Hi,
I have followed the instructions here https://github.com/sensu/web and have the web UI running on port 80. In version 5 I had the certs defined in backend.yml and was able to access the UI with https on port 3000. Is there additional arguments that can be supplied to version 6 command line "NODE_ENV=production PORT=80 API_URL=https://xvm-7-022.newsbank.com:8080 yarn node scripts serve " to reach the goal of https?
Also, I don’t see a dashboard?
Thanks,
Patricia
It doesn’t look like they currently have https as a possibility. Take a look at the file scripts/serve.js, it is using the http module.
I googled “node.js https” and found they have a https module that can be used instead, and was able to modify the serve.js. I’m new to js apps though, so I can’t say if that was the best way to solve the problem, but it worked.
https://nodejs.org/api/https.html#https_https_createserver_options_requestlistener
Also in regards to the “dashboard”, maybe this post will answer your question:
https://discourse.sensu.io/t/sensu-go-oss-dashboard/1847/7
Just to say, I personally wouldn’t run the application directly on port 80 or 443 for anything other than to test it out, and absolutely not on the Internet. Instead, I’d put an nginx server “in front” of it and proxy requests to it. That rather simplifies the problem in so much as you can put your TLS certificate into Nginx and side-step any issues or the need to change anything in node.js.
For those of us running this on an Internet-connected server, using Nginx also means you can use something like fail2ban to keep the bots off your server. It makes things like LetsEncrypt easier too, if you’re using one of their certificates.
Yeah good point. I ended up using apache proxy and also https in node.js. CentOS doesn’t allow non-root processes to open 443 anyways (by default).
To easily secure the web UI you can put a proxy in front of it, such as Nginx, and terminate SSL on that.
One thing to note is that if your backend API is SSL’d, I couldn’t get it to work without disabling SSL certificate verification by modifying serve.js like so:
--- serve.js.orig 2020-09-10 17:28:51.141567866 -0400
+++ serve.js 2020-09-11 14:38:13.571734407 -0400
@@ -23,6 +23,7 @@
app.use(
proxy(proxyPaths, {
target: apiUrl,
+ secure: false,
logLevel: process.env.NODE_ENV === "development" ? "silent" : "info",
}),
);
There is a possibility to keep your backend configured with SSL.
I edited scripts/server.js file.
Add following line at vars section.
var fs = require('fs');
And if you have your own CA(or any other CA may be required), add also this line into app.use:
ca: fs.readFileSync('/etc/ca-certificates/my-CA.cacert.pem')
Even system register our CA, the Web UI will not.
This solution is combination of what I read at stackoweflow.
Also one little note.
We also put nginx in front of Web UI. However direct links to entities not work on nginx 1.16.1 version!
Link for your desired entity will fail to forward to Web UI.
https://sensu-web-ui:3000/n/default/entities/my-entity
However link with slash at the end will be successful!
https://sensu-web-ui:3000/n/default/entities/my-entity/
nginx version 1.16.1 that contains this bug is currently available in epel repo for RHEL 7.
We did make it work with rewrite module. Add it into location section.
rewrite /entities/(.*)$ /$1/ break;
Now it works as expected.
I am convinced it is a bug, because on my local machine with new nginx 1.18.0-2, the mentioned bug did not occur.
We also tried apache httpd-2.4.6-93 version(again RHEL 7 available version), but it was not successful. So we switched to nginx.