.. _example-webserver-nginx:

=====================
 nginx configuration
=====================

This example describes how to set up munin on nginx.

nginx does not spawn FastCGI processes by itself, but comes with an
external "spawn-fcgi" program.

We need one process for the graph rendering, and one for the html
generation.

Munin configuration
===================

This example assumes the following configuration in
/etc/munin/munin.conf

.. index::
   pair: example; munin.conf

::

    # graph_strategy should be commented out, if present
    html_strategy cgi

FastCGI configuration
=====================

This will spawn two FastCGI process trees: one for munin cgi
graphing and one for HTML generation. It will create a socket owned by
www-data, and run the processes as the "munin" user.

.. index::
   pair: example; munin-cgi-graph invocation

.. code-block:: bash

    spawn-fcgi -s /var/run/munin/fastcgi-graph.sock -U www-data \
        -u munin -g munin /usr/lib/munin/cgi/munin-cgi-graph

    spawn-fcgi -s /var/run/munin/fastcgi-html.sock -U www-data \
        -u munin -g munin /usr/lib/munin/cgi/munin-cgi-html

Note: Depending on your installation method, the "munin-\*-graph"
programs may be in another directory. Check Makefile.config if you
installed from source, or your package manager if you used that to
install.

Note: If you installed using the package manager on Debian or Ubuntu,
the /var/log/munin/munin-cgi-\*.log files may be owned by the
"www-data" user. This example runs the processes as the "munin" user,
so you need to chown the log files, and edit /etc/logrotate.d/munin.

Webserver configuration
=======================

.. index::
   pair: example; nginx configuration

::

    location ^~ /munin-cgi/munin-cgi-graph/ {
        fastcgi_split_path_info ^(/munin-cgi/munin-cgi-graph)(.*);
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass unix:/var/run/munin/fastcgi-graph.sock;
        include fastcgi_params;
    }

    location /munin/static/ {
        alias /etc/munin/static/;
    }

    location /munin/ {
        fastcgi_split_path_info ^(/munin)(.*);
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass unix:/var/run/munin/fastcgi-html.sock;
        include fastcgi_params;
    }

Authentication and group access
===============================

.. index::
   pair: example; nginx authentication group configuration

If you have munin statistics, and need to allow some users (i.e.
customers) to access only the graphs for a subset of nodes, the easiest
way might be to use groups, and to authenticate each user with a user
name that is exactly the same as the node-group name.

Here is an example of how to redirect the users to the group that
matches their name, and prevent any access to other groups. It also
allows an admin user to see it all.

Warning: If you don't want users to get any information about the other
group names, you should also change the templates accordingly, and
remove any navigation part that might reveal them.

::

    # Here, the whole vhost has auth requirements.
    # You can duplicate it to the graph and html locations if you have
    # something else that doesn't need auth.
    auth_basic "Restricted stats";
    auth_basic_user_file /some/path/to/.htpasswd;

    location ^~ /cgi-bin/munin-cgi-graph/ {
        # not authenticated => no rewrite (back to auth)
        if ($remote_user ~ ^$) { break; }

        # is on the right subtree ?
        set $ok "no";
        # admin can see it all
        if ($remote_user = 'admin') { set $ok "yes"; }
        # only allow given path
        if ($uri ~ /cgi-bin/munin-cgi-graph/([^/]*)) { set $path $1; }
        if ($path = $remote_user) { set $ok "yes"; }

        # not allowed here ? redirect them where they should land
        if ($ok != "yes") {
            # redirect to where they should be
            rewrite / /cgi-bin/munin-cgi-graph/$remote_user/ redirect;
        }

        fastcgi_split_path_info ^(/cgi-bin/munin-cgi-graph)(.*);
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass unix:/var/run/munin/fastcgi-graph.sock;
        include fastcgi_params;
    }

    location /munin/static/ {
        alias /etc/munin/static/;
    }

    location /munin/ {
        # not authenticated => no rewrite (back to auth)
        if ($remote_user ~ ^$) { break; }

        # is on the right subtree ?
        set $ok "no";
        # admin can see it all
        if ($remote_user = 'admin') { set $ok "yes"; }
        # only allow given path
        if ($uri ~ /munin/([^/]*)) { set $path $1; }
        if ($path = $remote_user) { set $ok "yes"; }

        # not allowed here ? redirect them where they should land
        if ($ok != "yes") {
            # redirect to where they should be
            rewrite / /munin/$remote_user/ redirect;
        }

        fastcgi_split_path_info ^(/munin)(.*);
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass unix:/var/run/munin/fastcgi-html.sock;
        include fastcgi_params;
    }
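
The scheme above only works when every user name in the htpasswd file is identical to a node-group name, so the two files are worth checking against each other. The following Python script is an added example, not part of the munin documentation: the function names are hypothetical, the sample munin.conf and htpasswd contents are constructed, and group names are derived only from the ``[group;host]`` and ``[host.domain]`` header forms.

```python
import re

ADMIN_USER = "admin"  # all-access user name from the nginx config above
HEADER = re.compile(r"^\s*\[([^\]]+)\]")  # a munin.conf [..] section header

def munin_groups(conf_text):
    """Top-level group names from munin.conf node headers.

    Headers with neither ';' nor '.' are skipped (no group derived here).
    """
    groups = set()
    for line in conf_text.splitlines():
        m = HEADER.match(line)
        name = m.group(1).strip() if m else ""
        if ";" in name:
            # explicit form: [group;host] or [group;subgroup;host]
            groups.add(name.split(";", 1)[0].strip())
        elif "." in name:
            # [host.example.com] places the node in group "example.com"
            groups.add(name.split(".", 1)[1])
    groups.discard("")
    return groups

def htpasswd_users(htpasswd_text):
    """User names from htpasswd lines of the form name:hash[:comment]."""
    users = set()
    for line in htpasswd_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            users.add(line.split(":", 1)[0])
    return users

def audit(conf_text, htpasswd_text):
    groups, users = munin_groups(conf_text), htpasswd_users(htpasswd_text)
    return {
        # would be redirected to /munin/<user>/, which matches no group
        "users_without_group": sorted(users - groups - {ADMIN_USER}),
        # visible to the admin user only
        "groups_without_user": sorted(groups - users),
        # a group called "admin" would share its name with the all-access user
        "admin_name_is_group": ADMIN_USER in groups,
    }

# Constructed sample inputs (not from a real installation)
SAMPLE_CONF = ("[acme;web1.acme.example]\n    address 192.0.2.10\n"
               "[acme;db1.acme.example]\n    address 192.0.2.11\n"
               "[mail.globex.example]\n    address 192.0.2.20\n")
SAMPLE_HTPASSWD = "# placeholder hashes\nadmin:$apr1$x\nacme:$apr1$x\ninitech:$apr1$x\n"

if __name__ == "__main__":
    print(audit(SAMPLE_CONF, SAMPLE_HTPASSWD))
```

To audit a real installation, pass the contents of /etc/munin/munin.conf and of the file named in ``auth_basic_user_file`` to ``audit()``.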