Checkmk
to checkmk.com

1. Prerequisites

If you wish to install Checkmk over HTTPS the following prerequisites must be satisfied on your monitoring server — irrespective of your sites:

  • You must have a valid server certificate.

  • The apache module mod_ssl is installed and activated.

  • The server is reachable under HTTPS.

  • The Rewrite and the Header module for the web server is available and loaded.

2. Configuring an HTTPS-connection for a site

Add the following lines in the section for the VirtualHost:

/etc/apache2/sites-enabled/000-default
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule (.*) https://%{HTTP_HOST}$1 [L]
RequestHeader set X-Forwarded-Proto "https"

The VirtualHost-configuration is found in these files — depending on the distribution being used:

Debian, Ubuntu

/etc/apache2/sites-enabled/000-default(.conf)

RHEL, CentOS

/etc/httpd/conf.d/ssl.conf

SLES

/etc/apache2/httpd.conf

Following a configuration change the web server must be restarted. The restart commands are different for each distribution:

root@linux# service httpd restart
root@linux# service apache2 restart
root@linux# systemctl restart httpd
root@linux# systemctl restart apache2

3. Additional options

3.1. Setting up HSTS

Making the Checkmk server only accessible via HTTPS is the first and most important step for securing connections to the monitoring. You can, however, increase the security with additional, optional settings. For example, the web server can tell the browser that in future it may only be accessed via HTTPS and that an unsecured connection via HTTP will always be rejected.

This technique is called 'HTTP Strict Transport Security' (HSTS) and is defined for a certain period of time in seconds. Once this period has expired, the browser checks again whether the limitation via HSTS is still valid. To set the option, add the following entry to the HTTPS configuration. Under Debian/Ubuntu, by default this is the file default-ssl.conf:

/etc/apache2/sites-enabled/default-ssl.conf
Header always set Strict-Transport-Security "max-age=31536000"

Important: First set a short time period — e.g. 3600 seconds — to test the setting, otherwise the connection may be permanently rejected in the case of an error! More on this at the Special functions and considerations below.

To see if the new setting works, you can use the curl programme to retrieve the server. Here only the first 4 lines of output are shown in this example:

root@linux# curl -I https://myHost/mySite/check_mk/login.py
HTTP/1.1 200 OK
Date: Tue, 01 Jun 2021 09:30:20 GMT
Server: Apache
Strict-Transport-Security: max-age=3600

Special functions and considerations

Setting up HSTS not only has the advantage of ensuring that only secure connections can be used. Its use also brings with it certain peculiarities of which one must be aware before making the switch:

  • Once the entry to the HSTS has been created by the user’s browser, it can only be removed — at least before the specified time expires — with appropriately detailed knowledge of the browser in question. Note that this does not apply to many users.

  • The connection will be rejected, if, among other things the certificate has expired or has been replaced by a self-signed one. Such sites cannot be bypassed even with an exception.

  • Conversely, HSTS is only taken into account if the certificate is trusted when the connection is first established, otherwise the browser will not create an entry for the certificate.

On this page