
Correct configuration for Munin

Ali
12 July 2012, 09:15
I'm trying to run Munin with Hiawatha and, because of my lack of experience with CGI software, I can't make it draw graphs for my server.

This is what I've done so far;
Installed Munin from the official repositories: http://packages.debian.org/wheezy/munin
Edited /etc/munin/munin.conf:
dbdir   /var/lib/munin
htmldir /var/www/munin/http
logdir /var/www/munin/logs
rundir /var/run/munin
cgitmpdir /var/lib/munin/cgi-tmp
includedir /etc/munin/munin-conf.d
graph_strategy cgi
html_strategy cgi
rrdcached_socket /var/run/rrdcached.sock
[localhost.localdomain]
address 127.0.0.1
use_node_name yes

Edited /etc/hiawatha/hiawatha.conf
ServerId = www-data
ConnectionsTotal = 150
ConnectionsPerIP = 10
SystemLogfile = /var/log/hiawatha/system.log
GarbageLogfile = /var/log/hiawatha/garbage.log
ExploitLogfile = /var/log/hiawatha/exploit.log
LogFormat = extended
ServerString = Hiawatha
CGIwrapper = /usr/sbin/cgi-wrapper
Binding {
Port = 80
MaxKeepAlive = 30
MaxRequestSize = 5120
TimeForRequest = 3,20
}
BanOnGarbage = 300
BanOnMaxPerIP = 60
BanOnMaxReqSize = 300
KickOnBan = yes
RebanDuringBan = yes
BanOnDeniedBody = 300
BanOnSQLi = 300
BanOnFlooding = 10/1:60
BanlistMask = deny 192.168.0.0/24, deny 127.0.0.1
BanOnInvalidURL = 300
ReconnectDelay = 3
HideProxy = 127.0.0.1
MaxServerLoad = 0.8
CGIhandler = /usr/sbin/php5-fpm:php,php5,cgi
FastCGIserver {
FastCGIid = PHP5
ConnectTo = 127.0.0.1:9000
Extension = php,php5,cgi
SessionTimeout = 30
}
Hostname = 67.217.000.000
WebsiteRoot = /var/www/hiawatha
StartFile = index.html
AccessLogfile = /var/log/hiawatha/access.log
ErrorLogfile = /var/log/hiawatha/error.log
ExecuteCGI = yes
UseFastCGI = PHP5
Include /etc/hiawatha/sites-enabled/

Created a virtual host;
UrlToolkit {
ToolkitID = munin
RequestURI isdir Return
RequestURI isfile Return
Match ^/cgi-bin/munin-cgi-graph/(.*) Rewrite /$1 Continue
Match ^/(.*).png$ Rewrite /usr/lib/cgi-bin/munin-cgi-graph/$1.png
Match ^/(.*).html$ Rewrite /usr/lib/cgi-bin/munin-cgi-html/$1.html
}
VirtualHost {
Hostname = munin.domain.com
WebsiteRoot = /var/www/munin/http
StartFile = index.html
AccessLogfile = /var/www/munin/logs/access.log
ErrorLogfile = /var/www/munin/logs/error.log
TimeForCGI = 15
UseFastCGI = PHP5
UseToolkit = munin
WebDAVapp = no
DenyBody = ^.*%3Cscript.*%3C%2Fscript%3E.*$
DenyBody = ^.*%3CsCrIpT.*%3C%2FScRiPt%3E.*$
DenyBody = ^.*%3CScRiPt.*%3C%2FsCrIpT%3E.*$
DenyBody = ^.*%3CSCRIPT.*%3C%2FSCRIPT%3E.*$
DenyBody = ^.*%3CSCRIPT.*%3C%2Fscript%3E.*$
DenyBody = ^.*%3Cscript.*%3C%2FSCRIPT%3E.*$
DenyBody = ^.*%3Cmeta.*%2F%3E.*$
DenyBody = ^.*%3CMETA.*%2F%3E.*$
DenyBody = ^.*%3CMeTa.*%2F%3E.*$
DenyBody = ^.*%3CmEtA.*%2F%3E.*$
DenyBody = ^.*%3Ciframe.*%2F%3E.*$
DenyBody = ^.*%3CIFRAME.*%2F%3E.*$
ExecuteCGI = yes
PreventCSRF = yes
PreventSQLi = yes
PreventXSS = yes
}

This is the /etc/hiawatha/php-fcgi.conf;
PidFile = /var/run/php5-fpm.pid
MaxRequests = 100
Server = /usr/sbin/php5-fpm ; 3 ; 127.0.0.1:9000 ; www-data ; /etc/php5/fpm/php.ini

And, this is what /etc/php5/fpm/php-fpm.conf looks like;
[global]
pid = /var/run/php5-fpm.pid
error_log = /var/log/php5-fpm.log
process.max = 10
include=/etc/php5/fpm/pool.d/*.conf

When I compared the sample Apache configuration rewrite rules on the Munin website with my wigwam debugging results, the UrlToolkit I've created seems to be working as it should.
url: /static/
old: /static/

url: /cgi-bin/munin-cgi-graph/localdomain/localhost.localdomain/if_eth0-day.png
new: /usr/lib/cgi-bin/munin-cgi-graph/localdomain/localhost.localdomain/if_eth0-day.png

url: /localdomain/localhost.localdomain/if_eth0.html
new: /usr/lib/cgi-bin/munin-cgi-html/localdomain/localhost.localdomain/if_eth0.html

I feel like the problem is related to CGI execution. I believe the empty /var/log/munin/munin-cgi-graph.log and /var/log/munin/munin-cgi-html.log files are also hinting at this.

What am I doing wrong? I'm running php quite well with the above settings, by the way. Is the php-fpm the wrong tool to begin with this sort of software?


Hiawatha version: 8.4
Operating System: Debian Wheezy
Hugo Leisink
12 July 2012, 17:55
Match ^/(.*).png$ Rewrite /usr/lib/cgi-bin/munin-cgi-graph/$1.png
Match ^/(.*).html$ Rewrite /usr/lib/cgi-bin/munin-cgi-html/$1.html

This can't be right. You need to rewrite a URL to something that is located in the webroot directory. I'm very sure that there ain't no directory /usr/lib present in your WebsiteRoot directory.
Ali
12 July 2012, 18:58
Oops, you are right, there isn't any.

According to the Munin Wiki [munin-monitoring.org], this is the proposed way for running it under Apache:
<VirtualHost *:80>
ServerName munin.example.org
ServerAlias munin

ServerAdmin info@example.org

DocumentRoot /srv/www/munin.example.org

ErrorLog /var/log/apache2/munin.example.org-error.log
CustomLog /var/log/apache2/munin.example.org-access.log combined

ServerSignature Off

Alias /static /etc/munin/static

# Rewrites
RewriteEngine On

# HTML
RewriteCond %{REQUEST_URI} !^/static
RewriteCond %{REQUEST_URI} .html$ [or]
RewriteCond %{REQUEST_URI} =/
RewriteRule ^/(.*) /usr/lib/cgi-bin/munin-cgi-html/$1 [L]

# Images

# - remove path to munin-cgi-graph, if present
RewriteRule ^/cgi-bin/munin-cgi-graph/(.*) /$1

RewriteCond %{REQUEST_URI} !^/static
RewriteCond %{REQUEST_URI} .png$
RewriteRule ^/(.*) /usr/lib/cgi-bin/munin-cgi-graph/$1 [L]

# Ensure we can run (fast)cgi scripts
<Directory "/usr/lib/cgi-bin">
Options +ExecCGI
<IfModule mod_fcgid.c>
SetHandler fcgid-script
</IfModule>
<IfModule !mod_fcgid.c>
SetHandler cgi-script
</IfModule>
</Directory>

</VirtualHost>

Does Apache support rewriting URLs out of the web root?
Hugo Leisink
13 July 2012, 10:08
Does Apache support rewriting URLs out of the web root?

I have no idea. Haven't used Apache for about ten years.
Ali
15 July 2012, 10:35
Haven't used Apache for about ten years.


That's quite understandable. I believe no one would expect otherwise from a person who wrote his own webserver.
Nick Coleman
6 August 2012, 11:43
Last I checked (quite some time ago), Apache has an option that allows soft links to outside the web root.

Did you get this working? I'm looking to do the same thing.
Hugo Leisink
6 August 2012, 12:00
You can use the FollowSymlinks setting for that. See the manual page for more information about this setting.
Ali
7 August 2012, 16:37
Did you get this working? I'm looking to do the same thing.


Not yet.

I don't know why I never thought of the "FollowSymlinks" option before. I might give it a try. Thanks Hugo.
Nick Coleman
12 August 2012, 12:26
FWIW, it works out of the box for me using the 'alias = /munin:/var/cache/munin/www' parameter in the VirtualHost section.

One small issue is that if I password protect the /var/cache/munin/www directory using a .hiawatha file, the text displays, but the graphs (which are in sub-directories) don't display.

It is like the .hiawatha setting doesn't ripple down to sub-directories. I haven't bothered to investigate it or to set .hiawatha files in all the sub-dirs as I'm not particularly bothered by exposing munin to the world.
Hugo Leisink
16 August 2012, 09:14
When using the PasswordFile option in a .hiawatha, make sure to specify the complete path to your password file. Otherwise, Hiawatha doesn't know where to look when a file is requested from a subdirectory. If you use only the filename of the password file, it will look for that file in the subdirectory itself.
This topic has been closed.
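
The relative-path pitfall described in the last reply can be checked for mechanically. The following Python script is an added example, not part of the thread or of Hiawatha itself: it walks a web root, finds `.hiawatha` files whose PasswordFile value is not an absolute path, and lists the subdirectories where a file of that name does not exist. The `PasswordFile = [basic:|digest:]<path>` syntax, the function names and the sample directory tree are assumptions made for the example.

```python
import os
import re
import tempfile

# Assumed .hiawatha syntax: "PasswordFile = [basic:|digest:]<path>" or "none".
PWFILE_RE = re.compile(r"^\s*PasswordFile\s*=\s*(?:(?:basic|digest):)?\s*(\S+)", re.I)

def audit_passwordfiles(webroot):
    """Report .hiawatha PasswordFile values that are not absolute paths."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        if ".hiawatha" not in files:
            continue
        conf = os.path.join(dirpath, ".hiawatha")
        with open(conf, encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                m = PWFILE_RE.match(line.split("#", 1)[0])
                if not m or m.group(1).lower() == "none":
                    continue
                value = m.group(1)
                if os.path.isabs(value):
                    continue
                # A relative name is looked up in the directory of the requested
                # file, so list the subdirectories that hold no such file.
                missing = sorted(
                    os.path.relpath(sub, webroot)
                    for sub, _d, _f in os.walk(dirpath)
                    if sub != dirpath and not os.path.isfile(os.path.join(sub, value))
                )
                findings.append({"file": conf, "line": lineno,
                                 "value": value, "subdirs_without_file": missing})
    return findings

def build_sample(root, passwordfile_value):
    """Constructed tree: a protected Munin directory with graph subdirectories."""
    os.makedirs(os.path.join(root, "localdomain", "localhost.localdomain"))
    with open(os.path.join(root, ".hiawatha"), "w") as fh:
        fh.write("PasswordFile = %s\n" % passwordfile_value)
    open(os.path.join(root, "passwords"), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp, "basic:passwords")  # filename only, as in the thread
        for f in audit_passwordfiles(tmp):
            print("%(file)s:%(line)d relative PasswordFile %(value)r" % f)
            print("  not found in:", ", ".join(f["subdirs_without_file"]))
```
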