhost/htpasswd_netdata;
           #include /usr/local/nginx/conf/php-wpsc.conf;
           proxy_set_header X-Forwarded-Host $host;
           proxy_set_header X-Forwarded-Server $host;
           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_pass http://backend;
           proxy_http_version 1.1;
           proxy_pass_request_headers on;
           proxy_set_header Connection "keep-alive";
           proxy_store off;
    
           }
    
    #  include /usr/local/nginx/conf/pre-staticfiles-local-$vhost.conf;
    #  include /usr/local/nginx/conf/pre-staticfiles-global.conf;
    #  include /usr/local/nginx/conf/staticfiles.conf;
       include /usr/local/nginx/conf/php.conf;
    
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
     
  15. EckyBrazzz

    EckyBrazzz Active Member

    No go, still 403 (private window, else the passwd protection won't show up for the second time).
     
  16. eva2000

    eva2000 Administrator Staff Member

    so it shows up the first time ?
     
  17. EckyBrazzz

    EckyBrazzz Active Member

    To clarify, when NOT using private windows it gives the 403 directly, hence "the second time" when using it in a Private Window.

    I remember I had the same kind of issue when regenerating the password; I don't remember if I got 401 or 403. But the only way that I could resolve it was to delete the vhost and recreate it.

    Will give that a try (when time allows it).
     
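The thread ends without a working configuration, so here is an added check (my own example, not code from the thread, from Centmin Mod or from netdata). Before reordering location blocks it is worth verifying one thing: nginx's auth_basic module answers 403 Forbidden, not 401, when the file named by auth_basic_user_file cannot be found, and records the failed open() in error.log. In this thread htpasswd.sh writes to /home/nginx/domains/$vhost/htpasswd_netdata, while every posted vhost references /home/nginx/$vhost/htpasswd_netdata. The script below lists each active auth_basic_user_file path in a vhost file and reports whether it can be opened. It builds its own constructed fixture under a temporary directory, using the hypothetical domain sub.example.com and a placeholder htpasswd line, so it runs without a real nginx install.

```shell
#!/bin/sh
# Added example (not from the thread, Centmin Mod or netdata): audit an nginx
# vhost for auth_basic_user_file directives whose file does not exist on disk.
# nginx returns 403 for a protected request when the user file cannot be
# opened, which is easy to mistake for a wrong password.

# Print the path of every active (uncommented) auth_basic_user_file
# directive in the vhost file given as $1.
list_auth_files() {
    sed -n 's/^[[:space:]]*auth_basic_user_file[[:space:]]\{1,\}\([^;[:space:]]\{1,\}\)[[:space:]]*;.*$/\1/p' "$1"
}

# Report each referenced user file as OK or MISSING. Returns 0 when every
# file exists and is readable by the calling user, 1 otherwise.
check_auth_files() {
    _status=0
    for _f in $(list_auth_files "$1"); do
        if [ -r "$_f" ]; then
            echo "OK:      $_f"
        else
            echo "MISSING: $_f  (nginx will answer 403 for this location)"
            _status=1
        fi
    done
    return $_status
}

# Build a constructed fixture in a temporary directory that mirrors the
# thread: the htpasswd file lives under home/nginx/domains/<vhost>/, while
# one vhost references home/nginx/<vhost>/ (directory level missing).
# Prints the fixture root.
make_fixture() {
    _root=$(mktemp -d)
    _vhost=sub.example.com          # hypothetical domain name
    mkdir -p "$_root/home/nginx/domains/$_vhost"
    # Constructed htpasswd line; the hash is a placeholder, not a real digest.
    echo 'netdata:$apr1$PLACEHOLDER$PLACEHOLDERHASH' \
        > "$_root/home/nginx/domains/$_vhost/htpasswd_netdata"

    # vhost with the path as posted in the thread
    cat > "$_root/wrong.conf" <<EOF
location / {
    auth_basic "Private Access";
    auth_basic_user_file $_root/home/nginx/$_vhost/htpasswd_netdata;
    proxy_pass http://backend;
}
EOF
    # vhost with the path htpasswd.sh actually wrote to; the commented-out
    # directive must be ignored by the audit
    cat > "$_root/right.conf" <<EOF
location / {
    #auth_basic_user_file $_root/old/htpasswd_statics;
    auth_basic "Private Access";
    auth_basic_user_file $_root/home/nginx/domains/$_vhost/htpasswd_netdata;
    proxy_pass http://backend;
}
EOF
    echo "$_root"
}

# Stand-alone run: audit both constructed vhosts, then clean up.
root=$(make_fixture)
echo "== $root/wrong.conf"; check_auth_files "$root/wrong.conf" || :
echo "== $root/right.conf"; check_auth_files "$root/right.conf" || :
rm -rf "$root"
```

Point check_auth_files at your real vhost file to audit it, and run it as root or as the nginx worker user, because -r only tests readability for the caller; a file the worker cannot read fails the same way. Note also that proxying through nginx does not by itself close port 19999: netdata keeps listening on all interfaces until its bind to option in netdata.conf is restricted to 127.0.0.1, so that setting or a firewall rule is what actually keeps the port away from scanners.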