Closed pmoinier closed 3 years ago
0bi-w6n-K3nobi
commented
3 years ago Hi @pmoinier
What Server/Service did you using for provide HTTPS?
If you is using NGinX than look at #2093 and see if you understanding something.
In principal, do you need acess GoAccess' WS through you HTTPs Server/Service. I.E. proxing WS across HTTPs Server.
I am available to help you with something else.
allinurl
commented
3 years ago Adding to @0bi-w6n-K3nobi, also please make sure to use --ssl-key=<key> and --ssl-cert=<cert> to view the report over https.
pmoinier
commented
3 years ago Thanks for answering! I guess the good point is that it is feasible, but unfortunately, I can't say that I understand what to do from #2093. My set up is the following: I use Ubuntu and NGinX. I have a load balancer which redirect the requests to 2 webservers. My site is also secured using https. I have domain name which I use to access the website. Now, the IP address is static, as long as it is not renewed, which happened every so often... particularly when my kids unplug the router!!! ;-)
Question 1: where should I have report,html? On the load balancer or on the webversers?
Question 2: I understand that I need to update my NGinX config file (/etc/nginx/sites-enabled/
Thanks for your help!
MaximilianEmel
commented
3 years ago Thanks for answering! I guess the good point is that it is feasible, but unfortunately, I can't say that I understand what to do from #2093. My set up is the following: I use Ubuntu and NGinX. I have a load balancer which redirect the requests to 2 webservers. My site is also secured using https. I have domain name which I use to access the website. Now, the IP address is static, as long as it is not renewed, which happened every so often... particularly when my kids unplug the router!!! ;-)
Question 1: where should I have report,html? On the load balancer or on the webversers? Question 2: I understand that I need to update my NGinX config file (/etc/nginx/sites-enabled/), but I do not understand what to add to it. Question 3: @allinurl says to use --ssl-key= and --ssl-cert=. Ok, but where do I find and ? Question 4: can you please tell me what parameters to use behind goaccess? goaccess /var/log/nginx/access.log -o /var/www/html/report.html --log-format=COMBINED --real-time-html (what else?)
Thanks for your help!
The first step would be to specify to the generated html where the websocket will truly be served:
$ goaccess (OTHER OPTIONS) --ws-url="wss://HOSTNAME:443/ws"
This url can of course be different, just make sure it is congruent between nginx and goaccess. (although keeping within the same domain as the html is probably better, and using a different one might cause CORS issues)
Next we need to actually add the proxy to your existing server{} entry in nginx:
(nginx.conf)
server {
(OTHER STUFF)
location /ws {
#proxy to localhost's port 7890, where goaccess is serving ws
proxy_pass http://127.0.0.1:7890;
#general proxy options (probably not all needed)
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
#enable ws upgrade
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
}(make sure goaccess' ws is at the port used)
Lastly, make sure to block the port (7890 in this case) on your firewall, or all this security will be for nothing.
Alternately, you can tell goaccess to only bind to localhost by appending the following command line option: --addr=127.0.0.1.
I also recommend at a minimum using 'basic authentication' for a page like this, if you're not already.
MaximilianEmel
commented
3 years ago Adding to @0bi-w6n-K3nobi, also please make sure to use
--ssl-key=<key>and--ssl-cert=<cert>to view the report over https.
If using a (nginx) proxy, this is unneeded and could cause issues.
0bi-w6n-K3nobi
commented
3 years ago Hi @pmoinier.
@NaxNir is right about setup under NGinX. That is more/less what I describe in issue #2093.
About yours question:
1) Whatever. If you put report.html in webserver than you will need proxing to NGinX.
If put into NGinX just need build rule [location statement] for access it.
I prefer the second one because HTTPS certificate is built-in there. [See detail below]
2) Read more careful at issue #2093, at tail, and then you will know where put setup conf.
3) For acessing report.html under HTTPS did you need too access WebSocket [WS] under SSL -- i.e. WSS.
And so you will need SSL key and certificate.
Proxing accross NGinX or WebServer [with HTTPS] did you no need worry about it.
Otherwise you will need use same of you site, probably same that use into NGinX site setup.
4) More/less at @NaxNir said... and did you need add --addr option.
If you will run GoAcess in same server of NGinX, than use --addr 127.0.0.1 and NaxNir's CONF is OK.
Otherwise NGinX's CONF should need change for correct address. i.e. proxy_pass http://GOACESS-IP-HERE/ws.
Remember at last of blocking port 7890 [at Firewall] for all and liberate only for NGinX's IP for security reasons.
Note: At issue #2093 I did use /wss/ and so must be location /wss/ at CONF.
If you use goaccess (OTHER OPTIONS) --ws-url="wss://HOSTNAME:443/some-thing/" use location/some-thing/.
Otherwise ../outher-thing" than use location/outher-thing. Pay attention at slash ending.
Now, I have 1 question for you:
1) How will you process LOG of the 2 WebServers simultaneously?
Otherwise... Did you will need running 2 instances of GoAccess one each WebServer and will need monitor 2 instances of report.html.
I hope it has helped so until here.
allinurl
commented
3 years ago Closing this. Feel free to reopen it if needed.
I am trying to insert the content of report.html within my website which is secured and uses https, but to render the content of report.html, I must connect to the insecure webSocket endpoint and as a consequence, the request is blocked.
The message says: this endpoint must be available over WSS
Can anyone tell me what to do or is there a solution to this problem?
Regards,