Enable Monit SSL
‘Why would I need to enable Monit SSL?’, you ask. Yep, you need SSL for Monit, because if you have authentication enabled, then it means sending your username and password credentials over the air or wire without encryption means even the chicken in Moana could easily intercept and readily figure out your plaintext credentials.
You don’t want that happening, because, if you’ve enabled start, restart, and stop of perhaps your Nginx or MySQL or PHP FPM, you don’t want someone going into your Monit dashboard to turn off your Nginx, for instance.
By default, SSL can be enabled on Monit in the monit configuration file, as indicated in this documentation.
However, like me, if you have Nginx sitting in front of every request going into your server, you probably are using Nginx as a proxy to the localhost running process of Monit.
If that’s you, then enabling at the Monit configuration level might just not be necessary.
Here’s a basic configuration to proxy requests via Nginx to your Monit, adapted from the docs as well:
server {
listen 443 ssl http2;
server_name status.example.co;
include /etc/nginx/ssl/globalssl.conf;
location / {
proxy_pass http://127.0.0.1:2812/;
proxy_set_header Host $host;
# rewrite ^/monit/(.*) /$1 break;
proxy_ignore_client_abort on;
}
}
server {
listen 80;
server_name status.example.co;
rewrite ^ https://$server_name$request_uri? permanent;
}
As usual, the include /etc/nginx/ssl/globalssl.conf will point to the configuration file holding your SSL info.
My globalss.conf file contains something like this:
ssl_session_timeout 10m;
ssl_stapling on;
ssl_stapling_verify on;
ssl_certificate /etc/letsencrypt/live/domainName/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domainName/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'the cipher here';
ssl_dhparam /etc/nginx/ssl/dhparams.pem;
With that said, you restart your Nginx, and you’re good to go with an SSL enabled Monit.
Remember, 2017 is the year to SSL #HTTPS everything!
