Install Nagios XI from behind a firewall

[gormank]

I've seen the KBA in the link: https://support.nagios.com/kb/article.php?id=147

I'm testing installation now, but will soon have to build 4 XI boxes behind a firewall.

When using the proxy, wget https://assets.nagios.com/path/file fails so the installation fails. Now I'm testing just a single wget. If https_proxy isn't set, the test never tries to reach the proxy.

[root@sbiotlnxi001 nagiosxi]# export proxy=http://172.20.140.34:3128/; export http_proxy=http://172.20.140.34:3128/; export https_proxy=http://172.20.140.34:3128/;env | grep proxy
http_proxy=http://172.20.140.34:3128/
https_proxy=http://172.20.140.34:3128/
proxy=http://172.20.140.34:3128/

Code: Select all

[root@sbiotlnxi001 nagiosxi]# wget https://assets.nagios.com/downloads/nagiosxi/components/wkhtmltox-0.12.1-centos5-amd64.tar.gz --inet4-only
--2017-02-14 21:20:53--  https://assets.nagios.com/downloads/nagiosxi/components/wkhtmltox-0.12.1-centos5-amd64.tar.gz
Connecting to 172.20.140.34:3128... connected.
Proxy tunneling failed: Service UnavailableUnable to establish SSL connection.
[root@sbiotlnxi001 nagiosxi]#

Proxy message:

Code: Select all

14/Feb/2017:21:21:53  60378 172.20.140.30 TCP_MISS/503 0 CONNECT assets.nagios.com:443 - HIER_NONE/- - "Wget/1.14 (linux-gnu)"

I realize this is outside the scope but thought maybe you'd have some ideas.

Code: Select all

[root@sbiotlpxy001 network-scripts]# cat /etc/squid/squid.conf
#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

#acl localnet src 2001:9888::/32
#acl localnet src 2001:9888:ef8:4343::/64
#acl localnet src 2001:9777:db7:4242::/64
#acl localnet src 172.20.140/24

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

tcp_outgoing_address 172.21.141.34

acl domain_whitelist dstdomain "/etc/squid/whitelist_domain"
#acl ip_whitelist dst "/etc/squid/whitelist_ip"
acl url_whitelist url_regex -i "/etc/squid/whitelist_url"

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

http_access allow domain_whitelist
#http_access allow ip_whitelist
http_access allow url_whitelist

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localhost
#http_access allow localnet

# allow all for testing only
#http_access allow all

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128

http_port [2001:9888:ef8:4343::34]:3128
http_port 172.20.140.34:3128

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

#See cache.log for debug info
debug_options ALL,1 33,2 28,9

# log format
logformat squid %tg %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt "%{User-Agent}>h"

Code: Select all

[root@sbiotlpxy001 network-scripts]# grep nagios /etc/squid/whitelist_*
/etc/squid/whitelist_domain:#.api.nagios.com
/etc/squid/whitelist_domain:#.assets.nagios.com
/etc/squid/whitelist_domain:#.repo.nagios.com
/etc/squid/whitelist_domain:.nagios.com
/etc/squid/whitelist_url:api.nagios.com/versioncheck

[avandemore]

Yes it is outside the scope but here is some information on that:

https://howmenet.wordpress.com/tag/tcp_miss503/

Alternatively you could do an offline install, instructions here:
http://repo.nagios.com/

Be aware that operates a bit different than a standard install in that future upgrades must be done using the offline upgrade method. That method tends to lag a bit behind the standard way.

[gormank]

Yest, I've tested the offline install on another box in the same environment. It has a few issues, but works once repos are sorted. I'm trying to avoid the offline due to the update issues.
I'll look into the 503 some more.
There really should be a cleaner way than 25 individual wgets...

[rkennedy]

The offline install is really made as the easy way to do this, in my mind. What issue are you having with the offline repo?

[gormank]

Yes, it was easy. We have Satellite, which doesn't have an infinite number of available repos. The offline install lists a number of packages that have to be available. Even though yum list on each showed those available, the install failed on dependencies for those packages. There's a search-disabled-repos.conf setting that tells it to search disabled packages that smoothed the process (search-disabled-repos.conf, notify_only to 0).

This is nothing new. I've been fighting dependency issues and dependencies of dependencies issues, for a few years on an existing install (installed w/ internet access) of Nagios. Its just that I now have a new install, no internet, Satellite, and over IPv6 to deal with.

Speaking of IPv6, for an unknown reason, in my test network, even though I have things setup to reply w/ v4 addresses 1st, wget somehow snags the v6 address for assets.nagios.com first. It then tries to fetch from the v6 address, which since I can't reach the internet on v6 (direct or via proxy), has to time out, which takes minutes for each wget, and there are a lot of wgets. I'd suggest that you add options (--inet4-only for example) through a sourced file (via . in shell scripts). These would be added to each wget in each of the scripts using wget. You can see what I mean by looking at the install scripts under subcomponents or whatever the dir name is in /tmp/nagiosxi.

A better solution would be to gather all the files pulled from the internet into one place and fetch them in one script. While this is less modular, it would be easier in situations like this.

A user could then fetch needed files by whatever means, create the installed.whatever file and install. I do something similar for the repo script that adds nagios and epel repos, which then cause yum to fail miserably in an install via proxy.

[avandemore]

Speaking of IPv6, for an unknown reason, in my test network, even though I have things setup to reply w/ v4 addresses 1st, wget somehow snags the v6 address for assets.nagios.com first. It then tries to fetch from the v6 address, which since I can't reach the internet on v6 (direct or via proxy), has to time out, which takes minutes for each wget, and there are a lot of wgets. I'd suggest that you add options (--inet4-only for example) through a sourced file (via . in shell scripts). These would be added to each wget in each of the scripts using wget. You can see what I mean by looking at the install scripts under subcomponents or whatever the dir name is in /tmp/nagiosxi.

Probably easiest to set inet4_only = yes in ~/.wgetrc

Which version of Satellite? Are you allowed to add repo's to it, or create a local one not under Satellite's control? That's basically what your "better solution" does. Yum will work behind a proxy, you have to configure it though. I believe /etc/yum.conf is still the place where all the magic happens.

[gormank]

The .wgetrc is a good point.
Satellite 6.2.7 and yes, I can add to it once I figure out how...
Yum isn't the issue with the proxy, wget is, and its an issue repeatedly. For me to fix it locally, I'd need to do something like make assets.nagios.com resolve to something in my network, duplicate the dir structure on a web server, and put the files there, which makes little sense.

[root@sbiotlnxi001 nagiosxi]# grep assets install.log | grep tar
--2017-02-14 21:04:03-- https://assets.nagios.com/downloads/nag ... d64.tar.gz
--2017-02-14 21:09:15-- https://assets.nagios.com/downloads/nag ... bit.tar.gz
--2017-02-14 21:16:10-- https://assets.nagios.com/downloads/nrd ... 2.4.tar.gz
--2017-02-14 21:18:19-- https://assets.nagios.com/downloads/nsi ... 1_1.tar.gz
--2017-02-14 21:21:00-- http://assets.nagios.com/downloads/nagi ... x86_64.tar
--2017-02-14 21:23:08-- https://assets.nagios.com/downloads/nag ... x86_64.tar

Interesting that one script uses http when assets.nagios.com seems to prefer https...

[avandemore]

Well wgetrc can also contain proxy vars. You could also look at setting those vars system wide, then any app that respects those would automatically inherit them.

For example something like this:

http://www.thesysadminhimself.com/2013/ ... entos.html

Although I'm not entirely convinced /etc/environment is correct place for that.

[gormank]

Until the proxy is able to pass requests to assets.nagios.com .wgetrc and /etc/environment settings are meaningless. I'm currently setting the variables in bash.
I added the variables to the environment file, commented them in ~/.wgetrc and tested. It didn't hit the proxy.
I have a case open w/ Redhat and they say they've used my config and it works. My latest theory is its related to IPv6 somehow. The internet connection is v4, while internally the systems are supposed to be v6, but the network is a strange combination of v4 and v6.
My next move is to make named return only the v6 address of the proxy and retest.
I spent some time reconfiguring things to use IPv6 only to get the same 503 response as over v4.

[avandemore]

I added the variables to the environment file, commented them in ~/.wgetrc and tested. It didn't hit the proxy.

That is not a sufficient test. /etc/environment is generally only read on login and this may be different on customized systems or otherwise non-standard.

For example on my CentOS 7 putting the vars into /etc/profile gives a more useful result:

Code: Select all

login as: root
[email protected]'s password:
Last login: Thu Feb 16 10:44:21 2017 from avandemore.nagios.local
[root@avandemore-centos7 ~]# set
BASH=/bin/bash
BASHOPTS=checkwinsize:cmdhist:expand_aliases:extquote:force_fignore:histappend:hostcomplete:interactive_comments:login_shell:progcomp:promptvars:sourcepath
BASH_ALIASES=()
BASH_ARGC=()
BASH_ARGV=()
BASH_CMDS=()
BASH_LINENO=()
BASH_SOURCE=()
BASH_VERSINFO=([0]="4" [1]="2" [2]="46" [3]="1" [4]="release" [5]="x86_64-redhat-linux-gnu")
BASH_VERSION='4.2.46(1)-release'
COLUMNS=237
DIRSTACK=()
EUID=0
GROUPS=()
HISTCONTROL=ignoredups
HISTFILE=/root/.bash_history
HISTFILESIZE=1000
HISTSIZE=1000
HOME=/root
HOSTNAME=avandemore-centos7.nagios.com
HOSTTYPE=x86_64
ID=0
IFS=$' \t\n'
LANG=en_US.UTF-8
LESSOPEN='||/usr/bin/lesspipe.sh %s'
LINES=71
LOGNAME=root
LS_COLORS='rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;05;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=01;36:*.au=01;36:*.flac=01;36:*.mid=01;36:*.midi=01;36:*.mka=01;36:*.mp3=01;36:*.mpc=01;36:*.ogg=01;36:*.ra=01;36:*.wav=01;36:*.axa=01;36:*.oga=01;36:*.spx=01;36:*.xspf=01;36:'
MACHTYPE=x86_64-redhat-linux-gnu
MAIL=/var/spool/mail/root
MAILCHECK=60
OPTERR=1
OPTIND=1
OSTYPE=linux-gnu
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin
PIPESTATUS=([0]="0")
PPID=2355
PROMPT_COMMAND='printf "\033]0;%s@%s:%s\007" "${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/~}"'
PS1='[\u@\h \W]\$ '
PS2='> '
PS4='+ '
PWD=/root
SHELL=/bin/bash
SHELLOPTS=braceexpand:emacs:hashall:histexpand:history:interactive-comments:monitor
SHLVL=1
SSH_CLIENT='192.168.5.16 60403 22'
SSH_CONNECTION='192.168.5.16 60403 192.168.4.174 22'
SSH_TTY=/dev/pts/0
TERM=xterm
UID=0
USER=root
XDG_RUNTIME_DIR=/run/user/0
XDG_SESSION_ID=10
_=PATH
colors=/root/.dircolors
ftp_proxy=ftp://proxysrv:8080/
http_proxy=http://proxysrv:8080/
https_proxy=https://proxysrv:8080/
no_proxy=.mylan.local,.domain1.com,host1,host2
[root@avandemore-centos7 ~]# su - nagios
Last login: Thu Feb 16 10:45:06 CST 2017 on pts/0
[nagios@avandemore-centos7 ~]$ set
BASH=/bin/bash
BASHOPTS=checkwinsize:cmdhist:expand_aliases:extquote:force_fignore:histappend:hostcomplete:interactive_comments:login_shell:progcomp:promptvars:sourcepath
BASH_ALIASES=()
BASH_ARGC=()
BASH_ARGV=()
BASH_CMDS=()
BASH_LINENO=()
BASH_SOURCE=()
BASH_VERSINFO=([0]="4" [1]="2" [2]="46" [3]="1" [4]="release" [5]="x86_64-redhat-linux-gnu")
BASH_VERSION='4.2.46(1)-release'
COLUMNS=237
DIRSTACK=()
EUID=1001
GROUPS=()
HISTCONTROL=ignoredups
HISTFILE=/home/nagios/.bash_history
HISTFILESIZE=1000
HISTSIZE=1000
HOME=/home/nagios
HOSTNAME=avandemore-centos7.nagios.com
HOSTTYPE=x86_64
ID=1001
IFS=$' \t\n'
LANG=en_US.UTF-8
LESSOPEN='||/usr/bin/lesspipe.sh %s'
LINES=71
LOGNAME=nagios
LS_COLORS='rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;05;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=01;36:*.au=01;36:*.flac=01;36:*.mid=01;36:*.midi=01;36:*.mka=01;36:*.mp3=01;36:*.mpc=01;36:*.ogg=01;36:*.ra=01;36:*.wav=01;36:*.axa=01;36:*.oga=01;36:*.spx=01;36:*.xspf=01;36:'
MACHTYPE=x86_64-redhat-linux-gnu
MAIL=/var/spool/mail/nagios
MAILCHECK=60
OPTERR=1
OPTIND=1
OSTYPE=linux-gnu
PATH=/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/nagios/.local/bin:/home/nagios/bin
PIPESTATUS=([0]="0")
PPID=2800
PROMPT_COMMAND='printf "\033]0;%s@%s:%s\007" "${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/~}"'
PS1='[\u@\h \W]\$ '
PS2='> '
PS4='+ '
PWD=/home/nagios
SHELL=/bin/bash
SHELLOPTS=braceexpand:emacs:hashall:histexpand:history:interactive-comments:monitor
SHLVL=1
TERM=xterm
UID=1001
USER=nagios
XDG_SESSION_ID=10
_=PATH
colors=/home/nagios/.dircolors
ftp_proxy=ftp://proxysrv:8080/
http_proxy=http://proxysrv:8080/
https_proxy=https://proxysrv:8080/
no_proxy=.mylan.local,.domain1.com,host1,host2

But as noted originally this is out of scope and it's dependent on your system's config and not every tool is going to respect those settings.

Regarding your proxy's inability to fetch certain items, I don't know. Seems like that would be a question for the proxy admin.