Dashing - not working with HTTPS

This forum was archived to /woltlab and is now in read-only mode.
  • Hello forum,


    I recently did some apache/ssl configs which basically allowed icingaweb2 to run off / rather than /icingaweb2 and also redirect HTTP to HTTPS. More details here: Redirect for icingaweb2 (https://example/ to https://example/icingaweb2)


    I also decided to pick up Dashing again, but when I try to access it via https://, it gives a ERR_SSL_PROTOCOL_ERROR. I also get the following logs when I start Dashing in the foreground:


    I couldn't find anything new in the ssl_error_log but I did see these logs in ssl_access_log when I refresh the Dashing page:


    Code
    1. x.x.x.x - - [19/Sep/2017:14:38:09 -1000] "GET /js/icinga.min.js HTTP/1.1" 304 -
    2. x.x.x.x - - [19/Sep/2017:14:38:10 -1000] "GET /js/icinga.min.js HTTP/1.1" 304 -
    3. x.x.x.x - - [19/Sep/2017:14:38:09 -1000] "GET /css/icinga.min.css HTTP/1.1" 200 205325
    4. x.x.x.x - - [19/Sep/2017:14:38:10 -1000] "GET /css/icinga.min.css HTTP/1.1" 304 -
    5. x.x.x.x - - [19/Sep/2017:14:38:10 -1000] "GET /layout/menu HTTP/1.1" 200 4848
    6. x.x.x.x - - [19/Sep/2017:14:38:10 -1000] "GET /layout/menu HTTP/1.1" 200 4848

    My API connection configs must be correct because I'm still getting data into the Dashing interface via HTTP. I had to specify "pki_path" as well as "node_name" and copy my SSL certs into the dashing directory as discussed in the docs under the Dashing Configuration section.


    Here's some more information:

    Code
    1. # gem list --local dashing
    2. dashing (1.3.7)
    3. # ruby -v
    4. ruby 2.0.0p648 (2015-12-16) [x86_64-linux]
    5. # cat RELEASE.md
    6. VERSION=1.3.0


    Anyone have any pointers? Basically I'm just trying to get Dashing to work with HTTPS. Would I have to make another vhost? I tried to do it myself following the icingaweb2 apache configs but I doubt it's correct:



    Thanks for any help!

  • Hello,


    Dashing uses its own web server named thin. There is a way to configure thin to listen on SSL as well, but this becomes hard to maintain and when the Icinga Dashing project is switching to an other web server you need to re-configure the (new) web server to listen on SSL.


    I would recommend to let Dashing and thin listen on HTTP only and set up a reverse proxy like NGINX (I guess Apache could do that as well). Now you can set up NGINX with a proper SSL configuration and redirect everything to the thin web server. You could also edit the address on which thin is listening so that Dashing is only available over HTTPS.


    Cheers

  • You need the following config to forward the requests in apache to dashing:


    Code
    1.         ProxyPass / http://127.0.0.1:8005/ retry=5
    2.         ProxyPassReverse / http://127.0.0.1:8005/


    i am not sure if you need some more config for dashing here.

  • You can also use Nginx. I wrote a thing last week about securing Elasticsearch and Kibana this way, this should also work with Dashing.


    https://blog.netways.de/2017/0…with-an-nginx-http-proxy/

  • Thanks for the replies everybody.


    mcktr

    I tried to set up the reverse proxy as birkch and dnsmichi had mentioned as well but was unable to successfully do so (details below). I then tried to edit the address on which Thin is listening to but I'm thinking perhaps I need to create another VirtualHost for port 8005 in my SSL configs for this to work? You and dnsmichi both use Nginx, but I don't think I should run Nginx and Apache concurrently. I think birkch's solution sums up a translation from dnsmichi's from Nginx to Apache anyways.


    birkch

    This solution technically worked, but since I have set up my Icingaweb2 to run under / instead of /icingaweb2, Dashing now runs in place of Icingaweb2 and therefore Icingaweb2 will not work. I tried to change the reverse proxy rule to serve under a different location, like /dashing, but that didn't quite work and I'm not sure if it should work like that.

  • You can do that with Apache 2 as well, but my main task was to solve a problem with Elasticsearch and Nginx lately. The solution with Nginx worked in under 2 hours.


    If you try to change paths, Dashing is cumbersome. You should know that already, afaik you've tried to do so in the past. I wouldn't bother with paths, but let Dashing on a dedicated web VM instead of the one which runs Icinga Web 2.

  • I would also stay away from changing paths.


    I set up multiple DNS aliases for my Icinga Web 2, Grafana and Dashing and my web server is listening on the DNS alias name. For example if I go to icingaweb.domain.local I get Icinga Web 2, if I go to grafana.domain.local I get Grafana, but everything is hosted on the same machine.


    Here is an example of one of my NGINX configuration files (you can achieve the same with Apache)