Netdata via apache's mod_proxy
Below you can find instructions for configuring an apache server to:
- Proxy a single Netdata via an HTTP and HTTPS virtual host.
- Dynamically proxy any number of Netdata servers.
- Add user authentication.
- Adjust Netdata settings to get optimal results.

Requirements
Make sure your apache has mod_proxy and mod_proxy_http installed and enabled.
On Debian/Ubuntu systems, install apache, which already includes the two modules, using:
Enable them:
Also, enable the rewrite module:

Netdata on an existing virtual host
On any existing and already working apache virtual host, you can redirect requests for URL /netdata/ to one or more Netdata servers.

proxy one Netdata, running on the same server apache runs
Add the following on top of any existing virtual host. It will allow you to access Netdata as http://virtual.host/netdata/.

proxy multiple Netdata running on multiple servers
Add the following on top of any existing virtual host. It will allow you to access multiple Netdata as http://virtual.host/netdata/HOSTNAME/, where HOSTNAME is the hostname of any other Netdata server you have (to access the localhost Netdata, use http://virtual.host/netdata/localhost/).
IMPORTANT
The above config allows your apache users to connect to port 19999 on any server on your network.
If you want to control the servers your users can connect to, replace the ProxyPassMatch line with the following. This allows only server1, server2, server3 and server4.
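The restriction described above, as an added example that is not part of the original page: the open pattern is shown commented out beside an allow-list version. The regular expressions, timeout values and the trailing-slash redirect are assumptions; server1 to server4 are the page's placeholder names.

```apache
<IfModule mod_proxy.c>
    # Act as a reverse proxy only, never as a forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On

    # Open form (left commented out): the first capture group is taken from
    # the URL and used as the backend host, so any hostname or IP literal a
    # client types is contacted on port 19999.
    # ProxyPassMatch "^/netdata/([A-Za-z0-9\._-]+)/(.*)" "http://$1:19999/$2" connectiontimeout=5 timeout=30 keepalive=on

    # Allow-list form: only the four named backends match. Any other
    # /netdata/HOSTNAME/ path is not proxied at all.
    ProxyPassMatch "^/netdata/(server1|server2|server3|server4)/(.*)" "http://$1:19999/$2" connectiontimeout=5 timeout=30 keepalive=on
</IfModule>

# Add the missing trailing slash, using the same allow-list so the redirect
# never confirms or rewrites a host name that is not permitted.
RewriteEngine On
RewriteRule "^/netdata/(server1|server2|server3|server4)$" "/netdata/$1/" [L,R=301]
```

Keep the two alternations identical when adding or removing a backend, and list the names exactly as apache resolves them.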

Netdata on a dedicated virtual host
You can proxy Netdata through apache, using a dedicated apache virtual host.
Create a new apache site:
with this content:
Enable the VirtualHost:

Netdata proxy in Plesk
This assumes the main goal is to make Netdata available over HTTPS.
- Make a subdomain for Netdata on which you enable and force HTTPS - You can use a free Let's Encrypt certificate
- Go to "Apache & nginx Settings", and in the following section, add:
- Optional: If your server is remote, just replace "localhost" with your actual hostname or IP; it just works.
Repeat the operation for as many servers as you need.

Enable Basic Auth
If you wish to add authentication (user/password) to access your Netdata, do the following:
Install the package apache2-utils. On Debian/Ubuntu run sudo apt-get install apache2-utils.
Then, generate a password for user netdata, using htpasswd -c /etc/apache2/.htpasswd netdata
Apache 2.2 Example:
Modify the virtual host with these:
Specify Location / if Netdata is running on a dedicated virtual host.
Apache 2.4 (dedicated virtual host) Example:
Note: Changes are applied by reloading or restarting Apache.
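An added example (not from the original page) of the Apache 2.4 dedicated-virtual-host case described above: Basic auth on Location / in front of a proxied local Netdata, served over HTTPS because Basic auth sends the password with every request. The ServerName, the certificate paths and the AuthName text are placeholders, and the proxy target assumes Netdata listening on localhost port 19999.

```apache
<VirtualHost *:443>
    # Placeholder host name for the dedicated Netdata virtual host.
    ServerName netdata.example.com

    # Placeholder certificate paths; requires mod_ssl.
    SSLEngine On
    SSLCertificateFile    /path/to/fullchain.pem
    SSLCertificateKeyFile /path/to/privkey.pem

    ProxyRequests Off
    ProxyPreserveHost On

    # Every URL on this virtual host belongs to Netdata, so protect "/".
    # On a shared virtual host, use <Location /netdata/> instead.
    <Location />
        AuthType Basic
        AuthName "Netdata"
        # File created with: htpasswd -c /etc/apache2/.htpasswd netdata
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
    </Location>

    # Authentication above is checked before the request is handed to the proxy.
    ProxyPass        "/" "http://localhost:19999/" connectiontimeout=5 timeout=30 keepalive=on
    ProxyPassReverse "/" "http://localhost:19999/"
</VirtualHost>
```

The password file should be readable by the apache user only, and Netdata itself should not be reachable directly on port 19999, otherwise the login can be bypassed.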

Configuration of Content Security Policy
If you want to enable CSP within your Apache, you should consider some special requirements of the headers. Modify your configuration like this:
Note: Changes are applied by reloading or restarting Apache.

Using Netdata with Apache's mod_evasive module
The mod_evasive Apache module helps system administrators protect their web server from brute force and distributed denial of service (DDoS) attacks.
Because Netdata sends a request to the web server for every chart update, it's normal to create 20-30 requests per second, per client. If you're using mod_evasive on your Apache web server, this volume of requests will trigger the module's protection, and your dashboard will become unresponsive. You may even begin to see 403 errors.
To mitigate this issue, you will need to change the value of the DOSPageCount option in your mod_evasive.conf file, which can typically be found at /etc/httpd/conf.d/mod_evasive.conf or /etc/apache2/mods-enabled/evasive.conf.
The DOSPageCount option sets the limit of the number of requests from a single IP address for the same page per page interval, which is usually 1 second. The default value is 2 requests per second. Clearly, Netdata's typical usage will exceed that threshold, and mod_evasive will add your IP address to a blocklist.
Our users have found success by setting DOSPageCount to 30. Try this, and raise the value if you continue to see 403 errors while accessing the dashboard.
Restart Apache with sudo systemctl restart apache2, or the appropriate method to restart services on your system, to reload its configuration with your new values.

Virtual host
To adjust the DOSPageCount for a specific virtual host, open your virtual host config, which can be found at /etc/httpd/conf/sites-available/my-domain.conf or /etc/apache2/sites-available/my-domain.conf and add the following:
See issues #2011 and #7658 for more information.

Netdata configuration
You might edit /etc/netdata/netdata.conf to optimize your setup a bit. To apply these changes you need to restart Netdata.

Response compression
If you plan to use Netdata exclusively via apache, you can gain some performance by preventing double compression of its output (Netdata compresses its response, apache re-compresses it) by editing /etc/netdata/netdata.conf and setting:
Once you disable compression at Netdata (and restart it), please verify you receive compressed responses from apache (it is important to receive compressed responses - the charts will be more snappy).

Limit direct access to Netdata
You would also need to instruct Netdata to listen only on localhost, 127.0.0.1 or ::1.
or
or
You can also use a unix domain socket. This will also provide a faster route between apache and Netdata:
Apache 2.4.24+ cannot read from /tmp, so create your socket in /var/run/netdata
Note: Netdata v1.8+ supports unix domain sockets
At the apache side, prepend the 2nd argument to ProxyPass with unix:/tmp/netdata.sock|, like this:
If your apache server is not on localhost, you can set:
Note: Netdata v1.9+ supports allow connections from
allow connections from accepts Netdata simple patterns to match against the connection IP address.

prevent the double access.log
apache logs accesses and Netdata logs them too. You can prevent Netdata from generating its access log, by setting this in /etc/netdata/netdata.conf:

Troubleshooting mod_proxy
Make sure the requests reach Netdata, by examining /var/log/netdata/access.log.
- if the requests do not reach Netdata, your apache does not forward them.
- if the requests reach Netdata but the URLs are wrong, you have not re-written them properly.