search

opserver / Opserver

Stack Exchange's Monitoring System
https://opserver.github.io/Opserver/
MIT License
4.51k stars 828 forks source link

How to enable HAProxy admin access for Opserver so we can use the options such as DRAIN, MAINT ? #318

Open yashvit opened 6 years ago

yashvit commented 6 years ago

Opserver is really the awesome-est monitoring tool I have come across! Been using it to monitor our SQL, Elasticsearch & now HAProxy.

Not able to figure out how to configure Opserver "adminUser" for HAProxy. Would be great to be able to manage frontend and backends.

NickCraver commented 6 years ago

To enable this, you'll need to configure an admin username and password in HAProxy, and then set "adminUser" and "adminPassword" on your config. Any user in the admin group for either HAProxy or globally will then see actions enabled :)

hamedmaleki1366 commented 5 years ago

hi all, i have a user for stats and is working on OPServer for fetching Logs .

but how can i define an adminuser for using in OPServer ?

this is my Config file where i should create adminuser and how can i do it ?

`

---------------------------------------------------------------------

- Global settings

---------------------------------------------------------------------

global log 127.0.0.1 local2 info

chroot      /var/opt/rh/rh-haproxy18/lib/haproxy
pidfile     /var/run/rh-haproxy18-haproxy.pid
maxconn     4000
user        haproxy
group       haproxy
daemon  
# turn on stats unix socket
stats socket /var/opt/rh/rh-haproxy18/lib/haproxy/stats

# utilize system-wide crypto-policies
ssl-default-bind-ciphers PROFILE=SYSTEM
ssl-default-server-ciphers PROFILE=SYSTEM

---------------------------------------------------------------------

- common defaults that all the 'listen' and 'backend' sections will

- use if not designated in their block

---------------------------------------------------------------------

userlist admins group admin users admin user admin insecure-password admin defaults mode http log global option httplog

option dontlognull

option http-server-close
option forwardfor       except 127.0.0.0/8
option                  redispatch    
retries                 3
timeout http-request    10s
timeout queue           1m
timeout connect         10s
timeout client          1m
timeout server          1m
timeout http-keep-alive 10s
timeout check           10s
maxconn                 3000

---------------------------------------------------------------------

- main frontend which proxys to the backends

---------------------------------------------------------------------

frontend main bind *:7081 stats enable

stats auth statuser:statpassword

stats hide-version

stats show-node

stats refresh 60s

stats uri /haproxy?stats      
default_backend             app

---------------------------------------------------------------------

- static backend for serving up images, stylesheets and such

---------------------------------------------------------------------

backend static balance roundrobin server static 127.0.0.1:4331 check

---------------------------------------------------------------------

- round robin balancing between the various backends

---------------------------------------------------------------------

backend app balance roundrobin server app1 95.80.184.86:80 check server app2 95.80.184.92:80 check

`

thank you.

itssimple commented 4 years ago

This is how my backend (with modifications) looks for the stats, with working admin-tools to DRAIN, MAINT and READY backends and servers.

backend app
    ... snip snip ...

    acl AUTH    http_auth(stats_user)
    acl AUTH_ADMIN      http_auth_group(stats_user) admin

    ... snip snip ...

    stats       enable
    stats       hide-version
    stats       refresh 30s
    stats       show-node
    stats       uri     /haproxy?stats
    stats       admin   if AUTH_ADMIN
    stats       http-request    auth unless AUTH

    ... snip snip ...

.. and then the userlist, in my config, this is at the very top of the file.

userlist        stats_user
    group       admin   users   admin
    user        admin   password       <some long password hash>

So, for your config to work, you need the stats admin, preferably with an ACL like I have above. And you can have multiple users in a userlist, so if you want, you can also have one with view access (normal), and then an admin account for access to the admin methods.