nginx configuration

This example describes how to set up Munin with nginx. It covers two alternative configurations: 1) serving static, cron-made graphs and HTML, and 2) serving dynamically generated graphs and HTML using FastCGI.

Serving cron-made graphs and HTML

Nginx is quite good at serving static files, and as such the configuration is mostly in place already.

The paths shown are those used on a Debian Linux system. Add the following to /etc/nginx/sites-enabled/default:

location /munin/static/ {
        alias /etc/munin/static/;
        expires modified +1w;
}

location /munin/ {
        auth_basic            "Restricted";
        # Create the htpasswd file with the htpasswd tool.
        auth_basic_user_file  /etc/nginx/htpasswd;

        alias /var/cache/munin/www/;
        expires modified +310s;
}

If this is a dedicated Munin server, you might want to redirect the front page as well:

location / {
        rewrite ^/$ munin/ redirect; break;
}

Using FastCGI

nginx does not spawn FastCGI processes by itself, but comes with an external “spawn-fcgi” program.

We need one process for the graph rendering, and one for the HTML generation.

Munin configuration

This example assumes the following configuration in /etc/munin/munin.conf:

# graph_strategy should be commented out, if present
html_strategy cgi

FastCGI configuration

This will spawn two FastCGI process trees: one for Munin CGI graphing and one for HTML generation. It will create a socket owned by www-data, and run the processes as the “munin” user.

spawn-fcgi -s /var/run/munin/fastcgi-graph.sock -U www-data \
  -u munin -g munin /usr/lib/munin/cgi/munin-cgi-graph

spawn-fcgi -s /var/run/munin/fastcgi-html.sock  -U www-data \
  -u munin -g munin /usr/lib/munin/cgi/munin-cgi-html

Note: Depending on your installation method, the “munin-cgi-*” programs may be in another directory. Check Makefile.config if you installed from source, or your package manager if you used that to install.

Note: If you installed using the package manager on Debian or Ubuntu, the /var/log/munin/munin-cgi-*.log files may be owned by the “www-data” user. This example runs the processes as the “munin” user, so you need to chown the log files, and edit /etc/logrotate.d/munin.

Webserver configuration

location ^~ /munin-cgi/munin-cgi-graph/ {
    fastcgi_split_path_info ^(/munin-cgi/munin-cgi-graph)(.*);
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass unix:/var/run/munin/fastcgi-graph.sock;
    include fastcgi_params;
}

location /munin/static/ {
    alias /etc/munin/static/;
}

location /munin/ {
    fastcgi_split_path_info ^(/munin)(.*);
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass unix:/var/run/munin/fastcgi-html.sock;
    include fastcgi_params;
}

Authentication and group access

If you have Munin statistics and need to allow some users (e.g. customers) to access only the graphs for a subset of nodes, the easiest way might be to use groups, and to authenticate each user under exactly the same name as the node-group name.

Here is an example of how to redirect users to the group that matches their name, and prevent any access to other groups. It also allows an admin user to see everything.

Warning: If you don’t want users to get any information about the other group names, you should also change the templates accordingly, and remove any navigation part that might.

# Here, the whole vhost has auth requirements.
# You can duplicate it to the graph and html locations if you have
# something else that doesn't need auth.
auth_basic            "Restricted stats";
auth_basic_user_file  /some/path/to/.htpasswd;

location ^~ /cgi-bin/munin-cgi-graph/ {
    # not authenticated => no rewrite (back to auth)
    if ($remote_user ~ ^$) { break; }

    # is on the right subtree?
    set $ok "no";
    # admin can see it all
    if ($remote_user = 'admin') { set $ok "yes"; }
    # only allow given path
    if ($uri ~ /cgi-bin/munin-cgi-graph/([^/]*)) { set $path $1; }
    if ($path = $remote_user) { set $ok "yes"; }

    # not allowed here ? redirect them where they should land
    if ($ok != "yes") {
        # redirect to where they should be
        rewrite / /cgi-bin/munin-cgi-graph/$remote_user/ redirect;
    }

    fastcgi_split_path_info ^(/cgi-bin/munin-cgi-graph)(.*);
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass unix:/var/run/munin/fastcgi-graph.sock;
    include fastcgi_params;
}

location /munin/static/ {
    alias /etc/munin/static/;
}

location /munin/ {
    # not authenticated => no rewrite (back to auth)
    if ($remote_user ~ ^$) { break; }

    # is on the right subtree?
    set $ok "no";
    # admin can see it all
    if ($remote_user = 'admin') { set $ok "yes"; }
    # only allow given path
    if ($uri ~ /munin/([^/]*)) { set $path $1; }
    if ($path = $remote_user) { set $ok "yes"; }

    # not allowed here ? redirect them where they should land
    if ($ok != "yes") {
        # redirect to where they should be
        rewrite / /munin/$remote_user/ redirect;
    }

    fastcgi_split_path_info ^(/munin)(.*);
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass unix:/var/run/munin/fastcgi-html.sock;
    include fastcgi_params;
}
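
One way to check that the group restriction above actually holds on a deployed vhost (an added example, not part of the Munin documentation). `BASE_URL`, the `CASES` file and the user and group names in it are assumptions supplied by whoever runs the check.

```sh
#!/bin/sh
# Added example, not part of the Munin documentation.
# Assumptions: BASE_URL points at the vhost configured above; CASES is a
# mode-0600 file with lines "user password other_group", where other_group
# is a group that user must NOT see (passwords without quotes/backslashes).

# classify STATUS REDIRECT_URL USER
# Judge the response to a request USER made for a group that is not theirs.
classify() {
    case "$1" in
        401)  echo bad-credentials ;;   # login failed, isolation not tested
        403)  echo denied ;;
        2??)  echo LEAK ;;              # foreign group content was served
        301|302)
            case "$2" in
                */munin/"$3"/|*/cgi-bin/munin-cgi-graph/"$3"/)
                    echo redirected-home ;;
                *)  echo unexpected-redirect ;;
            esac ;;
        *)    echo unexpected ;;
    esac
}

# probe USER PASSWORD PATH
# Credentials reach curl on stdin (-K -) so they never appear in argv.
probe() {
    out=$(printf 'user = "%s:%s"\n' "$1" "$2" |
          curl -sS -K - -o /dev/null \
               -w '%{http_code} %{redirect_url}' "$BASE_URL$3") || return 2
    classify "${out%% *}" "${out#* }" "$1"
}

# Run every case against both the HTML and the graph location.
run_cases() {
    rc=0
    while read -r user pass other; do
        for path in "/munin/$other/" "/cgi-bin/munin-cgi-graph/$other/"; do
            verdict=$(probe "$user" "$pass" "$path") || verdict=curl-error
            echo "$user -> $path: $verdict"
            [ "$verdict" = redirected-home ] || [ "$verdict" = denied ] || rc=1
        done
    done < "$CASES"
    return $rc
}

if [ -n "${BASE_URL:-}" ] && [ -n "${CASES:-}" ]; then
    run_cases
fi
```

The script exits non-zero if any non-admin user receives anything other than a refusal or a redirect to their own group, so it can run after every configuration or template change.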