Setting up Netdata server monitoring with password authentication behind an Apache proxy.

Password protected server monitoring.

Netdata, a beautiful, lightweight, monitoring tool.


What do we want?

The aim of this tutorial is to allow monitoring of a Linux server through Apache without using any ports other than 80/443 (443 is used here), so that the local 127.0.0.1:19999 is accessible only from www.example.com/netdata, and only after authentication.

Netdata installation

The first thing needed is netdata installed on the server.

To do so you can either run:

# bash <(curl -Ss https://my-netdata.io/kickstart.sh) 
and let the automatic installer do the work for you, or you can visit the Netdata GitHub installer page for other instructions and details.

Once it has finished, you should have an output like this.

Now you should be able to see the netdata page at http://IP:19999

If the server is under iptables protection you need to add a rule for INPUT packets:

#sudo iptables -A INPUT -p tcp --dport 19999 -j ACCEPT
NOTE: you won't need this if you are going to proxy the data through the normal 80/443 ports. You can skip it, or you can use it to test that netdata is working correctly.

Apache configuration

We need to create a new Virtual Host which will proxy all the requests coming to a specified external URL to our local netdata page.

We first need to install some modules for Apache:

#sudo apt install libxml2-dev libapache2-mod-proxy-html

Then we need to activate some mods:

#sudo a2enmod proxy
#sudo a2enmod proxy_html
#sudo a2enmod proxy_http
#sudo a2enmod xml2enc

If you already have a vhost with your www.example.com and SSL configuration, use that one (in my case it is default-ssl.conf), located in /etc/apache2/sites-available/

It will start with something similar to this:

<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerAdmin webmaster@localhost
                ServerName bestrockers.ddns.net

                DocumentRoot /var/www

                SSLEngine on

                ....
                ....

Just add these lines at the end, right before the closing VirtualHost tag:

            RewriteEngine on
            ProxyRequests Off
            # 2.2-style access directives; Apache 2.4 needs mod_access_compat for them
            <Proxy *>
                Order deny,allow
                Allow from all
            </Proxy>

            # netdata-ip is 127.0.0.1 when netdata runs on this same server
            ProxyPass "/netdata/" "http://netdata-ip:19999/" connectiontimeout=5 timeout=30
            ProxyPassReverse "/netdata/" "http://netdata-ip:19999/"

            # Require a login from .htpasswd for everything under /netdata/
            <Location /netdata/>
                AuthType Basic
                AuthName "Restricted Content"
                AuthUserFile /etc/apache2/.htpasswd
                Require valid-user
                Order deny,allow
                Allow from all
            </Location>

And create the directory /var/www/netdata (matching your config).

NOTE: if you don't have a vhost configured for SSL/TLS for your domain go here for a quick guide.

Now we are going to create the credentials for accessing the HTML page.

Install apache2-utils if you don't have it already and create a netdata user:

#sudo apt install apache2-utils
#sudo htpasswd -c /etc/apache2/.htpasswd netdata

You have to insert the password for the user 'netdata' twice.

Finally restart apache2

#sudo systemctl restart apache2

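Add a rule to block netdata on port 19999 from outside. The loopback interface is excluded, because a plain DROP on INPUT would also drop Apache's own connections to 127.0.0.1:19999 and break the proxy:

#sudo iptables -I INPUT ! -i lo -p tcp --dport 19999 -j DROP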

Now you can go to www.example.com/netdata (or whatever your vhost ServerName is) to access netdata over HTTPS with password protection.
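
A check you can run after finishing the steps above, as an added example that is not part of the original tutorial: it confirms that /netdata/ refuses anonymous requests, accepts the htpasswd login, and that port 19999 is closed from outside. The script name and the function names are hypothetical; www.example.com and the netdata user come from the tutorial.

```shell
#!/bin/sh
# Added example (not from the original post): post-deployment check for the
# /netdata/ reverse proxy. Run it from a machine OTHER than the server, so the
# port-19999 probe tests the firewall rule instead of the loopback interface.

# http_code URL [USER:PASS] -> prints the HTTP status, or 000 if no connection.
http_code() {
    if [ -n "${2:-}" ]; then
        curl -s -o /dev/null -m 5 -w '%{http_code}' -u "$2" "$1" || true
    else
        curl -s -o /dev/null -m 5 -w '%{http_code}' "$1" || true
    fi
}

# check_netdata_proxy HOST USER:PASS -> returns 0 only if all three hold:
#   1. an anonymous request to https://HOST/netdata/ is refused with 401
#   2. the same request with the htpasswd credentials returns 200
#   3. http://HOST:19999/ cannot be reached at all (curl reports 000)
check_netdata_proxy() {
    cnp_fail=0
    cnp_anon=$(http_code "https://$1/netdata/")
    cnp_auth=$(http_code "https://$1/netdata/" "$2")
    cnp_direct=$(http_code "http://$1:19999/")

    if [ "$cnp_anon" != 401 ]; then
        echo "FAIL: anonymous /netdata/ returned $cnp_anon (expected 401)"
        cnp_fail=1
    fi
    if [ "$cnp_auth" != 200 ]; then
        echo "FAIL: authenticated /netdata/ returned $cnp_auth (expected 200)"
        cnp_fail=1
    fi
    if [ "$cnp_direct" != 000 ]; then
        echo "FAIL: port 19999 answered with $cnp_direct (expected no connection)"
        cnp_fail=1
    fi
    [ "$cnp_fail" -eq 0 ] && echo "OK: /netdata/ needs a password and 19999 is closed"
    return "$cnp_fail"
}

# Usage: sh check_netdata.sh www.example.com 'netdata:PASSWORD'
if [ "$#" -eq 2 ]; then
    check_netdata_proxy "$1" "$2"
fi
```

A 000 on the first two probes usually means curl rejected the TLS certificate or could not connect, so fix that before reading anything into the result.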

**Please feel free to make any comment! If anything is unclear, just write in the comment and I will update the post! Thanks for reading!**