NGINX with Reverse Proxy and CSF settings

[SPDTeam]

Hi all

I've recently installed NGINX with Reverse Proxy successfully.

The server had ConfigServer Security & Firewall (CSF) installed previous to this and I'm wondering are there any CSF setting that should be changed?

For example the lfd average high load emails include an Apache status attachment. This usually shows the Apache status at the time of the high load, but when I open it now it shows error " Unable to retrieve Apache Server Status [http://127.0.0.1/whm-server-status] - Unable to download: Forbidden ".

Assume this just need a config change somewhere, but there may be other recommendations others have come across.

Tried looking up info on the CSF forums, but nothing stands out. Any advice would be appreciated.

 

[cPRex]

Hey there! No, there are no settings in CSF that need to be adjusted when you install Nginx. I'm aware that LiteSpeed doesn't work with the Apache status as we have that documented here, but nginx should work normally.

I am not able to reach http://x.x.x.x/whm-server-status on my personal server, which doesn't have Nginx installed, but does have CSF/LFD so I'm wondering if that link should be something else? Is that the entire URL from the message?

 

[SPDTeam]

Hey there! No, there are no settings in CSF that need to be adjusted when you install Nginx. I'm aware that LiteSpeed doesn't work with the Apache status as we have that documented here, but nginx should work normally.

I am not able to reach http://x.x.x.x/whm-server-status on my personal server, which doesn't have Nginx installed, but does have CSF/LFD so I'm wondering if that link should be something else? Is that the entire URL from the message?

Hi cPRex

After a bit more digging in CSF I found that lfd.log also shows the same error as in the email.

CSF Configuration setting PT_APACHESTATUS is set to http://127.0.0.1/whm-server-status. With description "This is the Apache Server Status URL used in the email alert. Requires the Apache mod_status module to be installed and configured correctly".

This isn't installed on the server but must have been prior to NGINX installation, and mod_status module isn't available via EasyApache. Is this by design?.

Another thing I noticed, which may or maynot be related, is CSF System Statistics no longer show any Apache based stats post NGINX installation. This is the same for MUNIN as well.

 

[cPRex]

We do include the "status_module" as a package with Apache that can't be removed. You can see that with "httpd -M | grep status" on the system. This is the same as "mod_status" - mod_status - Apache HTTP Server Version 2.4

So it is normal that you don't see a way to install that since it shouldn't be removed/installed on any server as it just always there.

I can confirm that running "curl http://127.0.0.1/whm-server-status" from the server's command line does pull the correct report, but I wouldn't expect this to work in any type of clickable link as would then no longer be local. Are you able to run that from your local system with no issues?

 

[SPDTeam]

We do include the "status_module" as a package with Apache that can't be removed. You can see that with "httpd -M | grep status" on the system. This is the same as "mod_status" - mod_status - Apache HTTP Server Version 2.4

So it is normal that you don't see a way to install that since it shouldn't be removed/installed on any server as it just always there.

I can confirm that running "curl http://127.0.0.1/whm-server-status" from the server's command line does pull the correct report, but I wouldn't expect this to work in any type of clickable link as would then no longer be local. Are you able to run that from your local system with no issues?

Running "httpd -M | grep status" I get "status_module (shared)".

Running "curl http://127.0.0.1/whm-server-status" on the server I get the response:

<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx</center>
</body>
</html>

 

[quietFinn]

I'd suggest that you check /etc/apache2/logs/error_log & /etc/apache2/logs/modsec_audit.log, you might see why that 403 error is given,

 

[cPRex]

Like @quietFinn said, this confirms the issue isn't with the module or with CSF, but there is something blocking that status page on the server.

 

[SPDTeam]

Like @quietFinn said, this confirms the issue isn't with the module or with CSF, but there is something blocking that status page on the server.

Figure out what the cause was, should have realised.

When NGINX with Reverse Proxy is installed it updates the Apache to new default ports. i.e. 80 to 81 and 443 to 444, etc.

Changing the PT_APACHESTATUS setting in CSF to include the new port resolved the issue. This also fixed the the CSF System Statistics Apache based stats as well.

Munin is still not showing Apache stats but assume its a similar issue. Just need to find the right config file.

 

[nwd]

Great catch @SPDTeam. Heres the detailed steps to resolve this issue for others.

1. Go to WHM > ConfigServer Security & Firewall > Firewall Configuration
2. Find and Edit PT_APACHESTATUS URL
   • Update URL to http://127.0.0.1:81/whm-server-status
   • ORIGINAL URL:: http://127.0.0.1/whm-server-status
3. Restart CSF/LFD