Apache2 headers module blocks Monit GUI.

Discussion in 'Installation/Configuration' started by concept21, Aug 3, 2021.

Tags:
  1. concept21

    concept21 Active Member HowtoForge Supporter

    Hello,
    I find that when I enable Apache2 headers module, Monit GUI inside ISPConfig v3 is blocked.

    Apache2 module headers is required to provide web site cache control. Now, my question is:
    How do I configure module headers to avoid blocking Monit GUI?

    My system is: Ubuntu 20.04.2, ISPConfig v3.2.5. :rolleyes:
     
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    I believe headers is required for ispconfig itself, it should always be on.

    There have been a handful of posts on access to monit in the last year or so which you can search up; I don't remember the specifics, and haven't tried to set it up in a few years personally.
     
    concept21 likes this.
  3. concept21

    concept21 Active Member HowtoForge Supporter


    Okay, Let me search.
     
  4. concept21

    concept21 Active Member HowtoForge Supporter

    I see.
    It is still a security measure of modern browsers to block in-frame credential submission.

    Perhaps, it is a security feature rather than an issue. :oops:
     
  5. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    It seems there may have been a pretty simple configuration to address that. I had a more complex way using a reverse proxy that worked and addressed the security issues, but was probably too complicated for most folks to bother with (and in the end, I never use the monit ui anyways...).
     
  6. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    This I have discussed before and the solution is to set your ip in monitrc where 0.0.0.0 is for all to access. I already give few samples on this in my previous posts. I will provide them later if you cannot find them.
     
  7. concept21

    concept21 Active Member HowtoForge Supporter

    I did it but it does not work in my system. :oops:
     
  8. concept21

    concept21 Active Member HowtoForge Supporter

    Your method is so complicated that I will probably corrupt my system. :D
    The simplest method is to give up in-frame GUI and use full page auth method.
     
  9. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Can you share what you did actually? What I use is below:

     
    Last edited: Aug 4, 2021
  10. concept21

    concept21 Active Member HowtoForge Supporter

    Yes, mine is the same as yours.

    No matter what I did, once I disable apache2 headers module, in-frame Monit GUI will appears! The focus is headers module. :cool:
     
  11. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Noted. I did nothing to ispconfig.vhost though but mine is running nginx instead of apache2 so I don't have that apache2 header module.
     
  12. concept21

    concept21 Active Member HowtoForge Supporter

    Hey Guys!
    A very simple method suddenly comes up to my mind!
    If we load apache2 headers module globally in apache2 main conf, how do we unload it precisely in https:// ispconfigserver.example.com:8080/ ?

    I know there is a standard method to do this but how?!? :D
     
  13. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    You don't want to eliminate the headers module, or you loose very common, and often required, functionality. You also reduce your security. With the behavior you describe, it's likely one of the security headers which causes the issue with monit, it would be better to just change the offending header so that monit functions. That is the simple solution I mentioned above, though I don't recall which header it was, I'd guess either X-Frame-Options or Content-Security-Policy (adjusting frame-src). You could try removing both those headers, see if monit works, and if so, add back one at a time to see which ones you need to work with. (I think there was a post in the forum here describing it .. in fact, after a quick search, it turns out to be in the same thread where I posted my overly complex setup.)
     
    till likes this.
  14. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    You don't want to eliminate the headers module, or you loose very common, and often required, functionality. You also reduce your security. With the behavior you describe, it's likely one of the security headers which causes the issue with monit, it would be better to just change the offending header so that monit functions. That is the simple solution I mentioned above, though I don't recall which header it was, I'd guess either X-Frame-Options or Content-Security-Policy (adjusting frame-src). You could try removing both those headers, see if monit works, and if so, add back one at a time to see which ones you need to work with. (I think there was a post in the forum here describing it .. in fact, after a quick search, it turns out to be in the same thread where I posted my overly complex setup.)
     
  15. concept21

    concept21 Active Member HowtoForge Supporter

    Yes,
    That guy's method is final and simplest. I have improved it as:
    Edit file /etc/apache2/sites-available/ispconfig.vhost so that
    Cheers! ISPConfig Team please append this to your next patch!

    This method loads Monit GUI very fast! :D
     
    Jesse Norell likes this.
  16. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Want to log an issue before it's forgotten? :)

    To clarify, example.com is the domain you are running monit on? I wonder if the port can be specified, and likewise maybe should test using an ip address, but that seems like a good change to include.
     
  17. concept21

    concept21 Active Member HowtoForge Supporter

    To clarify, example.com is the top level domain of ISPConfig server installed on ispconfig.example.com.

    Using example.com seems more logical because an IP address is shared by many sites with their own domain names.

    My proposed codes confine itself to ispconfig.example.com

    Also /etc/apache2/sites-available/ispconfig.vhost is default to port 8080. There is no need to specify one more time. :D
     
  18. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    I meant to clarify what example.com and the port/ip use in the csp header @Taleman posted.
     

Share This Page