[Check_mk (english)] Check_MK Analyze config warns about http

Mäkelä, Antti Antti.Makela at vintor.fi
Mon Feb 25 10:04:50 CET 2019


We noticed something:

  HTTPS does work, but apparently if there is ever a redirect, such as when a user accesses site with https://server.name/sitename - the redirect goes to http://server.name/sitename/check_mk

  The redirects are apparently based on etc/apache/conf.d/omd.conf based on the incoming protocol. And OMD sees the incoming request always as http since there's the proxy setup in place.

  We really don't want to encrypt a connection twice. What's the best practice here? Should we run without separate Apache for OMD/Check_mk?

-- 
- Dr. Antti Mäkelä | Senior Architect | CCIE #20962 -
- Vintor Oy, Itsehallintokuja 6, 02600 Espoo | www.vintor.fi -

-----Original Message-----
From: checkmk-en <checkmk-en-bounces at lists.mathias-kettner.de> On Behalf Of Mäkelä, Antti
Sent: torstai 21. helmikuuta 2019 19.09
To: checkmk-en at lists.mathias-kettner.de
Subject: [Check_mk (english)] Check_MK Analyze config warns about http

Hi,

  the new 1.5.0 has "analyze config" functionality.

  It gives warning for several of our sites:

WARN: Site is using plain HTTP. Consider enabling HTTPS. (!)

  All well and good, but site *is* using HTTPS.What is needed to get rid of this warning? 

  I look at the source code and it says simply

    def execute(self):
        if html.is_ssl_request():
            yield ACResultOK(_("Site is using HTTPS"))
else:
            yield ACResultWARN(_("Site is using plain HTTP......

  So ok, it's checking whether the request came in as SSL.

  Well, *all* the requests come in as plain HTTP due to the fact that we are running Apache in "own" mode, under port 5000, and the "primary" Apache of the site actually grabs the incoming HTTPS and proxies it in plaintext to port 5000 on the localhost. I wouldn't consider this to be a security problem.

  However, am I missing something here? Or can I just ignore this warning? I thought that the best practice is to have a site run it's own webserver that is only accessible to localhost?

--
- Dr. Antti Mäkelä | Senior Architect | CCIE #20962 -
- Vintor Oy, Itsehallintokuja 6, 02600 Espoo | www.vintor.fi -
_______________________________________________
checkmk-en mailing list
checkmk-en at lists.mathias-kettner.de
Manage your subscription or unsubscribe
https://lists.mathias-kettner.de/cgi-bin/mailman/listinfo/checkmk-en


More information about the checkmk-en mailing list