allinurl / goaccess

GoAccess is a real-time web log analyzer and interactive viewer that runs in a terminal in *nix systems or through your browser.
https://goaccess.io
MIT License

Apache2 Reverse Proxy + GoAccess How To Guide #1789

Open iamdoubz opened 4 years ago

iamdoubz commented 4 years ago

A Meditative Guide

I had quite the journey getting live stats working perfectly and in doing so, learned a lot, but for those who want to plug and play, this will help tremendously.

Requirements

Guide

  1. Create a new A record subdomain, let's say goaccess.domain.name, and point it to your existing server.

  2. This is your Apache2 goaccess.conf file:

    DEFINE serv_name goaccess.domain.name
    DEFINE serv_admn no-reply@domain.name
    DEFINE log_name goaccess
    DEFINE stat_url domain.name
    DEFINE serv_url 127.0.0.1
    DEFINE serv_port 7890
    ServerTokens Prod
    SSLStaplingCache "shmcb:${APACHE_LOG_DIR}/stapling-cache(150000)"
    SSLSessionCache "shmcb:${APACHE_LOG_DIR}/ssl_scache(512000)"
    SSLSessionCacheTimeout 300
    ## If you have Google Pagespeed Mod for apache, disable it, else, comment next line out
    ModPagespeed Off
    <VirtualHost *:80 [::]:80>
        ServerName ${serv_name}
        DocumentRoot /var/www/goaccess/public
        ServerAdmin ${serv_admn}
        RewriteEngine On
        RewriteCond %{SERVER_NAME} =${serv_name}
        RewriteCond %{HTTPS} off
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
        ErrorLog ${APACHE_LOG_DIR}/${log_name}.error.log
        CustomLog ${APACHE_LOG_DIR}/${log_name}.access.log combined
    </VirtualHost>
    <VirtualHost *:443 [::]:443>
        ServerName ${serv_name}
        DocumentRoot /var/www/goaccess/public
        ServerAdmin ${serv_admn}
        ErrorLog ${APACHE_LOG_DIR}/${log_name}.error.log
        CustomLog ${APACHE_LOG_DIR}/${log_name}.access.log combined
        ### Let's Encrypt Section ###
        SSLEngine On
        SSLCertificateFile /etc/letsencrypt/live/domain.name/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/domain.name/privkey.pem
        Options -Includes -ExecCGI
        #Include /etc/letsencrypt/options-ssl-apache.conf
        ## I am excluding the default Let's Encrypt apache security settings and using the following
        #SSLCipherSuite ECDHE+RSA+AES256+GCM+SHA512:DHE+RSA+AES256+GCM+SHA512:ECDHE+RSA+AES256+GCM+SHA384:DHE+RSA+AES256+GCM+SHA384:ECDHE+RSA+AES256+SHA384:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
        SSLHonorCipherOrder Off
        SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
        SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
        ### Deny http1.0 requests ###
        Protocols h2 http/1.1
        ### Harden Security ###
        ## Reverse proxy only: forward proxying stays off so this vhost cannot be used as an open proxy; ProxyPass below does not need it
        ProxyRequests Off
        ProxyPreserveHost On
        ProxyTimeout 600
        ProxyReceiveBufferSize 4096
        SSLProxyEngine On
        RequestHeader set Front-End-Https "On"
        ServerSignature Off
        SSLCompression Off
        SSLUseStapling On
        SSLStaplingResponderTimeout 5
        SSLStaplingReturnResponderErrors Off
        SSLSessionTickets Off
        RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
        Header always set Strict-Transport-Security "max-age=15552000; preload"
        Header always set X-Content-Type-Options nosniff
        Header always set X-Robots-Tag none
        Header always set X-XSS-Protection "1; mode=block"
        Header always set X-Frame-Options "SAMEORIGIN"
        Header always set Referrer-Policy "strict-origin-when-cross-origin"
        #Header always set Content-Security-Policy-Report-Only "default-src 'self' https:; font-src 'self' data: ${stat_url} ${serv_name}; media-src 'self' ${stat_url} ${serv_name}; script-src 'self' 'unsafe-inline' ${stat_url} ${serv_name}; style-src 'self' ${stat_url} ${serv_name}; img-src 'self' data: blob: ${stat_url} ${serv_name}; worker-src *; frame-src https:; connect-src 'self' wss: https: ${stat_url} ${serv_name};"
        ### GoAccess Specific Section ###
        <Location /ws/>
            ProxyPass ws://${serv_url}:${serv_port}/ws/
        </Location>
        <Location /wss/>
            ProxyPass wss://${serv_url}:${serv_port}/wss/
        </Location>
    </VirtualHost>

  3. This is your GoAccess.conf file (located at /usr/local/etc/goaccess/goaccess.conf):

    time-format %T %z
    date-format %d/%b/%y
    log-format COMBINED
    color-scheme 3
    config-dialog false
    hl-header true
    html-prefs {"theme":"bright","perPage":5,"layout":"horizontal","showTables":true,"visitors":{"plot":{"chartType":"bar"}}}
    html-report-title GoAccess Stats
    json-pretty-print true
    no-color false
    no-column-names false
    no-csv-summary false
    no-progress false
    no-tab-scroll false
    with-mouse false
    addr 127.0.0.1
    origin https://goaccess.domain.name
    port 7890
    pid-file /var/run/goaccess.pid
    real-time-html true
    ws-url wss://goaccess.domain.name:443/ws/
    agent-list true
    with-output-resolver true
    http-method yes
    http-protocol yes
    no-query-string false
    no-term-resolver false
    444-as-404 false
    4xx-to-unique-count false
    all-static-files false
    double-decode false
    ignore-crawlers false
    crawlers-only false
    real-os true

  4. If you also want to use openssl explicitly, add these two lines that should be the same as the apache2 ssl cert/key above:

    ssl-cert /etc/letsencrypt/live/domain.name/fullchain.pem
    ssl-key /etc/letsencrypt/live/domain.name/privkey.pem

  5. You will also need to change this line:

    ws-url wss://goaccess.domain.name:443/ws/

to

    ws-url wss://goaccess.domain.name:443/wss/

  6. And like magic, you get a green dot!


Extra

You should probably make its own user instead of what I'm doing which is just running it as root. But, this is my command nonetheless:

goaccess /var/log/apache2/*.access.log -a -o /var/www/goaccess/public/index.html

Not sure if GoAccess is running? Try netstat -peanut | grep goaccess which should then result in:

tcp        0      0 127.0.0.1:7890          0.0.0.0:*               LISTEN      0          14871400   88468/goaccess

Additional

This is hacked together. It can be much better and for production environments, you should keep going and make it perfect (set up systemd [ew] startup stuff, create dedicated user, etc).

HOPE THIS HELPS SOMEBODY.

PS Thanks for a great piece of software.
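A consistency check over the two files in the guide above, as an added example that is not part of the original post or of the GoAccess project: it expands the Apache Define variables, then flags ProxyRequests On, a goaccess addr that is not loopback, and a ws-url whose path or scheme does not match the Location that proxies it. The function names are hypothetical, and the constructed sample config enables ProxyRequests so that the check has something to report.

```python
import re

# Constructed sample inputs, modelled on the two configs in the guide.
APACHE_CONF = """\
Define serv_url 127.0.0.1
Define serv_port 7890
<VirtualHost *:443>
    ProxyRequests On
    <Location /ws/>
        ProxyPass ws://${serv_url}:${serv_port}/ws/
    </Location>
    <Location /wss/>
        ProxyPass wss://${serv_url}:${serv_port}/wss/
    </Location>
</VirtualHost>
"""
GOACCESS_CONF = "addr 127.0.0.1\nport 7890\nws-url wss://goaccess.domain.name:443/ws/\n"

def expand_defines(text):
    """Substitute Apache `Define name value` lines into ${name} references."""
    defs = dict(re.findall(r"(?im)^\s*define\s+(\S+)\s+(\S+)", text))
    return re.sub(r"\$\{(\w+)\}", lambda m: defs.get(m.group(1), m.group(0)), text)

def parse_goaccess(text):
    """goaccess.conf holds one `key value` pair per line; '#' starts a comment."""
    rows = (ln.split(None, 1) for ln in text.splitlines() if not ln.lstrip().startswith("#"))
    return {r[0]: r[1].strip() for r in rows if len(r) == 2}

def audit(apache_text, goaccess_text):
    conf, ga, findings = expand_defines(apache_text), parse_goaccess(goaccess_text), []
    if re.search(r"(?im)^\s*ProxyRequests\s+On\b", conf):
        findings.append("ProxyRequests On: vhost also works as a forward proxy")
    if ga.get("addr") not in ("127.0.0.1", "::1"):
        findings.append("goaccess addr is not loopback: WebSocket port reachable without Apache")
    # Only the <Location> + one-argument ProxyPass form used in the guide is recognised.
    routes = {p: (s, h, n) for p, s, h, n in re.findall(
        r"(?i)<Location\s+(\S+?)>\s*ProxyPass\s+(wss?)://([^:/\s]+):(\d+)", conf)}
    path = re.sub(r"^wss?://[^/]+", "", ga.get("ws-url", ""))
    want = "wss" if "ssl-cert" in ga else "ws"  # goaccess serves TLS only with ssl-cert/ssl-key
    if path not in routes:
        findings.append(f"ws-url path {path!r} has no matching <Location>")
    else:
        scheme, host, port = routes[path]
        if (host, port) != (ga.get("addr"), ga.get("port")):
            findings.append(f"{path} proxies to {host}:{port}, goaccess listens elsewhere")
        if scheme != want:
            findings.append(f"{path} uses {scheme}:// but goaccess expects {want}://")
    return findings
```

Calling `audit()` with the text of the real goaccess.conf files returns an empty list when the two agree and forward proxying is off.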

allinurl commented 4 years ago

This is awesome, thanks for sharing this. I'll keep it open for some time.