Run Nagios XI on non-standard ports

Is your Nagios renewal coming up or do you need Nagios support? Let us quote and we will guarantee to beat your normal price.

One of the more common tasks performed by System Monitoring/OSS administrators is to configure the OSS to run on non-standard ports. Usually there is a security requirement or a need to run on different ports to allow Port Address Translation (PAT).

Out of the box (OOTB) Nagios XI runs on standard HTTP port 80 and if HTTPS is then configured it will also use port 443.

For the purposes of this blog, the example Nagios XI system has been configured to use HTTPS port 443 and any HTTP requests are redirected to port 443 but will be reconfigured to use port 6080 and 10443 to allow external access via PAT.

This blog will split the configuration into two parts the first part will configure the alternative HTTP port and the second part will configure the HTTPS port. In reality they could both be configured the same time but for clarity they are configured seperately in this blog.

Backup the Configuration Files

First of all back up the configuration files, a mundane but important task as even the most weathered veteran can encounter a bit of finger trouble.

The following files should be backed up:

  • /etc/httpd/conf/httpd.conf
  • /usr/local/nagiosxi/html/config.inc.php

Configure alternative HTTP port

Edit “/etc/httpd/conf/httpd.conf” and set Listen from 80 to 6080.

#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 6080

#

In “/usr/local/nagiosxi/html/config.inc.php” set $cfg[‘port_number’] = false; to $cfg[‘port_number’] = 6080;

// Allow for different http port for subsystem calls
$cfg['port_number'] = 6080;

 

Remember to open firewall ports on the server to allow port 6080 to be accessed. To allow connections to 6080 use the following command:

firewall-cmd –zone=public –add-port=6080/tcp
firewall-cmd –zone=public –add-port=6080/tcp –permanent

Restart Apache with the following command on (RHEL 7):

service httpd restart

Verify that the httpd (Apache process) is listening in port 6080:

netstat -nap | grep 6080
tcp6       0      0 :::6080                 :::*                    LISTEN      17630/httpd

The NagiosXI browser should now be acessible via:

http://yournagiosserver:6080/nagiosxi

On entering 6080 my browser is redirected to:

https://yournagiosserver/nagiosxi

The redirect rule is configured in /etc/httpd/conf/httpd.conf.

Configure alternative HTTPS port

With NagiosXI now running on HTTP port 6080 and redirecting successfully to HTTPS (port 443), now is the time to alter the HTTPS port.

First of all backup the following files:

  • /etc/httpd/conf.d/ssl.conf
  • /usr/local/nagiosxi/html/config.inc.php
  • /etc/httpd/conf/httpd.conf

Edit “/etc/httpd/conf.d/ssl.conf”  and set the “Listen 443 https” to “Listen 10443 https”.

#
# When we also provide SSL we have to listen to the
# the HTTPS port in addition.
#
Listen 10443 https

In “/usr/local/nagiosxi/html/config.inc.php” set $cfg[‘port_number’] = false; to $cfg[‘port_number’] = 10443;

// Allow for different http port for subsystem calls
$cfg['port_number'] = 10443;

Edit “/etc/httpd/conf/httpd.conf” and set the rewrite rule to use port 10443.

RewriteEngine On RewriteCond %{HTTPS} off

RewriteRule (.*) https://yournagiosserver:10443%{REQUEST_URI}

Remember to open firewall ports on the server to allow port 10443 to be accessed. To allow connections to 10443 use the following command:

firewall-cmd –zone=public –add-port=10443/tcp
firewall-cmd –zone=public –add-port=10443/tcp –permanent

Restart Apache with the following command on (RHEL 7):

service httpd restart

Verify that the httpd (Apache process) is listening in port 10443:

netstat -nap | grep 10443
tcp6       0      0 :::10443                :::*                    LISTEN      10827/httpd

The NagiosXI browser should now be acessible via:

http://yournagiosserver:6080/nagiosxi

On entering 6080 my browser is redirected to:

https://yournagiosserver:10443/nagiosxi

Conclusion

This ends what is a brief but hopefully useful blog which provides a working method to configure a NagiosXI server to use alternative ports. If you have any questions about this blog or anything else NagiosXI related please send me an email at: neil.richards@orb-data.com

Visits: 1383