# Running Netdata behind Apache's mod_proxy Below, you can find instructions for configuring an apache server to: 1. Proxy a single Netdata via an HTTP and HTTPS virtual host. 2. Dynamically proxy any number of Netdata servers. 3. Add user authentication. 4. Adjust Netdata settings to get optimal results. ## Requirements Make sure your apache has `mod_proxy` and `mod_proxy_http` installed and enabled. On Debian/Ubuntu systems, install apache, which already includes the two modules, using: ```sh sudo apt-get install apache2 ``` Enable them: ```sh sudo a2enmod proxy sudo a2enmod proxy_http ``` Also, enable the rewrite module: ```sh sudo a2enmod rewrite ``` ## Netdata on an existing virtual host On any **existing** and already **working** apache virtual host, you can redirect requests for URL `/netdata/` to one or more Netdata servers. ### Proxy one Netdata, running on the same server apache runs Add the following on top of any existing virtual host. It will allow you to access Netdata as `http://virtual.host/netdata/`. ```text RewriteEngine On ProxyRequests Off ProxyPreserveHost On Require all granted # Local Netdata server accessed with '/netdata/', at localhost:19999 ProxyPass "/netdata/" "http://localhost:19999/" connectiontimeout=5 timeout=30 keepalive=on ProxyPassReverse "/netdata/" "http://localhost:19999/" # if the user did not give the trailing /, add it # for HTTP (if the virtualhost is HTTP, use this) RewriteRule ^/netdata$ http://%{HTTP_HOST}/netdata/ [L,R=301] # for HTTPS (if the virtualhost is HTTPS, use this) #RewriteRule ^/netdata$ https://%{HTTP_HOST}/netdata/ [L,R=301] # rest of virtual host config here ``` ### Proxy multiple Netdata running on multiple servers Add the following on top of any existing virtual host. It will allow you to access multiple Netdata as `http://virtual.host/netdata/HOSTNAME/`, where `HOSTNAME` is the hostname of any other Netdata server you have (to access the `localhost` Netdata, use `http://virtual.host/netdata/localhost/`). ```text RewriteEngine On ProxyRequests Off ProxyPreserveHost On Require all granted # proxy any host, on port 19999 ProxyPassMatch "^/netdata/([A-Za-z0-9\._-]+)/(.*)" "http://$1:19999/$2" connectiontimeout=5 timeout=30 keepalive=on # make sure the user did not forget to add a trailing / # for HTTP (if the virtualhost is HTTP, use this) RewriteRule "^/netdata/([A-Za-z0-9\._-]+)$" http://%{HTTP_HOST}/netdata/$1/ [L,R=301] # for HTTPS (if the virtualhost is HTTPS, use this) RewriteRule "^/netdata/([A-Za-z0-9\._-]+)$" https://%{HTTP_HOST}/netdata/$1/ [L,R=301] # rest of virtual host config here ``` > IMPORTANT
> The above config allows your apache users to connect to port 19999 on any server on your network. If you want to control the servers your users can connect to, replace the `ProxyPassMatch` line with the following. This allows only `server1`, `server2`, `server3` and `server4`. ```text ProxyPassMatch "^/netdata/(server1|server2|server3|server4)/(.*)" "http://$1:19999/$2" connectiontimeout=5 timeout=30 keepalive=on ``` ## Netdata on a dedicated virtual host You can proxy Netdata through apache, using a dedicated apache virtual host. Create a new apache site: ```sh nano /etc/apache2/sites-available/netdata.conf ``` with this content: ```text ProxyRequests Off ProxyPreserveHost On ServerName netdata.domain.tld Require all granted ProxyPass "/" "http://localhost:19999/" connectiontimeout=5 timeout=30 keepalive=on ProxyPassReverse "/" "http://localhost:19999/" ErrorLog ${APACHE_LOG_DIR}/netdata-error.log CustomLog ${APACHE_LOG_DIR}/netdata-access.log combined ``` Enable the VirtualHost: ```sh sudo a2ensite netdata.conf && service apache2 reload ``` ## Netdata proxy in Plesk _Assuming the main goal is to make Netdata running in HTTPS._ 1. Make a subdomain for Netdata on which you enable and force HTTPS - You can use a free Let's Encrypt certificate 2. Go to "Apache & nginx Settings", and in the following section, add: ```text RewriteEngine on RewriteRule (.*) http://localhost:19999/$1 [P,L] ``` 3. Optional: If your server is remote, then replace "localhost" with your actual hostname or IP, it just works. Repeat the operation for as many servers as you need. ## Enable Basic Auth If you wish to add an authentication (user/password) to access your Netdata, do these: Install the package `apache2-utils`. On Debian/Ubuntu run `sudo apt-get install apache2-utils`. Then, generate password for user `netdata`, using `htpasswd -c /etc/apache2/.htpasswd netdata` **Apache 2.2 Example:**\ Modify the virtual host with these: ```text # replace the section Order deny,allow Allow from all # add a section AuthType Basic AuthName "Protected site" AuthUserFile /etc/apache2/.htpasswd Require valid-user Order deny,allow Allow from all ``` Specify `Location /` if Netdata is running on dedicated virtual host. **Apache 2.4 (dedicated virtual host) Example:** ```text RewriteEngine On ProxyRequests Off ProxyPreserveHost On ServerName netdata.domain.tld AllowOverride None AuthType Basic AuthName "Protected site" AuthUserFile /etc/apache2/.htpasswd Require valid-user ProxyPass "/" "http://localhost:19999/" connectiontimeout=5 timeout=30 keepalive=on ProxyPassReverse "/" "http://localhost:19999/" ErrorLog ${APACHE_LOG_DIR}/netdata-error.log CustomLog ${APACHE_LOG_DIR}/netdata-access.log combined ``` Note: Changes are applied by reloading or restarting Apache. ## Configuration of Content Security Policy If you want to enable CSP within your Apache, you should consider some special requirements for the headers. Modify your configuration like that: ```text Header always set Content-Security-Policy "default-src http: 'unsafe-inline' 'self' 'unsafe-eval'; script-src http: 'unsafe-inline' 'self' 'unsafe-eval'; style-src http: 'self' 'unsafe-inline'" ``` Note: Changes are applied by reloading or restarting Apache. ## Using Netdata with Apache's `mod_evasive` module The `mod_evasive` Apache module helps system administrators protect their web server from brute force and distributed denial-of-service attack (DDoS) attacks. Because Netdata sends a request to the web server for every chart update, it's normal to create 20–30 requests per second, per client. If you're using `mod_evasive` on your Apache web server, this volume of requests will trigger the module's protection, and your dashboard will become unresponsive. You may even begin to see 403 errors. To mitigate this issue, you will need to change the value of the `DOSPageCount` option in your `mod_evasive.conf` file, which can typically be found at `/etc/httpd/conf.d/mod_evasive.conf` or `/etc/apache2/mods-enabled/evasive.conf`. The `DOSPageCount` option sets the limit of the number of requests from a single IP address for the same page per page interval, which is usually 1 second. The default value is `2` requests per second. Netdata's typical usage will exceed that threshold, and `mod_evasive` will add your IP address to a blocklist. Our users have found success by setting `DOSPageCount` to `30`. Try this and raise the value if you continue to see 403 errors while accessing the dashboard. ```text DOSPageCount 30 ``` Restart Apache with `sudo systemctl restart apache2`, or the appropriate method to restart services on your system, to reload its configuration with your new values. ### Virtual host To adjust the `DOSPageCount` for a specific virtual host, open your virtual host config, which can be found at `/etc/httpd/conf/sites-available/my-domain.conf` or `/etc/apache2/sites-available/my-domain.conf` and add the following: ```text ... # Increase the DOSPageCount to prevent 403 errors and IP addresses being blocked. DOSPageCount 30 ``` See issues [#2011](https://github.com/netdata/netdata/issues/2011) and [#7658](https://github.com/netdata/netdata/issues/7568) for more information. ## Netdata configuration You might edit `/etc/netdata/netdata.conf` to optimize your setup a bit. For applying these changes, you need to restart Netdata. ### Response compression If you plan to use Netdata exclusively via apache, you can gain some performance by preventing double compression of its output (Netdata compresses its response, apache re-compresses it) by editing `/etc/netdata/netdata.conf` and setting: ```text [web] enable gzip compression = no ``` Once you disable compression at Netdata (and restart it), please verify you receive compressed responses from apache (it is important to receive compressed responses - the charts will be more snappy). ### Limit direct access to Netdata You would also need to instruct Netdata to listen only on `localhost`, `127.0.0.1` or `::1`. ```text [web] bind to = localhost ``` or ```text [web] bind to = 127.0.0.1 ``` or ```text [web] bind to = ::1 ``` You can also use a unix domain socket. This will also provide a faster route between apache and Netdata: ```text [web] bind to = unix:/tmp/netdata.sock ``` Apache 2.4.24+ can’t read from `/tmp` so create your socket in `/var/run/netdata` ```text [web] bind to = unix:/var/run/netdata/netdata.sock ``` At the apache side, prepend the second argument to `ProxyPass` with `unix:/tmp/netdata.sock|`, like this: ```text ProxyPass "/netdata/" "unix:/tmp/netdata.sock|http://localhost:19999/" connectiontimeout=5 timeout=30 keepalive=on ``` If your apache server is not on localhost, you can set: ```text [web] bind to = * allow connections from = IP_OF_APACHE_SERVER ``` `allow connections from` accepts [Netdata simple patterns](/src/libnetdata/simple_pattern/README.md) to match against the connection IP address. ## Prevent the double access.log Apache logs accesses and Netdata logs them too. You can prevent Netdata from generating its access log, by setting this in `/etc/netdata/netdata.conf`: ```text [logs] access = off ``` ## Troubleshooting mod_proxy Make sure the requests reach Netdata, by examining `/var/log/netdata/access.log`. 1. if the requests don’t reach Netdata, your apache doesn’t forward them. 2. if the requests reach Netdata but the URLs are wrong, you haven’t re-written them properly.