From OpenNMS
"It's not fun if it's working already"
That's why I looked for alternatives to using Apache2 as a reverse proxy. First, Lighttpd came into view. Lighty is cool, but too standard. Something more bizarre, slimmer and neater should be used!
So I ended up trying nginx. nginx is a very lightweight httpd which also does reverse proxying, load balancing and all the other things apache2 can do, only slimmer. The config file is easy to understand and the concepts are simple. Plus they work. Well, they work now.
Assumptions:
The OpenNMS server has Jetty running in the default config; it has two IP addresses, one public, one private. OpenNMS shall be reachable on both. The public one is named "www.opennms.com" and the private one "www.opennms.org". You have a certificate created and ready to roll.
user www-data;
worker_processes 1;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    access_log /var/log/nginx/access.log;
    sendfile on;
    keepalive_timeout 65;
    tcp_nodelay on;
    gzip on;

    # Catchall servers on 80 for convenience:
    #
    # The private IP sends the user to the private https interface
    #
    server {
        listen 80;
        server_name www.opennms.org;
        rewrite ^/(.*) https://www.opennms.org/opennms/ permanent;
    }
    #
    # The public IP sends the user to the public https interface
    #
    server {
        listen 80;
        server_name www.opennms.com;
        rewrite ^/(.*) https://www.opennms.com/opennms/ permanent;
    }
    #
    # Private https server
    #
    server {
        listen 443;
        server_name www.opennms.org;
        # If the user requests any page *not* in the /opennms/ location (see below), send him there
        location / {
            rewrite ^/(.*) https://www.opennms.org/opennms/ permanent;
        }
        # If the request is for /opennms/, proxy to jetty
        location /opennms/ {
            proxy_set_header X-Real-IP $remote_addr;
            #
            # This line tells the OpenNMS application which URL to use as base_url:
            #
            proxy_set_header X-Host www.opennms.org;
            # nginx variable names are case-sensitive; the built-in variable is all lowercase
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            #
            # Here we point to Jetty
            #
            proxy_pass http://127.0.0.1:8980;
            proxy_redirect default;
        }
        # 'ssl on' is deprecated since nginx 1.15; newer versions use 'listen 443 ssl;' instead
        ssl on;
        #
        # change jetty.pem and jetty.key to the respective keys / cert files you have created
        #
        ssl_certificate /etc/ssl/jetty.pem;
        ssl_certificate_key /etc/ssl/private/jetty.key;
        ssl_session_timeout 5m;
        # SSLv2, SSLv3 and TLSv1 are broken or deprecated today; on a current nginx/OpenSSL
        # use 'ssl_protocols TLSv1.2 TLSv1.3;' and a cipher list that does not enable the
        # LOW, EXP and RC4 suites this string allows
        ssl_protocols SSLv2 SSLv3 TLSv1;
        ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
        ssl_prefer_server_ciphers on;
    }
    # Copy the above to create a server which listens for www.opennms.com and replace .org with .com in the config
    # this is your job ;-)
}
And in opennms.properties:
opennms.web.base-url = https://%x%c/
Here we go. Start nginx. If your SSL key is password-protected, you will need to enter the password twice (or once if you only have one IP for OpenNMS and skipped the ".com" config above). If the key has no password, nginx will just start.
If you look at netstat, you should see something like
/etc/nginx # netstat -pant | grep ng
tcp        0      0 0.0.0.0:80      0.0.0.0:*       LISTEN      592/nginx
tcp        0      0 0.0.0.0:443     0.0.0.0:*       LISTEN      592/nginx
If you use a browser to access "www.opennms.org", that is, your server, you should be forwarded to https://www.opennms.org/opennms/. If you use a browser to access "https://www.opennms.org/bubu", you should end up in OpenNMS as well.
Comment: To get this level of convenience ("type www.opennms.org and get to the WebUI") the redirects have to be in place, and to catch "all" URLs and send them to OpenNMS the two locations have to be defined. Technically you only need to define the path to Jetty (e.g. forget about "location /" and rename "location /opennms/" to "location /"). The user will then see an error message when he just types "https://www.opennms.org".
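As an added check (this is not part of the original page or of OpenNMS), the following Python script lints an nginx config excerpt for mistakes that are easy to make in a config like the one above: a directive missing its terminating ";", a mis-cased built-in variable such as "$Proxy_add_x_forwarded_for" (nginx variable names are case-sensitive), and the SSLv2/SSLv3/TLSv1 protocols and LOW/EXP/RC4 cipher suites it enables. The excerpt and the directive, protocol and variable lists are constructed and deliberately minimal.

```python
import re

# Constructed excerpt mirroring the proxy and TLS directives shown on this page.
SAMPLE_CONFIG = """
server_name www.opennms.org
rewrite ^/(.*) https://www.opennms.org/opennms/ permanent;
location /opennms/ {
    proxy_set_header X-Forwarded-For $Proxy_add_x_forwarded_for;
    proxy_pass http://127.0.0.1:8980;
}
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
"""

# Small, hand-picked lists; a real linter would carry the full nginx vocabulary.
DIRECTIVES = {"listen", "server_name", "rewrite", "location", "proxy_pass",
              "proxy_set_header", "ssl_protocols", "ssl_ciphers"}
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_WORDS = {"LOW", "EXP", "RC4", "ADH", "SSLv2", "NULL"}
BUILTIN_VARS = {"proxy_add_x_forwarded_for", "remote_addr", "host", "scheme"}

def directives(config):
    """Yield (name, args) per ';'-terminated statement; comments and braces are skipped."""
    text = re.sub(r"#.*", "", config)
    for stmt in re.sub(r"[{}]", ";", text).split(";"):
        parts = stmt.split()
        if parts:
            yield parts[0], parts[1:]

def lint(config):
    """Return human-readable findings for broken or weak settings in config."""
    findings = []
    for name, args in directives(config):
        # A directive name among the arguments means the previous line lost its ';'
        missing = [a for a in args if a in DIRECTIVES]
        if missing:
            findings.append(f"{name}: possible missing ';' before '{missing[0]}'")
        if name == "ssl_protocols":
            weak = sorted(WEAK_PROTOCOLS & set(args))
            if weak:
                findings.append("ssl_protocols: deprecated " + ", ".join(weak))
        if name == "ssl_ciphers" and args:
            # '!X' removes suites; anything else (including '+X' after ALL) leaves them enabled
            enabled = [c for c in args[0].split(":") if not c.startswith("!")]
            weak = sorted({w for c in enabled for w in c.split("+") if w in WEAK_CIPHER_WORDS})
            if weak:
                findings.append("ssl_ciphers: weak suites enabled " + ", ".join(weak))
        for arg in args:
            if (arg.startswith("$") and arg[1:] != arg[1:].lower()
                    and arg[1:].lower() in BUILTIN_VARS):
                findings.append(f"{name}: '{arg}' is not defined, nginx variables are lowercase")
    return findings
```

Run lint(SAMPLE_CONFIG) to see the four findings for the excerpt; a config using "listen 443 ssl;", "ssl_protocols TLSv1.2 TLSv1.3;" and the lowercase variable produces none.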