Problems with distributed WATO and PNP4Nagios

distributed
wato
pnp4nagios

(Leon) #1

Hello guys,

I have the following problem:
I am using the RAW-Edition, version 1.5.0p6 and want to include a customer slave. With the following settings I get at least the data. What I miss now is the possibility to display the graphs and the functionality of Distributed WATO.

The slave of the customer is of course behind the firewall of the customer network, which does a port forwarding (6557) to the slave, so that the master can communicate with the slave. What do I have to do to make Distributed WATO and Pnp4Nagios work?

When I tried check_mk with a satellite in my local network, everything worked fine with pnp4nagios and distributed WATO; I could simply copy and use the URL schema from the documentation. But now I have to consider the customer’s firewall in my plan, and here I don’t know how to proceed in the most secure and useful way.

Maybe the screenshots will help you.

Thank you,
Leon



(Philipp Näther) #2

For pnp4nagios the customer firewall has to forward requests to the slave over port 80, because 1) the user browser fetches the graphs directly over http or 2) the apache server of the master site proxies the requests to the slave site over http. The configuration of both ways can be found in the docs https://mathias-kettner.com/cms_distributed_monitoring.html#pnp4nagios.

For “make Distributed WATO work” I do not exactly get what you mean.


(Leon) #3

Okay, I added a port forwarding rule for port 80.
My master may now access port 80 of the slave via port 7556 (security reasons).
Since the users are not allowed to access the firewall port 7556 (and so slave port 80) with their browser, I have to create a proxy rule on the master.

According to the documentation I created a config file under /etc/apache2/conf.d/multisite_proxy.conf.

<Location /fchdh>
    Options +FollowSymLinks
    RewriteEngine On
    RewriteRule ^/.+/fchdh/(.*) http://x.x.x.x:7556/fchdh/$1 [P]
</Location>
<Location /sig>
    Options +FollowSymLinks
    RewriteEngine On
    RewriteRule ^/.+/sig/(.*) http://x.x.x.x/sig/$1 [P]
</Location>

Now I get these errors …

[Screenshot: 20181024_Check_MK Local site master - update_failed]

[Screenshot: 20181024_Check_MK Local site master - 404 Not Found]

The IP shown in the last error (404) is the IP from our Master.


(Philipp Näther) #4

You can test the proxy rewrite rule with a browser “outside” the check_mk web interface by accessing http://master/fchdh. It should forward you to the slave ip. If this is not happening, your rewrite rule does not apply correctly.
Did you restart apache?


(Leon) #5

I have edited this post so that at first sight it is clear to everyone how I solved my problem.

First, if your Satellite is behind a firewall of the customer network and not reachable from the internet, you have to create a port forwarding rule, port 80 and 6557, so the master can connect with the slave.

  • Port 6557 is needed to get the monitoring data.
  • Port 80 is needed if the master should display pnp4nagios graphs and to connect with the WATO of the slave instance.

For security reasons, only the master should have access to the port forwarding rule on the customer’s firewall. For this you have to create a proxy rule on the master’s Apache server. This allows us to route PNP4Nagios queries via HTTP or HTTPS to the correct slave server and results in working graphs when displaying hosts of the slave site.

Create a file multisite_proxy.conf at /etc/apache2/conf-available/ and activate it with # a2enconf multisite_proxy and # service apache2 reload.

<Location /customersite>
    Options +FollowSymLinks
    RewriteEngine On
    RewriteRule ^/.+/customersite/(.*) http://x.x.x.x:7556/customersite/$1 [P]
</Location>

Info: the port 7556 forwards our http request to port 80 of the slave in our customer’s network. 7556 is just used for security reasons!

Now just configure your slave in your master WATO at “Distributed Monitoring” and you’re done!

Huge thanks go to @TheLucKy 🤩👌🏼
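
A small check for the multisite_proxy.conf described in the last post, added here as an example and not code from the thread or from Check_MK: it lists where each proxied site is sent and flags rules whose site name is inconsistent between Location, pattern and target, or that send plain HTTP to an address outside RFC 1918. The function names, the second sample rule and the address 203.0.113.10 (standing in for x.x.x.x) are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample shaped like the thread's multisite_proxy.conf; 203.0.113.10
# stands in for x.x.x.x, and the second block is inconsistent on purpose.
SAMPLE_CONF = """
<Location /customersite>
    Options +FollowSymLinks
    RewriteEngine On
    RewriteRule ^/.+/customersite/(.*) http://203.0.113.10:7556/customersite/$1 [P]
</Location>
<Location /sig>
    RewriteEngine On
    RewriteRule ^/.+/sig/(.*) http://203.0.113.10/othersite/$1 [P]
</Location>
"""

LOCATION = re.compile(r"<Location\s+/(\S+?)>(.*?)</Location>", re.S)
RULE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)\s+\[([^\]]*)\]", re.M)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(host):
    """True only for literal RFC 1918 addresses; names count as external."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)

def audit_proxy_conf(text):
    """Return one finding per proxied ([P]) RewriteRule in the config text."""
    findings = []
    for site, body in LOCATION.findall(text):
        for pattern, target, flags in RULE.findall(body):
            if "P" not in [f.strip() for f in flags.split(",")]:
                continue  # rewrite without proxying, nothing leaves the master
            url = urlsplit(target)
            port = url.port or (443 if url.scheme == "https" else 80)
            notes = []
            if f"/{site}/" not in pattern or not url.path.startswith(f"/{site}/"):
                notes.append("site name mismatch")
            if url.scheme == "http" and not is_internal(url.hostname):
                notes.append("cleartext HTTP to external address")
            findings.append({"site": site, "host": url.hostname, "port": port, "notes": notes})
    return findings

if __name__ == "__main__":
    for finding in audit_proxy_conf(SAMPLE_CONF):
        print(finding)
```

The reported host and port per site can be compared against the port forwarding rules on the customer firewall, so that only the forwards the master actually uses stay open.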