How to expose OP5 Monitor's API through a reverse proxy
Version
This article was written for version 6.3.1 of op5 Monitor. It may also work on lower and higher versions unless otherwise stated.
Introduction
If you need to expose Monitor's API to external applications (such as dashboards or the mobile app), the recommended approach is to place a reverse proxy in front of the Monitor server rather than exposing the server itself.
In this how-to we configure the Apache HTTP server as a reverse proxy and cover some basic steps for tightening its security.
Exposing an op5 Monitor system directly to the Internet or other untrusted networks is not recommended. Use a VPN or a similar solution to restrict access wherever possible.
Prerequisites
- Basic Linux/UNIX knowledge
- Root privileges on a server that has network access to port 443 on the host running Monitor
Installation and configuration
We start by installing the Apache HTTP server and its SSL module (mod_ssl):
[root@reverseproxy ~]# yum install -y httpd mod_ssl
Create /etc/httpd/conf.d/monitor-api-proxy.conf with your text editor of choice. The content of this file should look something like this:

<IfModule mod_proxy.c>
    ProxyRequests Off
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPreserveHost On
    ProxyVia On
    SSLProxyEngine On
    ProxyPass /api https://monitorhost:443/api
    ProxyPassReverse /api https://monitorhost:443/api
    CustomLog logs/access_monitor-api-proxy.log combined
    ErrorLog logs/error_monitor-api-proxy.log
</IfModule>

Replace "monitorhost" with the host name or IP address of your Monitor server. Note that ProxyPassReverse takes the local path first and the backend URL second, in the same order as ProxyPass. The Order/Allow directives are Apache 2.2 syntax; on Apache 2.4 use "Require all granted" instead. As written, anyone who can reach the proxy can use the whole API through it; the security recommendations at the end of this article cover how to tighten that.
Restart the Apache HTTP server:
[root@reverseproxy ~]# service httpd restart
You should now have a working reverse proxy. Test the setup with a web browser or with curl from your local system:
[user@desktop ~]# curl --insecure -u user:password https://reverseproxy/api/status/host/monitor/
Replace "reverseproxy" with the host name or IP address of the reverse proxy server, and user:password with valid Monitor credentials. The --insecure flag makes curl skip verification of the proxy's certificate; that is acceptable for a first test against a self-signed certificate, but drop it once a certificate signed by a trusted CA is installed, otherwise the test says nothing about whether the TLS setup is trustworthy.
Security recommendations
- Restrict access to the reverse proxy server with a firewall or similar, so that only the networks of the external applications can reach it
- Use certificates signed by a trusted certificate authority on both the reverse proxy host and the Monitor host
- Limit the reverse proxy to /api/status and /api/filter so that only read-only information is exposed; other parts of the API can submit commands and change configuration
- Configure the reverse proxy to verify the certificate of the Monitor server (SSLProxyVerify); without it the hop between the proxy and Monitor is open to man-in-the-middle attacks even though it uses TLS
- Install and configure the web application firewall mod_security to block brute-force attempts against the API's HTTP basic authentication
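As an added example that is not part of the original article, the following is a hardened version of the configuration file from the installation section that applies the recommendations above: client access limited to one network, only the read-only API paths forwarded, the Monitor server's certificate verified, and non-GET requests refused. The Monitor host name, the CA bundle path /etc/pki/tls/certs/monitor-ca.crt and the client network 203.0.113.0/24 are assumptions; adjust them to your environment.

```apache
# Added example (not from the original article): hardened
# /etc/httpd/conf.d/monitor-api-proxy.conf applying the recommendations above.
# Assumptions: the Monitor host is "monitorhost", the CA that signed its
# certificate is in /etc/pki/tls/certs/monitor-ca.crt, and the external
# consumers live in 203.0.113.0/24. Apache 2.2 syntax, as in the article;
# Apache 2.4 equivalents are noted in comments.
<IfModule mod_proxy.c>
    # Never act as a forward (open) proxy.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyVia On

    # Only the listed client network may use the proxy at all.
    # Apache 2.4: replace the three Order/Deny/Allow lines with
    #   Require ip 203.0.113.0/24
    <Proxy *>
        Order deny,allow
        Deny from all
        Allow from 203.0.113.0/24
    </Proxy>

    # Speak TLS to the Monitor host and refuse the connection unless its
    # certificate chains to our CA and its CN matches "monitorhost".
    SSLProxyEngine On
    SSLProxyVerify require
    SSLProxyVerifyDepth 2
    SSLProxyCACertificateFile /etc/pki/tls/certs/monitor-ca.crt
    SSLProxyCheckPeerCN On
    # Apache 2.4.5 and later: add "SSLProxyCheckPeerName On" so that
    # subjectAltName entries are checked as well.

    # Forward only the read-only parts of the API. The first matching
    # ProxyPass wins, so list the most specific prefixes first. Any other
    # /api path is not mapped at all and the proxy answers 404 without
    # ever contacting Monitor.
    ProxyPass        /api/status https://monitorhost:443/api/status
    ProxyPassReverse /api/status https://monitorhost:443/api/status
    ProxyPass        /api/filter https://monitorhost:443/api/filter
    ProxyPassReverse /api/filter https://monitorhost:443/api/filter

    # The read-only endpoints are queried with GET (assumption; widen the
    # list if your clients POST filter queries). Any other method gets 403.
    # Apache 2.4: replace Order/Deny with "Require all denied".
    <Location /api>
        <LimitExcept GET HEAD>
            Order deny,allow
            Deny from all
        </LimitExcept>
    </Location>

    # Separate logs make brute-force attempts easy to spot and are what
    # mod_security or a log-watching tool should be pointed at.
    CustomLog logs/access_monitor-api-proxy.log combined
    ErrorLog  logs/error_monitor-api-proxy.log
</IfModule>
```

After saving the file, run apachectl configtest before restarting httpd; a typo in an SSLProxy directive is otherwise only discovered when the first proxied request fails. Then repeat the curl test from the installation section for /api/status/ and confirm that a path outside the two allowed prefixes, and a request from outside the allowed network, are refused by the proxy rather than answered by Monitor.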