Set up Icinga Web 2 to Apache SSL
Overview
I just set up a new Icinga 2 monitoring environment using zones and all the goodies, and while it may be a trivial thing to set it up with Apache and mod_ssl, it always takes the same overhead effort to browse through. So better to write it down as a shortcut for myself and you.
This short guide shows how to make Icinga Web 2 work with Apache using SSL encryption and how to redirect users from HTTP to HTTPS. I am using CentOS 7, but this should carry straight over to Red Hat 7 and, with a little effort, to other distros too.
Install mod_ssl and disable packaged configuration
Install mod_ssl and openssl.
yum install mod_ssl openssl
Remove ssl.conf, as we will set everything up in the icingaweb conf file. Better to keep custom stuff in one place.
rm /etc/httpd/conf.d/ssl.conf
Set up certificates
Place the certificates in their respective locations under /etc/pki.
Create icingaweb2-ssl.conf
Listen 443 https

SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

<VirtualHost *:80>
    ServerName icinga.mydomain.com
    Redirect permanent / https://icinga.mydomain.com/
</VirtualHost>

<VirtualHost _default_:443>
    ServerName icinga.mydomain.com
    DocumentRoot "/var/www/html"
    Alias /icingaweb2 "/usr/share/icingaweb2/public"

    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn

    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
    SSLCertificateFile /etc/pki/tls/certs/yourcert.crt
    SSLCertificateKeyFile /etc/pki/tls/private/yourkey.key
    SSLCACertificateFile /etc/pki/tls/certs/yourca.crt

    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-5]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    CustomLog logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    <IfVersion < 2.4>
        # Forward PHP requests to FPM
        SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
        <LocationMatch "^/icingaweb2/(.*\.php)$">
            ProxyPassMatch "fcgi://127.0.0.1:9000/usr/share/icingaweb2/public/$1"
        </LocationMatch>
    </IfVersion>

    <Directory "/usr/share/icingaweb2/public">
        Options SymLinksIfOwnerMatch
        AllowOverride None
        DirectoryIndex index.php

        <IfModule mod_authz_core.c>
            # Apache 2.4
            <RequireAll>
                Require all granted
            </RequireAll>
        </IfModule>
        <IfModule !mod_authz_core.c>
            # Apache 2.2
            Order allow,deny
            Allow from all
        </IfModule>

        SetEnv ICINGAWEB_CONFIGDIR "/etc/icingaweb2"
        EnableSendfile Off

        <IfModule mod_rewrite.c>
            RewriteEngine on
            RewriteBase /icingaweb2/
            RewriteCond %{REQUEST_FILENAME} -s [OR]
            RewriteCond %{REQUEST_FILENAME} -l [OR]
            RewriteCond %{REQUEST_FILENAME} -d
            RewriteRule ^.*$ - [NC,L]
            RewriteRule ^.*$ index.php [NC,L]
        </IfModule>
        <IfModule !mod_rewrite.c>
            DirectoryIndex error_norewrite.html
            ErrorDocument 404 /icingaweb2/error_norewrite.html
        </IfModule>

        <IfVersion >= 2.4>
            # Forward PHP requests to FPM
            SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
            <FilesMatch "\.php$">
                SetHandler "proxy:fcgi://127.0.0.1:9000"
                ErrorDocument 503 /icingaweb2/error_unavailable.html
            </FilesMatch>
        </IfVersion>
    </Directory>
</VirtualHost>
Check and test
Check the config, restart Apache and test with your browser at https://icinga.yourdomain.com/icingaweb2
apachectl configtest
apachectl restart
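A static check to run on the conf file alongside apachectl configtest, as an added example that is not part of the original post: it reports whether SSLProtocol still leaves TLSv1 or TLSv1.1 enabled, whether SSLCipherSuite explicitly names a weak cipher such as 3DES, and whether the port-80 virtual host redirects to https://. The function names directive and audit_tls_conf and the weak-cipher list are assumptions made for this example; ciphers pulled in indirectly through an alias such as HIGH are not detected.

```sh
#!/bin/sh
# Added example (not from the original post): static check of an Apache TLS vhost file.

# Print the last value given for a directive (a repeat overrides the earlier one).
directive() {
    awk -v d="$1" 'tolower($1) == tolower(d) { $1 = ""; v = $0 } END { print v }' "$2"
}

# Print one finding per line; return 1 if anything was found, else 0.
audit_tls_conf() {
    conf=$1; found=0; tls10=0; tls11=0
    # "all" enables every protocol the build supports, so TLSv1 and TLSv1.1
    # stay on unless a later token subtracts them.
    for tok in $(directive SSLProtocol "$conf" | tr 'A-Z' 'a-z'); do
        case $tok in
            all|+all)         tls10=1; tls11=1 ;;
            -all)             tls10=0; tls11=0 ;;
            tlsv1|+tlsv1)     tls10=1 ;;
            -tlsv1)           tls10=0 ;;
            tlsv1.1|+tlsv1.1) tls11=1 ;;
            -tlsv1.1)         tls11=0 ;;
        esac
    done
    if [ "$tls10" -eq 1 ] || [ "$tls11" -eq 1 ]; then
        echo "SSLProtocol leaves TLSv1 and/or TLSv1.1 enabled"; found=1
    fi
    # Cipher tokens prefixed with ! or - are exclusions; a bare name is offered.
    weak=$(directive SSLCipherSuite "$conf" | tr ': ' '\n\n' |
           grep -iE '^(3DES|DES|RC4|MD5|EXPORT|LOW|aNULL|eNULL|NULL)$' | tr '\n' ' ')
    if [ -n "$weak" ]; then
        echo "SSLCipherSuite names weak ciphers: $weak"; found=1
    fi
    # The plain-HTTP vhost should redirect to https://.
    if ! awk 'tolower($1) == "<virtualhost" { in80 = ($2 ~ /:80>$/) }
              tolower($1) == "</virtualhost>" { in80 = 0 }
              in80 && tolower($1) == "redirect" && $NF ~ /^https:\/\// { ok = 1 }
              END { exit !ok }' "$conf"; then
        echo "no port-80 VirtualHost redirecting to https://"; found=1
    fi
    return "$found"
}

# Constructed sample: the relevant lines of the config above.
sample=$(mktemp)
printf '%s\n' '<VirtualHost *:80>' 'Redirect permanent / https://icinga.mydomain.com/' \
    '</VirtualHost>' '<VirtualHost _default_:443>' 'SSLProtocol all -SSLv2 -SSLv3' \
    'SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA' '</VirtualHost>' > "$sample"
audit_tls_conf "$sample" || true
rm -f "$sample"
```

Run against the config above, it prints two findings; appending -TLSv1 -TLSv1.1 to SSLProtocol and changing 3DES to !3DES in SSLCipherSuite clears both.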
Comments
All comments and corrections are welcome.