URI port number not maintained for internal API calls


Post by eloyd »

If we use port forwarding to send external traffic through our NAT to our internal Nagios Log Server, we end up with a problem. Here's how:

Outside aims at http://external.dns.name:1234/nagioslogserver.
NAT firewall forwards 1234 to internal.network.address port 80.
NLS interface comes up, you can log in, and all looks good.
But it fails when trying to bring up a dashboard with the following, after a ~30 second timeout:

Code:

Error Could not contact Elasticsearch at http://external.dns.name/nagioslogserver/index.php/api/backend. Please ensure that Elasticsearch is reachable from your system.

Note that the original port used to connect from the outside is dropped. This tells me that the full URI is not being maintained to access internal API calls. Bad programmer!! :-)

Is it possible to get the original port maintained so that port forwarding through firewalls works? Or tell me where we're going wrong if I'm just being stupid?
Eric Loyd • http://everwatch.global • 844.240.EVER • @EricLoyd
I'm a Nagios Fanatic! • Join our public Nagios Discord Server!

Post by rkennedy »

From the NLS machine, what is the output of nslookup external.dns.name? Also, can you post your /etc/hosts file for us to look at?
Former Nagios Employee

Post by eloyd »

/etc/hosts:

Code:

127.0.0.1               localhost.localdomain localhost
::1             localhost6.localdomain6 localhost6

10.2.1.11       nagiosfusion.localdomain
10.2.1.12       nagiosxi.localdomain
10.2.1.13       nagiosls.localdomain
10.2.1.14       nagiosna.localdomain
10.2.1.15       nagiosim.localdomain
10.2.1.16       nagiosreactor.localdomain
10.2.1.17       worker1.localdomain

And yes, the name resolves:

Code:

# host external.dns.name
external.dns.name has address AA.BB.CC.DD

Obviously, I'm obfuscating things here. :-)

Post by rkennedy »

Because NLS is going to replicate the header address it finds and use that entry for calls, it needs to be able to resolve external.dns.name to 127.0.0.1.

Try modifying /etc/hosts and adding the entry -

Code:

127.0.0.1               localhost.localdomain localhost external.dns.name

It should work after doing so.

Post by eloyd »

I don't consider that to be a viable solution. external.dns.name needs to resolve to the proper, external address for other purposes. It seems that a better solution would be for NLS to know the URI that was used to access it, and maintain protocol, server, and port information for internal requests to the API. An even better solution, since you're telling me that it just talks to 127.0.0.1 anyway, would be for NLS to use localhost internally and not use any part of the original URI for API requests.
jomann
Development Lead

Post by jomann »

Hey Eric,

There should be an es_server value in this file: /var/www/html/nagioslogserver/application/config/elasticsearch.php
That is what the api/backend uses to access Elasticsearch. Has that file been changed? Is it set to http://127.0.0.1:9200 ? That should be the default.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.

Post by eloyd »

Nope:

Code:

$config['es_server'] = 'http://127.0.0.1:9200';
$config['index'] = 'nagioslogserver';

I think things are getting confused because we're accessing it through port forwarding through the NAT firewall. We can get around the limitation ourselves by using VPN connectivity instead, but we want to provide remote access for training purposes and won't be able to rely on VPN connections from our customers.

Post by jomann »

I don't see how that would matter from the API perspective unless something else was causing an issue. Can you look at your httpd access_log and see what the URL it is trying to access is once you hit the API? When you're calling the api/backend it is doing a curl request to the es_server and just returns the results.

Post by eloyd »

Having changed the names to protect the innocent (and leaving 192.168.1.1 as our NAT device), here's the entire Apache log after clicking on "My Default Dashboard" after being logged in:

Code:

192.168.1.1 - - [20/Jun/2016:14:55:19 -0400] "GET /nagioslogserver/dashboard HTTP/1.1" 200 8764 "http://external.dns.name:1234/nagioslogserver/" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
192.168.1.1 - - [20/Jun/2016:14:55:19 -0400] "GET /nagioslogserver/app/components/language.php?ver=1.4.1 HTTP/1.1" 200 9660 "http://external.dns.name:1234/nagioslogserver/dashboard" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
192.168.1.1 - - [20/Jun/2016:14:55:19 -0400] "GET /nagioslogserver/font/fontawesome-webfont.woff?v=3.2.1 HTTP/1.1" 200 43572 "http://external.dns.name:1234/nagioslogserver/css/font-awesome.min.css?ver=1.4.1" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
192.168.1.1 - - [20/Jun/2016:14:55:19 -0400] "GET /nagioslogserver/media/js/ZeroClipboard.swf?noCache=1466448918421 HTTP/1.1" 200 4036 "http://external.dns.name:1234/nagioslogserver/dashboard" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
192.168.1.1 - - [20/Jun/2016:14:55:19 -0400] "POST /nagioslogserver/api/system/status HTTP/1.1" 200 82 "http://external.dns.name:1234/nagioslogserver/dashboard" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
192.168.1.1 - - [20/Jun/2016:14:55:19 -0400] "POST /nagioslogserver/api/system/status HTTP/1.1" 200 87 "http://external.dns.name:1234/nagioslogserver/dashboard" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
192.168.1.1 - - [20/Jun/2016:14:55:19 -0400] "GET /nagioslogserver/app/partials/dashLoader.php HTTP/1.1" 200 11825 "http://external.dns.name:1234/nagioslogserver/dashboard" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
192.168.1.1 - - [20/Jun/2016:14:55:19 -0400] "GET /nagioslogserver/app/partials/dashboard.php HTTP/1.1" 200 5074 "http://external.dns.name:1234/nagioslogserver/dashboard" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
192.168.1.1 - - [20/Jun/2016:14:55:19 -0400] "GET /nagioslogserver/app/partials/dashLoaderShare.php HTTP/1.1" 200 589 "http://external.dns.name:1234/nagioslogserver/dashboard" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
192.168.1.1 - - [20/Jun/2016:14:55:19 -0400] "GET /nagioslogserver/app/panels/timepicker/module.php?ver=2015R1.4-3.1.1-nagios3 HTTP/1.1" 200 2390 "http://external.dns.name:1234/nagioslogserver/dashboard" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"

Note, I also changed the actual external port to "1234" to protect our [dubious] innocence.

The error that shows up on the empty dashboard (in red) is:

Code:

Error Could not contact Elasticsearch at http://external.dns.name/nagioslogserver/index.php/api/backend. Please ensure that Elasticsearch is reachable from your system.

Last edited by eloyd on Tue Jun 21, 2016 9:20 am, edited 1 time in total.

Post by jomann »

Oh! Thanks, that explained it much better... it's that you're having an issue with it trying to load Kibana dashboards because of the JavaScript using hostname only...

Editing this file should help: /var/www/html/nagioslogserver/www/config.js

I believe that file is located there in a normal NLS install. It should have a section that looks like:

Code:

elasticsearch: window.location.protocol + "//"+window.location.hostname+"/nagioslogserver/index.php/api/backend",

You'd want to add window.location.port like so:

Code:

elasticsearch: window.location.protocol + "//"+window.location.hostname+":"+window.location.port+"/nagioslogserver/index.php/api/backend",

This should fix your install but we would definitely need to do this the "correct" way as a bug fix in order for this to work on systems without the port specified. You could also try running it directly to localhost or 127.0.0.1 but I think the reason it was set to this was so that it could generate URLs in the modals that would allow someone to copy/paste and run it elsewhere. If you don't care about that, then you can try localhost.
Locked
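
The two config.js expressions quoted in the last post, compared with a port-agnostic form built on `location.host`, as an added example that is not part of the thread and not Nagios Log Server code. The function names and the 8443 test address are assumptions made for illustration; `URL` objects stand in for `window.location` so the comparison runs under Node.

```javascript
// Added example, not Nagios Log Server code. BACKEND_PATH is copied from the
// config.js line quoted in the thread; all function names are hypothetical.
const BACKEND_PATH = "/nagioslogserver/index.php/api/backend";

// Form quoted as shipped: hostname only, so a forwarded port is lost.
function backendHostnameOnly(loc) {
  return loc.protocol + "//" + loc.hostname + BACKEND_PATH;
}

// Workaround quoted in the thread: always appends ":" + port, which leaves a
// dangling ":" when the page was loaded on the scheme's default port.
function backendWithPort(loc) {
  return loc.protocol + "//" + loc.hostname + ":" + loc.port + BACKEND_PATH;
}

// Port-agnostic form: location.host is "hostname" or "hostname:port"; the
// port is omitted by the browser when it is the scheme default.
function backendFromHost(loc) {
  return loc.protocol + "//" + loc.host + BACKEND_PATH;
}

// Constructed page addresses. URL exposes the same protocol/hostname/port/host
// fields as window.location.
const pages = {
  forwarded: new URL("http://external.dns.name:1234/nagioslogserver/dashboard"),
  defaultPort: new URL("http://external.dns.name/nagioslogserver/dashboard"),
  httpsForwarded: new URL("https://external.dns.name:8443/nagioslogserver/dashboard"),
};

// Build every variant for every page address so they can be compared.
function compare() {
  const rows = {};
  for (const [name, loc] of Object.entries(pages)) {
    rows[name] = {
      hostnameOnly: backendHostnameOnly(loc),
      withPort: backendWithPort(loc),
      fromHost: backendFromHost(loc),
    };
  }
  return rows;
}

console.table(compare());
```

The `forwarded` row reproduces the URL from the dashboard error for the hostname-only form, and the `defaultPort` row shows why the workaround only suits installs reached on an explicit port.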