Unauthenticated Readonly Guest

Monit's built-in HTTP server offers a variety of authentication methods, but scenarios exist where access to the status web page needs to be unauthenticated:

  • Where Monit is only accessible on a private network, so that users/helpdesk staff can quickly determine a host's status.
  • Where access to Monit's HTTP server is via a URL that already enforces access control based on source IP (e.g. http://www.example.com/admin/monit, where all access to resources under /admin is limited to trusted source IP addresses).

In these circumstances, it may be desirable for Monit to unconditionally render a read-only status page.

Procedure

This procedure assumes:

  • You are using Apache to proxy requests for Monit.
  • Apache is on the same host as Monit. If it isn't, you will need to change Monit's configuration to listen on the appropriate IP(s) and allow access from the Apache host.

Configure Monit to allow read-only access to a guest user

    set httpd port 2812 and
      use address localhost
      allow guest:guest readonly

Ensure Apache has mod_headers installed and enabled.

Debian and Ubuntu:

    # a2enmod headers
    # apache2ctl restart

Configure Apache to add authentication headers to requests for the Monit URL

Add the following block to your site's Apache configuration, changing the path to suit:

    RedirectMatch     ^/admin/monit  /admin/monit/

    ProxyRequests off
    ProxyPass         /admin/monit/  http://127.0.0.1:2812/
    ProxyPassReverse  /admin/monit/  http://127.0.0.1:2812/

    <Location /admin/monit/>
      RequestHeader set Authorization "Basic Z3Vlc3Q6Z3Vlc3Q="
    </Location>

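This relies on the fact that HTTP basic authentication always sends the same fixed token for a given username and password: the Base64 encoding of "username:password". Because "RequestHeader set" replaces any Authorization header the client supplied, every request through this path reaches Monit as the guest user. The token is an encoding, not encryption, so anyone who can read the Apache configuration can recover the password; keep the account it maps to read-only.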

Reload Apache and access your host on the relevant path, and you should now have read-only guest access.

If your username and password are not "guest" and "guest", you will need to change the token sent in the "RequestHeader set" line. The token format is described at https://en.wikipedia.org/wiki/Basic_access_authentication#Client_side; on most Linux systems, the following command generates the right token:

    $ printf '%s' 'username:password' | base64
    dXNlcm5hbWU6cGFzc3dvcmQ=
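
A check that can be run over the two configuration files once the procedure is complete (an added example, not part of the original page or of Monit or Apache): it decodes the token Apache injects and confirms that the matching Monit "allow" line is marked readonly. The function names, the sample configuration text and the "admin:monit" account are constructed for illustration; only the plain "user:password" form of "allow" is parsed.

```python
import base64
import binascii
import re

# Monit "allow user:password [readonly]"; host/IP allow lines do not match.
ALLOW_RE = re.compile(
    r'^\s*allow\s+([^\s:@]+):("[^"]*"|\S+)(\s+read-?only\b)?', re.I | re.M)
# Apache lines that inject a fixed Basic token, as in the Location block above.
HEADER_RE = re.compile(
    r'^\s*RequestHeader\s+set\s+Authorization\s+"Basic\s+([A-Za-z0-9+/=]+)"',
    re.I | re.M)

# Constructed sample input (not taken from a real host).
SAMPLE_MONITRC = """set httpd port 2812 and
  use address localhost
  allow admin:monit
  allow guest:guest readonly
"""
SAMPLE_APACHE = """<Location /admin/monit/>
  RequestHeader set Authorization "Basic Z3Vlc3Q6Z3Vlc3Q="
</Location>
"""

def monit_users(monitrc):
    """Map username -> (password, is_readonly) for each credential allow line."""
    return {u: (p.strip('"'), bool(ro)) for u, p, ro in ALLOW_RE.findall(monitrc)}

def injected_credentials(apache_conf):
    """Decode each hard-coded token to (token, user, password); user is None if malformed."""
    out = []
    for token in HEADER_RE.findall(apache_conf):
        try:
            raw = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            raw = ""
        user, sep, pw = raw.partition(":")
        out.append((token, user, pw) if sep else (token, None, None))
    return out

def audit(monitrc, apache_conf):
    """Return findings; an empty list means every injected account is readonly."""
    users, findings = monit_users(monitrc), []
    for token, user, pw in injected_credentials(apache_conf):
        if user is None:
            findings.append(f"{token}: not a valid Basic user:password token")
        elif users.get(user, (None,))[0] != pw:
            findings.append(f"{user}: no matching allow line in monitrc")
        elif not users[user][1]:
            findings.append(f"{user}: injected account is not readonly")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_MONITRC, SAMPLE_APACHE) or "OK: proxy injects a readonly account")
```

A finding of "not readonly" means the proxy path would hand every visitor that account's full Monit control, so it is worth running after any change to either file.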