Issues with Accessing LibreNMS Externally

Hello All,

I am having an issue with accessing LibreNMS external to the subnet it lives on. I’m running the app on an Ubuntu Server 16.04.5 LTS VM (because I previously had issues with it on an 18.04 install) with nginx.

TL;DR, when I access the GUI on the same subnet as the host, the GUI loads fine and I have no issues. However, when I access the GUI from a natted IP (I have a firewall that the server lives behind, and it NATs to an external IP and a different internal IP [depending on the location the user that needs to access the GUI is coming from]), none of the images or essentially what I imagine is the PHP, loads.

I have tried modifying the /etc/nginx/conf.d/librenms.conf file, because I thought this was related to the “server_name” section not properly being correlated to the natted IP, but I have changed it from the internal IP, the internal domain name (a .local domain), to the external domain name, to the external IP, and none of the changes to that have resolved the issue.

Has anyone encountered this and knows how to fix it? I had LibreNMS installed on a different VM previously and thought I encountered this and the fix was to change that conf file to be the internal IP, but the issue persists.

Any assistance would be greatly appreciated.

Thank you!

For insight, the validation on the install is fine, and we already configured 4 devices to report SNMP data to the server:

root@nms:~# /opt/librenms/validate.php

Component Version
LibreNMS 1.47-97-g1bb782b
DB Schema 2019_01_16_195644_add_vrf_id_and_bgpLocalAs (131)
PHP 7.0.32-0ubuntu0.16.04.1
MySQL 10.0.36-MariaDB-0ubuntu0.16.04.1
RRDTool 1.5.5
SNMP NET-SNMP 5.7.3

====================================

[OK] Composer Version: 1.8.0
[OK] Dependencies up-to-date.
[OK] Database connection successful
[OK] Database schema correct
[WARN] Your install is over 24 hours out of date, last update: Wed, 23 Jan 2019 14:36:55 +0000
[FIX]:
Make sure your daily.sh cron is running and run ./daily.sh by hand to see if there are any errors.
root@nms:~#

Further update, I have updated the server to listen on HTTPS/SSL and have configured it with a signed cert, updated the /etc/nginx/conf.d/librenms.conf file with the subdomain assigned, and it’s still not loading images externally.

Hi,

This is out of the scope of LibreNMS but I will try to help you anyways.

Can you better explain your network diagram?

When you say no images are loaded… does that mean that you could reach the login page and, after login, nothing loads?

What does the developer console (F12) say in the Network tab when you load?

Hey TheGreatDoc,

I appreciate you trying to help. I’m a network security engineer, so this is a bit outside my realm (php and web-based administration) haha.

In short, the network overview is

ISP > Enterprise firewall (NATs the VM to a public IP) > vSwitch (basically just a dumb virtual switch operating on a flat VLAN) > NMS Server.

I was working on getting SSL working with a certificate, and was hoping that would solve the issue. Unfortunately, externally it doesn’t. However, when I got on-site I was having the same issue internally that I described in the original post. I only captured a screenshot of the page before I fixed it for internal users again (had to create an internal DNS A-record to point to the internal IP for the public domain name). So, I don’t have a screenshot of the network tab output yet, now that I’m on-site and it’s fixed internally. But hopefully the screenshot provides some insight. Pretty sure this is PHP related, but honestly have no clue.

That mostly appears to be an incorrect vhost/config.

What's your vhost/DNS/FQDN, and what do you have configured in config.php for $config['base_url'] = "";?

You can obscure domain with domain.tld or whatever you want.

If your librenms is at nms.domain.tld, configured server_name must be the same.

Hey TheGreatDoc,

I originally had not set this, so I changed it.

//Original value
root@nms:/home/xxx# cat /opt/librenms/config.php | grep url
#$config['base_url'] = "http://librenms.company.com";
root@nms:/home/xxx#

//Changed value
root@nms:/home/xxx# cat /opt/librenms/config.php | grep url
$config['base_url'] = "http://nms.DOMAIN.com";
root@nms:/home/xxx#

(the DOMAIN is clearly our domain)

The nginx librenms conf file already has the proper server_name set.

I tried changing that to https, since it’s over SSL and no change either. I just opened the firewall rule temporarily to allow from any internet source and tested on my phone; no pictures or anything except basic ASCII text showing like in the previous screenshot.

Could you please elaborate on what you mean by vhost? A quick google search seems like that’s apache related…sorry if that is a rudimentary question…

vhost is webserver related (apache, nginx, whatever).

If your DNS is nms.domain.com, base_url must be nothing or nms.domain.com.

Also, that should be equal to your server_name configuration in nginx.

You can open developer console with F12, then Network tab, then refresh.

That will print where it is trying to get the files from, and the error code.

Capture and upload here that screen (remember to obscure sensitive data from the pic)
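The rule stated in the reply above (base_url empty or equal to the nginx server_name) can be checked mechanically. This is an added example, not part of the original posts and not LibreNMS code; the host nms.example.com and the sample file contents are constructed, and the http-versus-ssl check is an extra assumption beyond what the reply says.

```python
import re
from urllib.parse import urlparse

# Constructed inputs modelled on the two files quoted in this thread;
# nms.example.com is a placeholder host, not a value from the page.
NGINX_CONF = """
server {
    server_name nms.example.com;
    listen 443 ssl;
}
server {
    listen 80;
    server_name nms.example.com;
}
"""
CONFIG_PHP = '''
#$config['base_url'] = "http://librenms.company.com";
$config['base_url'] = "http://nms.example.com";
'''

def nginx_names(conf):
    """Return (set of server_name hosts, True if a listen line has ssl)."""
    names = set()
    for m in re.finditer(r"^\s*server_name\s+([^;]+);", conf, re.M):
        names.update(m.group(1).split())
    tls = bool(re.search(r"^\s*listen\s[^;]*\bssl\b", conf, re.M))
    return names, tls

def base_url(php):
    """Return the last uncommented $config['base_url'] value, or None."""
    pat = r"""^\s*\$config\[['"]base_url['"]\]\s*=\s*['"]([^'"]*)['"]\s*;"""
    found = re.findall(pat, php, re.M)
    return found[-1] if found else None

def check(conf, php):
    """List mismatches between nginx server_name/TLS and base_url."""
    names, tls = nginx_names(conf)
    url = base_url(php)
    if not url:  # unset or empty base_url: nothing to compare
        return []
    parsed = urlparse(url if "://" in url else "//" + url)
    problems = []
    if parsed.hostname not in names:
        problems.append(f"host {parsed.hostname!r} not in server_name")
    if tls and parsed.scheme == "http":
        problems.append("base_url is http:// but nginx listens with ssl")
    return problems
```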

Here it is. I think we can ignore all the CERT_AUTHORITY_INVALID errors. That’s likely due to SSL inspection on our firewall, because Chrome is validating the certificate perfectly fine. Also, had to replace the regarding ‘.’ with <.> so they wouldn’t show up as links. All of this was red in that window as errors.

nms<.>domain<.>com/:16 GET hxxps://nms<.>domain<.>com/css/bootstrap.min.css net::ERR_CERT_AUTHORITY_INVALID
nms<.>domain<.>com/:17 GET hxxps://nms<.>domain<.>com/css/bootstrap-datetimepicker.min.css net::ERR_CERT_AUTHORITY_INVALID
nms<.>domain<.>com/:18 GET hxxps://nms<.>domain<.>com/css/bootstrap-switch.min.css net::ERR_CERT_AUTHORITY_INVALID
nms<.>domain<.>com/:19 GET hxxps://nms<.>domain<.>com/css/toastr.min.css net::ERR_CERT_AUTHORITY_INVALID
nms<.>domain<.>com/:20 GET hxxps://nms<.>domain<.>com/css/jquery-ui.min.css net::ERR_CERT_AUTHORITY_INVALID
nms<.>domain<.>com/:21 GET hxxps://nms<.>domain<.>com/css/jquery.bootgrid.min.css net::ERR_CERT_AUTHORITY_INVALID
nms<.>domain<.>com/:22 GET hxxps://nms<.>domain<.>com/css/tagmanager.css net::ERR_CERT_AUTHORITY_INVALID
nms<.>domain<.>com/:23 GET hxxps://nms<.>domain<.>com/css/mktree.css net::ERR_CERT_AUTHORITY_INVALID
nms<.>domain<.>com/:24 GET hxxps://nms<.>domain<.>com/css/vis.min.css net::ERR_CERT_AUTHORITY_INVALID
nms<.>domain<.>com/:25 GET hxxps://nms<.>domain<.>com/css/font-awesome.min.css net::ERR_CERT_AUTHORITY_INVALID
nms<.>domain<.>com/:26 GET hxxps://nms<.>domain<.>com/css/jquery.gridster.min.css net::ERR_CERT_AUTHORITY_INVALID
nms<.>domain<.>com/:27 GET hxxps://nms<.>domain<.>com/css/leaflet.css net::ERR_CERT_AUTHORITY_INVALID
nms<.>domain<.>com/:28 GET hxxps://nms<.>domain<.>com/css/MarkerCluster.css net::ERR_CERT_AUTHORITY_INVALID
nms<.>domain<.>com/:29 GET hxxps://nms<.>domain<.>com/css/MarkerCluster.Default.css net::ERR_CERT_AUTHORITY_INVALID
nms<.>domain<.>com/:30 GET hxxps://nms<.>domain<.>com/css/L.Control.Locate.min.css net::ERR_CERT_AUTHORITY_INVALID
nms<.>domain<.>com/:31 GET hxxps://nms<.>domain<.>com/css/leaflet.awesome-markers.css net::ERR_CERT_AUTHORITY_INVALID
nms<.>domain<.>com/:32 GET hxxps://nms<.>domain<.>com/css/select2.min.css net::ERR_CERT_AUTHORITY_INVALID
nms<.>domain<.>com/:33 GET hxxps://nms<.>domain<.>com/css/select2-bootstrap.min.css net::ERR_CERT_AUTHORITY_INVALID
nms<.>domain<.>com/:34 GET hxxps://nms<.>domain<.>com/css/query-builder.default.min.css net::ERR_CERT_AUTHORITY_INVALID
nms<.>domain<.>com/:35 GET hxxps://nms<.>domain<.>com/css/styles.css?ver=20181201 net::ERR_CERT_AUTHORITY_INVALID
nms<.>domain<.>com/:36 GET hxxps://nms<.>domain<.>com/css/light.css?ver=632417642 net::ERR_CERT_AUTHORITY_INVALID
nms<.>domain<.>com/:37 GET hxxps://nms<.>domain<.>com/js/polyfill.min.js net::ERR_CERT_AUTHORITY_INVALID
nms<.>domain<.>com/:38 GET hxxps://nms<.>domain<.>com/js/jquery.min.js net::ERR_CERT_AUTHORITY_INVALID
nms<.>domain<.>com/:39 GET hxxps://nms<.>domain<.>com/js/bootstrap.min.js net::ERR_CERT_AUTHORITY_INVALID
nms<.>domain<.>com/:40 GET hxxps://nms<.>domain<.>com/js/bootstrap-hover-dropdown.min.js net::ERR_CERT_AUTHORITY_INVALID
nms<.>domain<.>com/:41 GET hxxps://nms<.>domain<.>com/js/bootstrap-switch.min.js net::ERR_CERT_AUTHORITY_INVALID
nms<.>domain<.>com/:42 GET hxxps://nms<.>domain<.>com/js/hogan-2.0.0.js net::ERR_CERT_AUTHORITY_INVALID
nms<.>domain<.>com/:43 GET hxxps://nms<.>domain<.>com/js/jquery.cycle2.min.js net::ERR_CERT_AUTHORITY_INVALID
nms<.>domain<.>com/:44 GET hxxps://nms<.>domain<.>com/js/moment.min.js net::ERR_CERT_AUTHORITY_INVALID
nms<.>domain<.>com/:45 GET hxxps://nms<.>domain<.>com/js/bootstrap-datetimepicker.min.js net::ERR_CERT_AUTHORITY_INVALID
nms<.>domain<.>com/:46 GET hxxps://nms<.>domain<.>com/js/typeahead.bundle.min.js net::ERR_CERT_AUTHORITY_INVALID
nms<.>domain<.>com/:47 GET hxxps://nms<.>domain<.>com/js/jquery-ui.min.js net::ERR_CERT_AUTHORITY_INVALID
nms<.>domain<.>com/:48 GET hxxps://nms<.>domain<.>com/js/tagmanager.js net::ERR_CERT_AUTHORITY_INVALID
nms<.>domain<.>com/:49 GET hxxps://nms<.>domain<.>com/js/mktree.js net::ERR_CERT_AUTHORITY_INVALID
nms<.>domain<.>com/:50 GET hxxps://nms<.>domain<.>com/js/jquery.bootgrid.min.js net::ERR_CERT_AUTHORITY_INVALID
nms<.>domain<.>com/:51 GET hxxps://nms<.>domain<.>com/js/handlebars.min.js net::ERR_CERT_AUTHORITY_INVALID
nms<.>domain<.>com/:52 GET hxxps://nms<.>domain<.>com/js/pace.min.js net::ERR_CERT_AUTHORITY_INVALID
nms<.>domain<.>com/:53 GET hxxps://nms<.>domain<.>com/js/qrcode.min.js net::ERR_CERT_AUTHORITY_INVALID
nms<.>domain<.>com/:54 GET hxxps://nms<.>domain<.>com/js/jquery.lazyload.min.js net::ERR_CERT_AUTHORITY_INVALID
nms<.>domain<.>com/:55 GET hxxps://nms<.>domain<.>com/js/lazyload.js net::ERR_CERT_AUTHORITY_INVALID
nms<.>domain<.>com/:56 GET hxxps://nms<.>domain<.>com/js/select2.min.js net::ERR_CERT_AUTHORITY_INVALID
(index):57 GET hxxps://nms<.>domain<.>com/js/librenms.js?ver=20190122 net::ERR_CERT_AUTHORITY_INVALID
(index):69 GET hxxps://nms<.>domain<.>com/js/overlib_mini.js net::ERR_CERT_AUTHORITY_INVALID
(index):70 GET hxxps://nms<.>domain<.>com/js/toastr.min.js net::ERR_CERT_AUTHORITY_INVALID
(index):74 Uncaught ReferenceError: updateResolution is not defined
at (index):74
(anonymous) @ (index):74
(index):239 Uncaught ReferenceError: Bloodhound is not defined
at (index):239
(anonymous) @ (index):239
(index):400 Uncaught ReferenceError: $ is not defined
at (index):400
(anonymous) @ (index):400
(index):614 GET hxxps://nms<.>domain<.>com/js/jquery.gridster.min.js net::ERR_CERT_AUTHORITY_INVALID
(index):469 Uncaught ReferenceError: $ is not defined
at (index):469
(anonymous) @ (index):469
(index):84 GET hxxps://nms<.>domain<.>com/images/librenms_logo_light.svg net::ERR_CERT_AUTHORITY_INVALID
(index):629 Uncaught ReferenceError: Gridster is not defined
at (index):629
(anonymous) @ (index):629
(index):1050 Uncaught ReferenceError: toastr is not defined
at (index):1050
(anonymous) @ (index):1050
(index):1055 Uncaught ReferenceError: $ is not defined
at (index):1055
(anonymous) @ (index):1055
(index):1062 Uncaught ReferenceError: toastr is not defined
at (index):1062
(anonymous) @ (index):1062
/images/manifest.json:1 GET hxxps://nms<.>domain<.>com/images/manifest.json net::ERR_CERT_AUTHORITY_INVALID
/images/favicon-32x32.png:1 GET hxxps://nms<.>domain<.>com/images/favicon-32x32.png net::ERR_CERT_AUTHORITY_INVALID
/images/favicon-16x16.png:1 GET hxxps://nms<.>domain<.>com/images/favicon-16x16.png net::ERR_CERT_AUTHORITY_INVALID

The Network tab:

Sorry, copied the console output from below it. Here’s the screenshot.
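Console output in the format quoted above can be grouped by failure class so the ReferenceErrors are read against the script fetches that were refused. This is an added example, not part of the original posts; the sample lines are constructed, nms.example.com is a placeholder host, and the 404 line is included only for contrast.

```python
import re
from collections import Counter

# Constructed console lines in the format quoted above; nms.example.com
# is a placeholder host and the 404 line is added for contrast.
CONSOLE = """\
(index):38 GET https://nms.example.com/js/jquery.min.js net::ERR_CERT_AUTHORITY_INVALID
(index):35 GET https://nms.example.com/css/styles.css?ver=20181201 net::ERR_CERT_AUTHORITY_INVALID
(index):70 GET https://nms.example.com/js/toastr.min.js net::ERR_CERT_AUTHORITY_INVALID
(index):84 GET https://nms.example.com/images/missing.png 404 (Not Found)
(index):400 Uncaught ReferenceError: $ is not defined
at (index):400
(index):1050 Uncaught ReferenceError: toastr is not defined
"""

FETCH = re.compile(r"\bGET (\S+) (net::ERR_\w+|\d{3})\b")
REFERR = re.compile(r"Uncaught ReferenceError: (\S+) is not defined")

def triage(text):
    """Split console lines into transport failures, HTTP errors, JS errors."""
    out = {"transport": Counter(), "http": Counter(),
           "blocked_scripts": [], "missing_globals": []}
    for line in text.splitlines():
        fetch = FETCH.search(line)
        if fetch:
            url, err = fetch.groups()
            path = url.split("?", 1)[0]
            if err.startswith("net::"):
                # No HTTP response was received: TLS/network layer.
                out["transport"][err] += 1
                if path.endswith(".js"):
                    out["blocked_scripts"].append(path.rsplit("/", 1)[-1])
            else:
                # The server answered: web server / application layer.
                out["http"][err] += 1
            continue
        ref = REFERR.search(line)
        if ref and ref.group(1) not in out["missing_globals"]:
            out["missing_globals"].append(ref.group(1))
    return out

def first_layer_to_fix(result):
    """Transport failures mask everything above them, so rank them first."""
    if result["transport"]:
        return "tls"
    return "http" if result["http"] else "javascript"
```

A `net::ERR_*` line means the browser never received an HTTP response for that asset, while a status code such as 404 means the web server answered, so the two classes point at different layers. A script whose fetch was refused is never executed, which leaves the globals it defines missing.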

Are the codes 404? They don't appear in the image.

If they are 404, that means something is blocking them or nginx is incorrectly configured.

Yep, they are 404, but I don’t get why…here’s the nginx conf file (obscured obvious configs).

root@nms:/home/XXX# cat /etc/nginx/conf.d/librenms.conf
server {
    server_name nms<.>DOMAIN<.>com;
    root /opt/librenms/html;
    index index.php;

    charset utf-8;
    gzip on;
    gzip_types text/css application/javascript text/javascript application/x-javascript image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon;
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
    location /api/v0 {
        try_files $uri $uri/ /api_v0.php?$query_string;
    }
    location ~ \.php {
        include fastcgi.conf;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
    }
    location ~ /\.ht {
        deny all;
    }

    listen 443 ssl;
    ssl_certificate <PATH_TO_CERT>/nms<.>DOMAIN<.>com/fullchain.pem;
    ssl_certificate_key <PATH_TO_CERT_KEY>/nms<.>DOMAIN<.>com/privkey.pem;
    include <PATH_TO_SSL>/options-ssl-nginx.conf;
    ssl_dhparam <PATH_TO_DHGROUPS>/ssl-dhparams.pem;

}
server {
    if ($host = nms<.>DOMAIN<.>com) {
        return 301 https://$host$request_uri;
    }

    listen 80;
    server_name nms<.>DOMAIN<.>com;
    return 404;

}
root@nms:/home/xxx#

Is anyone able to assist with the issue noted above, where external access to the NMS GUI is not loading any images and it appears to be an issue with the NGINX configuration?