Password protect Netdata with NGINX / Permission denied while connecting to upstream error

Netdata is great free tool for generating server statistics. By default it’s open for entire world on port 19999 – http://servername.com:19999. It is not a good idea to leave this open so everyone can your system statistics.

One way to limit access from where it is accessible is by editing netdata.conf and specify IPS in “allow connections from” variable.

[web]
allow connections from = ip's that are allowed to access>

There is no option to password protect it. This can be done with NGINX. You can create reverse proxy, so that nginx will serve content from netdata application. To make netdata accessible on subfolder of your hostname, eg. http://my.hostname.com/netdata, then create nginx configuration like bellow.

First generate password file for nginx:

htpasswd -c /etc/nginx/.htpasswd "username"

Then create or edit existing nginx configuration to something like this:

upstream netdata {
        server 127.0.0.1:19999;
        keepalive 64;
}

server {
     listen 443 ssl http2;
     server_name my.hostname.com;
     location = /netdata {
         return 301 /netdata/;
    }

    location ~ /netdata/(?.*) {

        auth_basic "Restricted Content";
        auth_basic_user_file /etc/nginx/.htpasswd;

        proxy_redirect off;
        proxy_set_header Host $host;   

        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_pass_request_headers on;
        proxy_set_header Connection "keep-alive";
        proxy_store off;
        proxy_pass http://netdata/$ndpath$is_args$args;

        gzip on;
        gzip_proxied any;
        gzip_types *;
   }

    error_log /var/log/nginx/error.log;
    access_log off;
    ....

Also, don’t forget to edit netdata.conf and change some variables. Make netdata accessible only from localhost (nginx):

[web]
bind to = 127.0.0.1
allow connections from = localhost
allow dashboard from = localhost

You should also allow connection to port 19999 only to local traffic (localhost).

Restart nginx and netdata, then try to access like: http(s)://my.hostname.com/netdata.

If you’re getting error like bellow in your nginx error log, than chances are that SELinux is active. Disable selinux or execute this command “setsebool -P httpd_can_network_connect true”.

[crit] 8411#0: *1 connect() to 127.0.0.1:19999 failed (13: Permission denied) while connecting to upstream, client: 8.8.8.8, server: my.hostname.com, request: "GET /netdata/ HTTP/1.1", upstream: "http://127.0.0.1:19999/", host: "my.hostname.com"

 

 

 

NGINX: rewrite non-www to www for multi domain virtual hosts

If you have NGINX virtual host that has a multi different domains pointing to same document root (multi server_name), and you want to automatically redirect non-www to www, than bellow is simple solution. I also wanted to redirect to https with www.

If you don’t need https redirection, than you can simply use variable $scheme instead of “https:”. 

if ( $host !~ ^www\. ) {
            return 302 https://www.$host$request_uri;
}

So virtual host should look something like this:

server {
      listen 1.1.1.1:80;
      server_name domain1.com www.domain1.com domain2.com www.domain2.com;

      if ( $host !~ ^www\. ) {
           return 302 https://www.$host$request_uri;
      }
      return 302 https://$host$request_uri;
}

You should also make this redirect in your https server definition. otherwise request for https://domain1.com won’t redirect to www.

server {
      listen 1.1.1.1:443;
      server_name domain1.com www.domain1.com domain2.com www.domain2.com;
      if ( $host !~ ^www\. ) {
              return 302 https://www.$host$request_uri;
      }

      ssl on;
      ssl_certificate /etc/letsencrypt/live/domains.com/fullchain.pem;
      ssl_certificate_key /etc/letsencrypt/live/domains.com/privkey.pem;

      .... //other nginx configuration ....
}

cPanel’s Awstats: There are no domains which have awstats stats to display

One client had issue with Awstats statistics. They stoped working. When he tried to add new domain and check Awstats in cPanel, this message was shown:

There are no domains which have awstats stats to display

Awstats were configured correctly, cron was executed. I then discovered that there were no active access log in /usr/local/apache/domlogs/domainname.com. So I tried to tail this log while visit web site, no access log was generating.

A while ago I enabled cPanels option “Piped Log Configuration” which was suggested to enable to speed up cPanel control panel experience. When this was disabled, access log per domain started to working again.

 

Magento: PHP Fatal error – Allowed memory size exhausted when bin/magento module:status

This was strange one. When calling simple magento command with PHP CLI I was getting error that allowed memory size was exhausted.

[root@machine ~]# php bin/magento module:status
[root@machine ~]# PHP Fatal error: Allowed memory size of 2097152 bytes exhausted (tried to allocate 32768 bytes) in /path/to/wwww/magentoshot.com/vendor/symfony/console/Application.php on line 951

I checked php.ini and it was set like this:

memory_limit = 2048M

I checked if there are different values for CLI version. It were the same.

Solution was simple. Change your php.ini value for memory_limit and define it in gigabytes instead in megabytes.

memory_limit = 2G

I restarted Apache and it started to work.

Find common/identical lines within two files without DIFF

Here is really simple trick how to search for strings that are the same within two different files.

For presenting purposes I created two files with some text in it. Some text is the same, some not.

File 1:

> $ cat file1.txt 
test1
test2
test3
test4
test5

File2:

> $ cat file2.txt 
lala1
lala2
test3
test4
lala4
lala6

Here is how to find strings that are the same within both files:

> $ cat file1.txt file2.txt | sort | uniq -c | grep "2 " 
2 test3
2 test4

So, strings test3 and test4 occurring in both files.

Nice way to do HTTP to HTTPS redirection with Apache .htaccess

I had some sites on shared hosting environment for which I had to do http to https redirection with .htaccess file. I did 302 redirection intentionally so that in case of error, browser doesn’t cache redirection. You can aslo make permanent 301 redirect if needed.

This is nice and simple way to do it:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=302]

Moodle – mysql/mariadb Antelope to Barracuda installation warning

I tried to install Moodle 3.5.2 on cPanel server and got this warning in installation process:

“Your database has tables using Antelope as the file format. You are recommended to convert the tables to the Barracuda file format. See the documentation Administration via command line for details of a tool for converting InnoDB tables to Barracuda.”

Because this was production hosting server, I was unable to just globally change mysql settings. To be able to proceed installation, open config.php file of your moodle and change variable dbcollation like this:

dbcollation' => 'utf8_unicode_ci'

Multidomain webroot for Letsencrypt with NGINX

If you have web server on which there is a lot of virtual hosts, you may want to have one webroot directory for Letsencrypt SSL certificates only. So when Letsencrypt will make the requests for SSL registration or renewal, it will look in this directory. In this case I did this on CentOS 7 with NGINX web server.

First, let’s create directory what will be used for letsencrypt purposes. It must be writable by your web server user. You can define different path.

[root@machine ~]# mkdir -p /var/www/le-certs
[root@machine ~]# chown -R wwwuser:wwwgroup /var/www/le-certs

Letsencrypt will need access in “.well-known/acme-challenge”. For NGINX add something like this in your server block for desired virtual host.

location ~ /.well-known/acme-challenge/ {
             root /var/www/le-certs/;
             break;
}

You can also create new file named, for example le-config.conf and add block above in to it. Then you can simply include this line in your virtual hosts. 

server {
             listen :443 ssl http2;
             server_name mywebsite.com www.mywebsite.com;
             root /var/www/mywebsite/;

             include le-config.conf;
              ...
}

 

 

cPanel/CloudLinux – Composer not working with cPanel user

I had a problem when publishing project via composer as cPanel user. When trying to execute composer via cpanel user with ssh access, composer returned nothing. This was on CloudLinux with alt-php (PHP Selector) and cPanel.

In documentation is stated that for composer to work, we need PHP library’s Phar, Iconv, Mbstring. This can be done easily with PHP Selector in your user interface. Documentation also says that we need to have enabled allow_url_fopen which is also specified as possible security issue so it shouldnt be enabled globally. And lastly, if you use suhosin, which you should, you have to whitelist Phar. You should do all of this so that is only affecting php.ini for specific user and not globally. Also, you’ll want to increase memory_limit as composer needs it. In my case, I temporary increase it to 1G. First, enable all necessary php library’s through PHP Selector in you cpanel control panel. Then follow steps bellow.

Login in users CageFS like this:

root@server [~]# cagefsctl -e

Then go to your alt-php configuration directory:

root@cpanel [~]# cd /etc/cl.php.d/alt-php<desired version>/

Inside of this directory you should see file alt_php.ini, open it and add this to end of the file:

;>=== Start of PHP Selector Custom Options ===
memory_limit=1G
suhosin.executor.include.whitelist=phar
;<=== End of PHP Selector Custom Options =====

Save this settings and exit user CageFS. You don’t need to restart apache. Then SSH with your cpanel user and try to run composer.

Composer should now work with your cPanel user:

thisisme@server [/]# composer --version
Composer version 1.6.2 2018-01-05

 

cPanel: Your server does not support the connection encryption type you have specified

If you’re getting message like “Your server does not support the connection encryption type you have specified” when try to set up email in your Outlook, then chances are that your cPanel mail server has disabled some needed encryption types.

By default, cPanel disables all those protocols: SSLv2, SSLv3, TLSv1, TLSv1.1. SSL2 and SSL3 should be disabled at all costs, but you may not get away with TLS 1.1 or even TLS 1 being disabled.

To enable TLS 1 and TLS 1.1 in your Exim, login as admin in your cpanel and then: Home -> Service Configuration -> Exim Configuration Manager. Select second option so you can insert your own directives and add this:

 +no_sslv2 +no_sslv3

© 2018 geegkytuts.net
Hosted by Hosterdam


About author