[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [monit] Blocking specific GET requests to M/Monit

From: Jan-Henrik Haukeland
Subject: Re: [monit] Blocking specific GET requests to M/Monit
Date: Tue, 03 Feb 2009 08:21:29 +0100

I second Alexander suggestions. Another alternative is to setup Apache in front of M/Monit as a proxy. I strongly recommend NOT exposing the mmonit server to the wild. Most importantly, since mmonit does not yet support SSL, login will be done in cleartext over the wire which is very bad. Also as a general security rule, tools like M/Monit should NOT be directly accessible from the cloud.

To setup Apache to proxy mmonit, you can add something like this to httpd.conf:

# Proxy mmonit
ProxyPass /mmonit/ http://localhost:8080/
ProxyPassReverse /mmonit/ http://localhost:8080/
<Location /monit/>
        Order deny,allow
        Deny from
        Allow from all

Using M/Monit behind an Apache proxy also has the added benefit that you can use SSL in Apache. This means that all communication between mmonit and clients are encrypted in the cloud, which means that login also will be secure.


On 2. feb.. 2009, at 22.17, Aleksander Kamenik wrote:

Christopher Opena wrote:
Hey everyone, just checking in to see if anyone else has had similar experiences with bots attempting to GET the usual 'azenv.php' and 'prx1.php' files in order to use them as proxies. I use mod_security in Apache to block these requests and also disable proxies in httpd.conf, but I'm not entirely sure how to go about doing this in M/Monit. My M/Monit site has its web UI open to the internet since we have a fairly mobile set of people accessing it from multiple networks (cafes, wifi, home, etc.)

I hope you're running on HTTPS then. And even so, I wouldn't trust internet cafe's etc as they still might be recording your passwords.

The real solution to your real problem is setting up a VPN (I'd recommend OpenVPN) and providing your people with a trusted inet enabled device. 404 requests to your server are not a problem.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]