1
18.1 Legacy Series / Re: Icinga2 Monitoring Agent
« on: December 10, 2018, 06:43:53 pm »
you already can install icinga2 via FreeBSD ports. the configuration will be done per cli only until now but it works very well 
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages: [1]
2
18.1 Legacy Series / Re: Icinga2 Monitoring Agent
« on: July 03, 2018, 11:57:03 am »
it's nearly the same to configure a satellite or a agent node. personally i don't need the satellite feature on my OPNsense. i am fine with the basic agent functionality
if you want to create a satellite you have to define a new satellite zone.
1. put your choosen zone name in constants.conf
2. zones.conf didn't need any changes
on your master you have to define the agent node as endpoint object in your choosen satellite zone. there you have to store the config in /etc/icinga2/zones.d/<MY-SATELLITE-ZONE>/endpoints.conf
if the key exchange for the encrypted connection was successfully the master will sync the satellite specific configuration to the satellite node. you can check the receipt of objects under /var/lib/icinga2/api/zones/*.
3. disable the include of local config objects in icinga2.conf to avoid the deployment of double objects
if you want to create a satellite you have to define a new satellite zone.
1. put your choosen zone name in constants.conf
Code: [Select]
...
const ZoneName = "<MY-SATELLITE-ZONE>"
...2. zones.conf didn't need any changes
Code: [Select]
/*
* Generated by Icinga 2 node setup commands
* on 2017-11-17 18:56:55 +0100
*/
object Endpoint "<MASTER-FQDN>" {
host = "<MASTER-IP>"
port = "5665"
}
object Zone "master" {
endpoints = [ "<MASTER-FQDN>" ]
}
object Zone "global-templates" {
global = true
}
object Endpoint NodeName {
}
object Zone ZoneName {
endpoints = [ NodeName ]
parent = "master"
}on your master you have to define the agent node as endpoint object in your choosen satellite zone. there you have to store the config in /etc/icinga2/zones.d/<MY-SATELLITE-ZONE>/endpoints.conf
Code: [Select]
object Endpoint "<AGENT-NODE-FQDN>" {
host = "<AGENT-NODE-IP>"
log_duration = 0s
}
object Zone "<AGENT-NODE-FQDN>" {
parent = "<MY-SATELLITE-ZONE>"
endpoints = [ "<AGENT-NODE-FQDN>" ]
}
if the key exchange for the encrypted connection was successfully the master will sync the satellite specific configuration to the satellite node. you can check the receipt of objects under /var/lib/icinga2/api/zones/*.
3. disable the include of local config objects in icinga2.conf to avoid the deployment of double objects
Code: [Select]
...
#include_recursive "conf.d"
...
3
18.1 Legacy Series / Re: Icinga2 Monitoring Agent
« on: July 03, 2018, 10:20:41 am »
sorry, i've forgot to mention the need of the package called monitoring-plugins (net-mgmt/monitoring-plugins). it contains all of the common check plugins for local and remote checks.
4
18.1 Legacy Series / Re: Icinga2 Monitoring Agent
« on: July 02, 2018, 10:07:01 pm »
all right. here is a example config for a agent node scenario:
/etc/icinga2/constants.conf
/etc/icinga2/zones.conf
/etc/icinga2/icinga2.conf
/etc/icinga2/constants.conf
Code: [Select]
/**
* This file defines global constants which can be used in
* the other configuration files.
*/
/* The directory which contains the plugins from the Monitoring Plugins project. */
const PluginDir = "/usr/lib/nagios/plugins"
/* The directory which contains the Manubulon plugins.
* Check the documentation, chapter "SNMP Manubulon Plugin Check Commands", for details.
*/
const ManubulonPluginDir = "/usr/lib/nagios/plugins"
/* The directory which you use to store additional plugins which ITL provides user contributed command definitions for.
* Check the documentation, chapter "Plugins Contribution", for details.
*/
const PluginContribDir = "/usr/lib/nagios/plugins"
/* Our local instance name. By default this is the server's hostname as returned by `hostname --fqdn`.
* This should be the common name from the API certificate.
*/
const NodeName = "<AGENT-NODE-FQDN>"
/* Our local zone name. */
const ZoneName = "<AGENT-NODE-FQDN>"
/* Secret key for remote node tickets */
const TicketSalt = ""/etc/icinga2/zones.conf
Code: [Select]
/*
* Generated by Icinga 2 node setup commands
* on 2017-11-17 18:56:55 +0100
*/
object Endpoint "<MASTER-FQDN>" {
host = "<MASTER-IP>"
port = "5665"
}
object Zone "master" {
endpoints = [ "<MASTER-FQDN>" ]
}
object Zone "global-templates" {
global = true
}
object Endpoint NodeName {
}
object Zone ZoneName {
endpoints = [ NodeName ]
parent = "master"
}/etc/icinga2/icinga2.conf
Code: [Select]
/**
* Icinga 2 configuration file
* - this is where you define settings for the Icinga application including
* which hosts/services to check.
*
* For an overview of all available configuration options please refer
* to the documentation that is distributed as part of Icinga 2.
*/
/**
* The constants.conf defines global constants.
*/
include "constants.conf"
/**
* The zones.conf defines zones for a cluster setup.
* Not required for single instance setups.
*/
include "zones.conf"
/**
* The Icinga Template Library (ITL) provides a number of useful templates
* and command definitions.
* Common monitoring plugin command definitions are included separately.
*/
include <itl>
include <plugins>
include <plugins-contrib>
include <manubulon>
/**
* This includes the Icinga 2 Windows plugins. These command definitions
* are required on a master node when a client is used as command endpoint.
*/
include <windows-plugins>
/**
* This includes the NSClient++ check commands. These command definitions
* are required on a master node when a client is used as command endpoint.
*/
include <nscp>
/**
* The features-available directory contains a number of configuration
* files for features which can be enabled and disabled using the
* icinga2 feature enable / icinga2 feature disable CLI commands.
* These commands work by creating and removing symbolic links in
* the features-enabled directory.
*/
include "features-enabled/*.conf"
/**
* Although in theory you could define all your objects in this file
* the preferred way is to create separate directories and files in the conf.d
* directory. Each of these files must have the file extension ".conf".
*/
include_recursive "conf.d"
5
18.1 Legacy Series / Re: Icinga2 Monitoring Agent
« on: July 02, 2018, 08:40:54 pm »
as mentioned above the port is called net-mgmt/icinga2. withit you can setup a icinga2 master instance (server), a satellite instance or basically an agent node. the agent node is useful to run local checks, for example checking the hardware-environment, special squid checks, local filesystem checks etc.
what did you exactly mean with config? do you need a example icinga2 config or a kind of config to build the package? excuse me this question, i'm not really familar with building a package from source.
what did you exactly mean with config? do you need a example icinga2 config or a kind of config to build the package? excuse me this question, i'm not really familar with building a package from source.
6
18.1 Legacy Series / Re: Icinga2 Monitoring Agent
« on: July 02, 2018, 07:07:30 pm »
i would also like to see a icinga2 package. unfortunately i had no luck to compile the source code myself 
7
German - Deutsch / Re: [SOLVED] Config Backup auf Nextcloud
« on: June 21, 2018, 12:42:47 pm »
Mit dem heutigen Update ist die Funktion nun enthalten Backups in der eigenen Nextcloud abzulegen. Was für ein Kennwort wird denn für die Verschlüsselung der Konfigurationsdatei benutzt? 
8
German - Deutsch / Re: Reverse Proxy mit HAProxy-Plugin
« on: May 06, 2017, 05:55:44 pm »
Danke für Deine Hilfe pingus
Ich bin Deinen Anweisungen gefolgt und konnte zuerst den HAProxy Dienst nicht starten. Der Fehler hierbei war, das ich bei der Frontend Listen Address das "*:443" zu wörtlich genommen habe. Hier muss scheinbar neben dem Port eine vollständige Adresse eingetragen werden. Ich habe nun "127.0.0.1:443" eingetragen und per NAT-Regel 443/TCP auf den lokalen Port 443, auf dem der HAProxy lauscht (siehe sockstat-Ausgabe), umgeleitet.
NAT-Regel
FW-Regel
Der HAProxy läuft nun aber meine Seite (Nextcloud-Installation) ist von außen nicht erreichbar. Nach ca. 30 Sekunden gibt es einen Timeout/Reject. Im Firewall Log tauchen keine Meldungen auf, im HAProxy Log hingegen schon. Dort sehe ich mehrmals die Zeile:
Hier noch meine HAProxy Config:
Ich bin Deinen Anweisungen gefolgt und konnte zuerst den HAProxy Dienst nicht starten. Der Fehler hierbei war, das ich bei der Frontend Listen Address das "*:443" zu wörtlich genommen habe. Hier muss scheinbar neben dem Port eine vollständige Adresse eingetragen werden. Ich habe nun "127.0.0.1:443" eingetragen und per NAT-Regel 443/TCP auf den lokalen Port 443, auf dem der HAProxy lauscht (siehe sockstat-Ausgabe), umgeleitet.
NAT-Regel
Code: [Select]
WAN TCP * * WAN address 443 (HTTPS) 127.0.0.1 443 (HTTPS) FW-Regel
Code: [Select]
IPv4 TCP * * 127.0.0.1 443 (HTTPS) * NAT Code: [Select]
sockstat | grep haproxy
www haproxy 17125 4 dgram -> /var/run/log
www haproxy 17125 5 stream /var/run/configd.socket
www haproxy 17125 6 stream /var/run/configd.socket
www haproxy 17125 9 stream /var/run/haproxy.socket.16847.tmp
www haproxy 17125 10 tcp4 127.0.0.1:80 *:*
www haproxy 17125 11 dgram (not connected)
www haproxy 17125 12 tcp4 127.0.0.1:443 *:*
root syslogd 22806 6 dgram /var/haproxy/var/run/logDer HAProxy läuft nun aber meine Seite (Nextcloud-Installation) ist von außen nicht erreichbar. Nach ca. 30 Sekunden gibt es einen Timeout/Reject. Im Firewall Log tauchen keine Meldungen auf, im HAProxy Log hingegen schon. Dort sehe ich mehrmals die Zeile:
Code: [Select]
haproxy[17125]: 80.187.xxx.xxx:6768 [06/May/2017:17:48:51.735] nc_ssl nc_ssl/<NOSRV> -1/-1/-1/-1/14 400 187 - - PR-- 0/0/0/0/0 0/0 "<BADREQ>"Hier noch meine HAProxy Config:
Code: [Select]
cat /usr/local/etc/haproxy.conf
#
# Automatically generated configuration.
# Do not edit this file manually.
global
# NOTE: Could be a security issue, but required for some feature.
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket level admin
nbproc 1
tune.ssl.default-dh-param 1024
spread-checks 0
tune.chksize 16384
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
defaults
log global
option redispatch -1
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
# Frontend: nc ()
frontend nc
bind 127.0.0.1:80 name 127.0.0.1:80
mode http
option http-keep-alive
default_backend nc
# tuning options
timeout client 30s
# logging options
option httplog
# ACL: nc
acl acl_590db1ef08fa94.67054859 hdr(host) -i www.example.com
# ACTION: nc
use_backend nc if acl_590db1ef08fa94.67054859
# Frontend: nc_ssl ()
frontend nc_ssl
bind 127.0.0.1:443 name 127.0.0.1:443
mode http
option http-keep-alive
default_backend nc_ssl
# tuning options
timeout client 30s
# logging options
option httplog
# ACL: nc_ssl
acl acl_590db1b706db30.36331514 req.ssl_sni -i www.example.com
# ACTION: nc_ssl
use_backend nc_ssl if acl_590db1b706db30.36331514
# Backend: acme_challenge_backend (Added by Let's Encrypt plugin)
backend acme_challenge_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server acme_challenge_host 127.0.0.1:43580
# Backend: nc_ssl ()
backend nc_ssl
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server nc_ssl 10.254.80.215:443 ssl verify none
# Backend: nc ()
backend nc
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server nc 10.254.80.215:80
# statistics are DISABLED
9
German - Deutsch / Reverse Proxy mit HAProxy-Plugin
« on: April 29, 2017, 02:46:47 pm »
Hallo Forum,
ich versuche mich gerade daran OPNsense für mein privates Netzwerk einzurichten und komme auch ziemlich gut voran. Interfaces, VLANs, DNS, DHCP, OpenVPN, Squid und das LetsEncrypt-Plugin konnte ich konfigurieren - das funktioniert soweit
Was mir aktuell noch fehlt ist ein Reverse Proxy. Laut den Hinweisen/Empfehlungen hier im Forum soll man hierfür das HAProxy-Plugin verwenden. Leider scheitere ich aufgrund der umfangreichen Konfigurationsmöglichkeiten daran das Plugin für mich richtig einzustellen.
Kann mir bitte jemand unter die Arme greifen und grob die Schritte nennen die auszuführen sind um folgende Anforderung umzusetzen?
Ich möchte das alle eingehenden WAN-Anfragen betreffend HTTP/HTTPS an den Reverse Proxy umgeleitet werden. Der Proxy soll dann, wie bei den Squid Peer Mappings, anhand der aufgerufenen URL die Anfragen an einen bestimmten Webserver im LAN weiterleiten.
Danke & Gruß,
vita
ich versuche mich gerade daran OPNsense für mein privates Netzwerk einzurichten und komme auch ziemlich gut voran. Interfaces, VLANs, DNS, DHCP, OpenVPN, Squid und das LetsEncrypt-Plugin konnte ich konfigurieren - das funktioniert soweit
Was mir aktuell noch fehlt ist ein Reverse Proxy. Laut den Hinweisen/Empfehlungen hier im Forum soll man hierfür das HAProxy-Plugin verwenden. Leider scheitere ich aufgrund der umfangreichen Konfigurationsmöglichkeiten daran das Plugin für mich richtig einzustellen.
Kann mir bitte jemand unter die Arme greifen und grob die Schritte nennen die auszuführen sind um folgende Anforderung umzusetzen?
Ich möchte das alle eingehenden WAN-Anfragen betreffend HTTP/HTTPS an den Reverse Proxy umgeleitet werden. Der Proxy soll dann, wie bei den Squid Peer Mappings, anhand der aufgerufenen URL die Anfragen an einen bestimmten Webserver im LAN weiterleiten.
Danke & Gruß,
vita
Pages: [1]