Is it possible to use the Apache webserver as SSL proxy for PRTG?

Article Comments

This article applies to PRTG Network Monitor 12 or later

This article does NOT describe a full configuration of Apache. You might need to apply some security adjustments!!!

Using Apache Web Server as SSL Proxy for PRTG

There are some prerequisites that must be met if you plan to follow this article:

  • Basic knowledge of the Apache Webserver and rewrite rules
  • A running Apache web server
  • Activated modules: mod_ssl, mod_proxy, mod_proxy_http, mod_rewrite
  • Make sure the machine running PRTG is accessible from the machine running Apache

Configure PRTG

  • On the machine running the PRTG core server, open the PRTG Server Administrator tool and configure the PRTG web server to run without SSL on http (a custom http port may be used).
  • In the PRTG web interface, configure the same DNS name (Setup | System & Website, option DNS name) as you will use for the Apache later.

Configure Apache

Note: For reasons of simplicity we used the SSL certificates which are delivered with PRTG. If you want use your own SSL cert, please see: SSL Certificate Installation in Apache

  • Copy the PRTG certificate files (prtg.crt and prtg.key) from the machine where PRTG is installed (<PRTG Program Directory>\cert) to the machine where Apache is running (in this example to /var/www/cert).
  • Create a new file called vhost_prtg_ssl in your sites-available directory
  • Put the following content in it: 
<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerName yourdomain.com
        RewriteEngine on
        RewriteRule ^/(.*)$ http://YOUR_PRTG_SERVER/$1 [P,L]


        ErrorLog ${APACHE_LOG_DIR}/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
        SSLEngine on
        SSLCertificateFile    /var/www/cert/prtg.crt
        SSLCertificateKeyFile /var/www/cert/prtg.key

</VirtualHost>
</IfModule>
  • -> Replace the ServerName ("yourdomain.com" in this case) with the DNS name set up in PRTG (please make sure you have a valid A-Record for the used domain).
  • -> Replace "YOUR_PRTG_SERVER" with the internal server name used for PRTG (the IP also can be used). Don't forget to add the port if you use a non standard port.
  • Since PRTG runs in normal HTTP mode and thus it will create links without https, we will have to redirect them from http to https in Apache. To achieve this, create another file in your sites-available directory called vhost_prtg.
  • Put the following content in it: 
<VirtualHost *:80>
        ServerName yourdomain.com
        RewriteEngine on
        RewriteCond %{HTTPS} !=on
        RewriteRule ^/?(.*)$ https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>
  • -> Replace the ServerName ("yourdomain.com" in this case) with the DNS name set up in PRTG (Please make sure you have a valid A-Record for the used domain)
  • The ServerName and the set up DNS name in PRTG have to match in all files resp. PRTG itself
  • --> This will make Apache redirect all http requests to https.
  • Then either create a symbolic link ("ln -s source target") in your sites-enabled directory for the just created files or just copy them over from sites-enabled.
  • Restart your Apache Webserver. Now you should be able to connect to PRTG via your SSL Proxy

Note: All external PRTG applications (Enterprise Console, PRTGdroid, iPRTG) should work with this solution as well.

Any feedback on the article or further suggestions are highly appreciated.

See also


Oct, 2012 - Permalink

You also missed: -Enable the SSL module: sudo a2enmod ssl sudo a2enmod rewrite -disable the default config with: sudo a2dissite 000-default.conf -The config files should be vhost_prtg_ssl.conf and vhost_prtg.conf, respectively. This in order to be compliant with the Apache config file modularity. -Then enable both site configs with: sudo a2ensite vhost_prtg_ssl sudo a2ensite vhost_prtg sudo service apache2 reload (with this you can skip the part: Then either create a symbolic link ("ln -s source target") in your sites-enabled directory for the just created files or just copy them over from sites-enabled.)


Oct, 2017 - Permalink

Can I use Apache as reverseproxy to handle PRTG as context?

https://mydomain.com/prtg -> http://myprtgserver

Best Regards Christian


Dec, 2017 - Permalink

Hello Christian,
please excuse the delay in our reply.

I was informed by the article's author that this is currently not possible due to the way PRTG internally handles links.

Best Regards,
Luciano Lingnau [Paessler Support]


Dec, 2017 - Permalink

Hello

Is it possible to use SSL between apache and PRTG? Otherwise all passwords are transfered in plaintext between the proxy and the PRTG webserver.

We use the SSL proxy to acces the webserver from the internet (for app without VPN).

Cheers


Jun, 2018 - Permalink

Dear vps,

I don't know about Apache's side, but PRTG can use HTTPS. This can be configured in the PRTG Administration Tool.


Jun, 2018 - Permalink

Hello

I figured out how to use an apache as a reverse proxy for PRTG while still being able to use internal HTTPS certificate:

<IfModule mod_ssl.c> <VirtualHost *:443> ServerName YOUR_SERVER.COM DocumentRoot /var/www/html

ErrorLog ${APACHE_LOG_DIR}/error.log

  1. Possible values include: debug, info, notice, warn, error, crit,
  2. alert, emerg. LogLevel warn

CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined SSLEngine on

  1. Adjust the following two lines to use your own certificate (lets encrypt works fine) SSLCertificateFile /etc/letsencrypt/live/cert.pem SSLCertificateKeyFile /etc/letsencrypt/live/privkey.pem

SSLProxyEngine on SSLProxyVerify none SSLProxyCheckPeerCN off SSLProxyCheckPeerName off

  1. Adjust following two lines according to your infrastructure ProxyPass / "https://INTERNAL_IP_OR_DNSNAME:443/" ProxyPassReverse / "https://EXTERNAL_IP_OR_DNSNAME:443/"

</VirtualHost> </IfModule>


Jun, 2018 - Permalink

due to this Information is at least 3 years old, I would like to do some follow up..

here is my vhost config for prtg:

## monitoring\\ <VirtualHost *:80>\\ ServerName monitoring.domain.com\\ RewriteEngine on\\ RewriteCond %{HTTPS} !=on\\ RewriteRule ^/?(.*)$ https://%{SERVER_NAME}/$1 [R,L]\\ </VirtualHost>\\ \\ ## SSL_monitoring.domain.com\\ <VirtualHost *:443>\\ SSLEngine on\\ SSLProxyCheckPeerCN off\\ SSLProxyCheckPeerName off\\ SSLCertificateFile /_CERT/fullchain.pem\\ SSLCertificateKeyFile /_CERT/privkey.pem\\ SSLProxyVerify none\\ ProxyPreserveHost On\\ Protocols h2 http/1.1\\ Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"\\ ServerName monitoring.domain.com\\ <Proxy *:443>\\ Order allow,deny\\ Allow from all\\ </Proxy>\\ SSLProxyEngine on\\ ProxyPass / http://10.1.1.6:80/ retry=3 timeout=3000\\ ProxyPassReverse / http://10.1.1.6:80/\\ ErrorLog ${APACHE_LOG_DIR}/monitoring.domain.com.log\\ CustomLog ${APACHE_LOG_DIR}/monitoring.domain.com.log combined\\ </VirtualHost>

and this is my vhost ssl settings:

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1\\ SSLHonorCipherOrder off\\ SSLSessionTickets off\\ SSLUseStapling On\\ SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"\\

Settings on prtg:
- no ssl
- port 80

my apache version is:
Apache/2.4.38 (Debian)

It seems that everything is working, but accessing from outside, the devices are not showing up. The devices tab is completely empty.

also tested nginx - facing same issue.

anyone facing similar problems?


Nov, 2021 - Permalink

Yaya,

Are you logging into PRTG as an administrator account? Can you try logging into it with an incognito tab?

Benjamin Day
[Paessler Support]


Nov, 2021 - Permalink