<!--
title: "Netdata via HAProxy"
custom_edit_url: "https://github.com/netdata/netdata/edit/master/docs/netdata-agent/configuration/running-the-netdata-agent-behind-a-reverse-proxy/Running-behind-haproxy.md"
sidebar_label: "Netdata via HAProxy"
learn_status: "Published"
learn_topic_type: "Tasks"
learn_rel_path: "Configuration/Secure your nodes"
-->
# Netdata via HAProxy
> HAProxy is a free, very fast and reliable solution offering high availability, load balancing,
> and proxying for TCP and HTTP-based applications. It is particularly suited for very high traffic websites
> and powers quite a number of the world's most visited ones.
If Netdata is running on a host that also runs HAProxy, a domain name can be pointed at HAProxy and HAProxy can forward
connections to the Netdata port, instead of clients connecting to Netdata by port number. This makes it possible to reach
Netdata at `https://example.com` or `https://example.com/netdata/`, which is a much nicer experience than
`http://example.com:19999`.
To proxy requests from [HAProxy](https://github.com/haproxy/haproxy) to Netdata,
the following configuration can be used:
## Default Configuration
For all examples, set the mode to `http`:
```conf
defaults
    mode http
```
## Simple Configuration
A simple example where the base URL, say `http://example.com`, is used with no subpath:
### Frontend
Create a frontend to receive the request.
```conf
frontend http_frontend
    ## HTTP ipv4 and ipv6 on all ips ##
    bind :::80 v4v6

    default_backend netdata_backend
```
### Backend
Create the Netdata backend which will send requests to port `19999`.
```conf
backend netdata_backend
    option forwardfor
    server netdata_local 127.0.0.1:19999

    http-request set-header Host %[src]
    http-request set-header X-Forwarded-For %[src]
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request set-header Connection "keep-alive"
```
## Configuration with subpath
An example where the base URL is used with a subpath `/netdata/`:
### Frontend
To use a subpath, create an ACL that matches requests whose URL begins with the subpath, and route on it.
```conf
frontend http_frontend
    ## HTTP ipv4 and ipv6 on all ips ##
    bind :::80 v4v6

    # URL begins with /netdata
    acl is_netdata url_beg /netdata

    # if trailing slash is missing, redirect to /netdata/
    http-request redirect scheme https drop-query append-slash if is_netdata ! { path_beg /netdata/ }

    ## Backends ##
    use_backend netdata_backend if is_netdata
    # Other requests go here (optional)
    # put netdata_backend here if no others are used
    default_backend www_backend
```
### Backend
Same as the simple example, except that the `/netdata/` prefix is stripped from the path with a regex before the request is forwarded.
```conf
backend netdata_backend
    option forwardfor
    server netdata_local 127.0.0.1:19999

    http-request set-path %[path,regsub(^/netdata/,/)]

    http-request set-header Host %[src]
    http-request set-header X-Forwarded-For %[src]
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request set-header Connection "keep-alive"
```
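The frontend ACL, the trailing-slash redirect and the backend path rewrite above interact in ways that are easier to see by running requests through them. The following is an added example, not code from Netdata or HAProxy: it models the subpath frontend/backend pair in plain Python (path only; the query string and the `https` scheme change of the redirect are ignored) and follows redirects the way a client would. `www_backend` is the page's own placeholder name for the default backend.

```python
"""Model of the subpath routing on this page (added example, not HAProxy code)."""
import re

# http-request set-path %[path,regsub(^/netdata/,/)]
NETDATA_PREFIX_RE = re.compile(r"^/netdata/")


def route(path: str) -> dict:
    """Decide what the page's subpath frontend/backend pair does with one request path.

    action == "redirect": is_netdata matched but the path lacks the '/netdata/' prefix,
                          so HAProxy answers with a redirect (location in 'location')
    action == "netdata":  forwarded to netdata_backend with '/netdata/' stripped
    action == "default":  handed to default_backend (www_backend on the page)
    """
    # acl is_netdata url_beg /netdata  -- a plain prefix match, so '/netdata-x' matches too
    is_netdata = path.startswith("/netdata")
    # ... if is_netdata ! { path_beg /netdata/ }
    if is_netdata and not path.startswith("/netdata/"):
        # append-slash adds a '/' only when the path does not already end in one
        target = path if path.endswith("/") else path + "/"
        return {"action": "redirect", "location": target}
    if is_netdata:
        return {"action": "netdata", "backend_path": NETDATA_PREFIX_RE.sub("/", path, count=1)}
    return {"action": "default", "backend_path": path}


def follow(path: str, max_hops: int = 5) -> tuple:
    """Follow the model's redirects like a browser would; returns (final decision, hops taken)."""
    hops = 0
    while True:
        decision = route(path)
        if decision["action"] != "redirect" or hops >= max_hops:
            return decision, hops
        hops += 1
        path = decision["location"]


if __name__ == "__main__":
    # Constructed sample requests, including the prefix-match edge case.
    for p in ["/netdata", "/netdata/", "/netdata/api/v1/info", "/index.html", "/netdata-other/"]:
        print(f"{p:24} -> {route(p)}   after redirects: {follow(p)}")
```

The last sample path shows the edge case worth knowing about: because `url_beg /netdata` is a prefix match, a path such as `/netdata-other/` satisfies `is_netdata` but not `path_beg /netdata/`, and since it already ends in a slash the redirect points back at itself. If other paths starting with `/netdata` can exist on the site, anchor the ACL with `path_beg /netdata/` and an exact `path /netdata` match (HAProxy's `path` fetch matches the whole path) instead of the bare prefix.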
## Using TLS communication
TLS can be used by adding port `443` and a certificate to the frontend.
This example only routes to Netdata when the `Host` header matches `example.com` (replace it with your domain).
### Frontend
This frontend uses a certificate list.
```conf
frontend https_frontend
    ## HTTP ##
    bind :::80 v4v6
    # Redirect all HTTP traffic to HTTPS with 301 redirect
    redirect scheme https code 301 if !{ ssl_fc }

    ## HTTPS ##
    # Bind to all v4/v6 addresses, use a list of certs in file
    bind :::443 v4v6 ssl crt-list /etc/letsencrypt/certslist.txt

    ## ACL ##
    # Optionally check host for Netdata
    acl is_example_host hdr_sub(host) -i example.com

    ## Backends ##
    use_backend netdata_backend if is_example_host
    # Other requests go here (optional)
    default_backend www_backend
```
In the cert list file place a mapping from a certificate file to the domain used:
`/etc/letsencrypt/certslist.txt`:
```txt
example.com /etc/letsencrypt/live/example.com/example.com.pem
```
The file `/etc/letsencrypt/live/example.com/example.com.pem` should contain the certificate chain and the
private key concatenated into a single `.pem` file, as the following command produces:
```sh
cat /etc/letsencrypt/live/example.com/fullchain.pem \
/etc/letsencrypt/live/example.com/privkey.pem > \
/etc/letsencrypt/live/example.com/example.com.pem
```
### Backend
Same as the simple example, except that the `X-Forwarded-Proto` header is set to `https` so Netdata knows the client connected over TLS.
```conf
backend netdata_backend
    option forwardfor
    server netdata_local 127.0.0.1:19999

    http-request add-header X-Forwarded-Proto https

    http-request set-header Host %[src]
    http-request set-header X-Forwarded-For %[src]
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request set-header Connection "keep-alive"
```
## Enable authentication
To use HTTP Basic authentication, create a `userlist` (HAProxy's authentication list):
```conf
# HTTP Auth
userlist basic-auth-list
    group is-admin
    # Plaintext password
    user admin password passwordhere groups is-admin
```
You can create a hashed password using the `mkpasswd` utility.
```sh
printf "passwordhere" | mkpasswd --stdin --method=sha-256
$5$l7Gk0VPIpKO$f5iEcxvjfdF11khw.utzSKqP7W.0oq8wX9nJwPLwzy1
```
Replace `passwordhere` with the hash:
```conf
    user admin password $5$l7Gk0VPIpKO$f5iEcxvjfdF11khw.utzSKqP7W.0oq8wX9nJwPLwzy1 groups is-admin
```
Now add at the top of the backend:
```conf
    acl devops-auth http_auth_group(basic-auth-list) is-admin
    http-request auth realm netdata_local unless devops-auth
```
## Full Example
Full example configuration with HTTP auth over TLS with subpath:
```conf
global
    maxconn 20000
    log /dev/log local0
    log /dev/log local1 notice
    user haproxy
    group haproxy
    pidfile /run/haproxy.pid
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    daemon
    tune.ssl.default-dh-param 4096 # Max size of DHE key
    # Default ciphers to use on SSL-enabled listening sockets.
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend https_frontend
    ## HTTP ##
    bind :::80 v4v6
    # Redirect all HTTP traffic to HTTPS with 301 redirect
    redirect scheme https code 301 if !{ ssl_fc }

    ## HTTPS ##
    # Bind to all v4/v6 addresses, use a list of certs in file
    bind :::443 v4v6 ssl crt-list /etc/letsencrypt/certslist.txt

    ## ACL ##
    # Optionally check host for Netdata
    acl is_example_host hdr_sub(host) -i example.com
    acl is_netdata url_beg /netdata

    http-request redirect scheme https drop-query append-slash if is_netdata ! { path_beg /netdata/ }

    ## Backends ##
    use_backend netdata_backend if is_example_host is_netdata
    default_backend www_backend

# HTTP Auth
userlist basic-auth-list
    group is-admin
    # Hashed password
    user admin password $5$l7Gk0VPIpKO$f5iEcxvjfdF11khw.utzSKqP7W.0oq8wX9nJwPLwzy1 groups is-admin

## Default server(s) (optional)##
backend www_backend
    mode http
    balance roundrobin
    timeout connect 5s
    timeout server 30s
    timeout queue 30s
    # add-header takes the header name and its value as two separate arguments
    http-request add-header X-Forwarded-Proto https
    server other_server 111.111.111.111:80 check

backend netdata_backend
    acl devops-auth http_auth_group(basic-auth-list) is-admin
    http-request auth realm netdata_local unless devops-auth

    option forwardfor
    server netdata_local 127.0.0.1:19999

    http-request set-path %[path,regsub(^/netdata/,/)]
    http-request add-header X-Forwarded-Proto https

    http-request set-header Host %[src]
    http-request set-header X-Forwarded-For %[src]
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request set-header Connection "keep-alive"
```
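The authentication and TLS sections above depend on a handful of properties holding at once: the port-80 bind redirects to HTTPS, there is a TLS bind, the userlist carries a hashed rather than plaintext password, the Netdata backend has an `http-request auth` rule, and `ssl-default-bind-options` disables old protocol versions. A Netdata instance is exposed unauthenticated if any one of them is dropped while editing the file. The following linter is an added example, not HAProxy's or Netdata's code: it parses a config into sections and reports which of those properties are missing. The two sample configs are constructed for the example (the hash in `GOOD_CONFIG` is a placeholder, not a real crypt hash), and the "netdata in the backend name" convention is an assumption taken from the page's naming.

```python
"""Lint an HAProxy config for the safeguards this page's full example relies on (added example)."""
import re

SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen|userlist)(?:\s+(\S+))?\s*$")


def parse_haproxy(text: str) -> dict:
    """Split a config into {(kind, name): [directive lines]}; comments and blanks dropped.
    Comment stripping is naive: a '#' inside a quoted value would be cut as well."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1), m.group(2) or "")
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def bind_port(line: str) -> str:
    """Port of a 'bind <addr>:<port> ...' line as a string ('' if absent); ':::80' -> '80'."""
    parts = line.split()
    return parts[1].rsplit(":", 1)[-1] if len(parts) > 1 and ":" in parts[1] else ""


def is_tls_bind(line: str) -> bool:
    return " ssl " in line + " "


def lint(text: str) -> list:
    """Return a list of findings; an empty list means every checked safeguard is present."""
    s, findings = parse_haproxy(text), []
    for (kind, name), lines in s.items():
        if kind != "frontend":
            continue
        binds = [l for l in lines if l.startswith("bind ")]
        plain80 = any(bind_port(b) == "80" and not is_tls_bind(b) for b in binds)
        if plain80 and not any(l.startswith("redirect scheme https") for l in lines):
            findings.append(f"frontend {name}: port 80 served without 'redirect scheme https'")
        if not any(is_tls_bind(b) for b in binds):
            findings.append(f"frontend {name}: no TLS bind (no 'ssl' on any bind line)")
    for (kind, name), lines in s.items():
        if kind != "userlist":
            continue
        for l in lines:
            p = l.split()
            if p[0] != "user" or len(p) < 4:
                continue
            # 'insecure-password' is literal plaintext; 'password' must be a crypt hash ($id$...)
            if p[2] == "insecure-password" or (p[2] == "password" and not p[3].startswith("$")):
                findings.append(f"userlist {name}: plaintext password for user {p[1]}")
    for (kind, name), lines in s.items():
        if kind == "backend" and "netdata" in name:
            if not any(l.startswith("http-request auth") for l in lines):
                findings.append(f"backend {name}: no 'http-request auth' rule, Netdata reachable unauthenticated")
    g = s.get(("global", ""), [])
    if not any(l.startswith("ssl-default-bind-options") and ("no-sslv3" in l or "ssl-min-ver" in l) for l in g):
        findings.append("global: no ssl-default-bind-options line disabling SSLv3 or setting ssl-min-ver")
    return findings


# Constructed sample: the shape of the page's full example, with a placeholder hash.
GOOD_CONFIG = """
global
    ssl-default-bind-options no-sslv3
defaults
    mode http
frontend https_frontend
    bind :::80 v4v6
    redirect scheme https code 301 if !{ ssl_fc }
    bind :::443 v4v6 ssl crt-list /etc/letsencrypt/certslist.txt
    acl is_netdata url_beg /netdata
    use_backend netdata_backend if is_netdata
    default_backend www_backend
userlist basic-auth-list
    group is-admin
    user admin password $5$EXAMPLEHASHPLACEHOLDER groups is-admin
backend www_backend
    server other_server 192.0.2.10:80 check
backend netdata_backend
    acl devops-auth http_auth_group(basic-auth-list) is-admin
    http-request auth realm netdata_local unless devops-auth
    server netdata_local 127.0.0.1:19999
"""

# Constructed sample: the page's plain-HTTP simple example plus a plaintext userlist.
BAD_CONFIG = """
frontend http_frontend
    bind :::80 v4v6
    default_backend netdata_backend
userlist basic-auth-list
    group is-admin
    user admin password passwordhere groups is-admin
backend netdata_backend
    option forwardfor
    server netdata_local 127.0.0.1:19999
"""

if __name__ == "__main__":
    for label, cfg in [("good", GOOD_CONFIG), ("bad", BAD_CONFIG)]:
        print(label, lint(cfg) or "no findings")
```

Run it against `/etc/haproxy/haproxy.cfg` before reloading, alongside HAProxy's own `haproxy -c -f` syntax check; the linter only covers the properties named in its lead-in and does not validate the cipher list or the certificate bundle.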