Tunneling (Proxying) ntop through Apache

ntop is a great application. One of its best features is the ready-to-go web server it comes with. You can tell ntop to launch an http-only server, an https-only server, or both when it starts. By default ntop will listen on port 3000 for incoming http/https requests.

Unfortunately I like to keep everything organized. I'd like to access my ntop without having to poke any more holes into my firewall. Optimally I wanted to configure an apache virtual host to point to some tidy folder (perhaps /usr/share/ntop/webserver) and then rely on my already configured apache to serve the ntop web files. Well, it's not that easy, but it is possible!

If you look at the ntop (mis) Usage Notes (http://www.ntop.org/UsageNotes.html) they provide some tips on proxying ntop through apache with the apache proxy and proxy_http modules. So I said, cool, let me try that!

So on my Gentoo box I ran:

APACHE2_MODULES="${APACHE2_MODULES} proxy proxy_http" emerge apache

Then inside of my vhosts.conf I found the entry for my super-secret applications SSL virtual host subdomain and added:

ProxyPass /ntop/ http://localhost:3000/

Then, still following the ntop tutorial, I added the following to my .htaccess file. This helps with ntop's linkage-setup:

RewriteEngine On
RewriteCond %{HTTP_REFERER} prosauce.org/ntop
RewriteCond %{REQUEST_URI} !^/ntop
RewriteRule ^/(.*)$ https://secure.prosauce.org/ntop/$1 [L,P]

Here it's important to add the "P" next to the "L" to tell the rewrite module that this is a proxy type rewrite.

So this works great and all, until you realize that things like "style.css" include images which do not have a prosauce.org/ntop referer; they have a prosauce.org/style.css referer, which means your images don't show up. Also, any includes from the javascript in the <header> will not be rewritten since they don't have the correct referer either.

Here's a small capture from Firebug to verify that, although the rewrite rule is including the correct file, any auxiliary http requests will be referred by https://secure.prosauce.org:

[Firebug screenshot: ntop (Mis) Usage Problem]

So after reading a bit more literature I found this page: (http://www.apachetutor.org/admin/reverseproxies) which provides some needed information about how to properly use proxying with apache. This page: (http://www.ntop.org/trac/wiki/ntop) was also essential to solving my ntop woes.

What I really wanted was some script to go through the proxied pages and rewrite all the links to include a /ntop/. As unreasonable as it sounds, there is actually an apache module for proxying that does just this! It's called proxy_html. So on Gentoo the installation is as easy as:

emerge mod_proxy_html

Then start apache with an additional -D PROXY_HTML. On other distributions you may need to add a few lines to the httpd.conf file:

LoadFile /usr/lib/libxml2.so
LoadModule proxy_html_module modules/mod_proxy_html.so
Include /etc/apache/modules.d/name_of_your_proxy_html_conf.conf

The name_of_your_proxy_html_conf file will define the rules which the proxy html module will use to rewrite links and such. Freaking sweet!

So, back to the vhost.conf file, here is what should go into the virtual host configuration to have ntop work properly in apache:

ProxyRequests Off
ProxyHTMLExtended On
ProxyPass /ntop/ http://127.0.0.1:3000/
<Location /ntop/>
  ProxyPassReverse /
  SetOutputFilter proxy-html
  ProxyHTMLURLMap / /ntop/
  ProxyHTMLURLMap /ntop/plugins/ntop /ntop/plugins/
  RequestHeader   unset   Accept-Encoding
</Location>

(At first all I saw was a white screen. It turned out that "SetOutputFilter proxy-html" was the culprit option. The problem ended up being that I wasn't including the mod_proxy_html.conf file which meant that mod_proxy_html was enabled without any rewrite rules. Apparently that results in a white screen... go figure.)

So at this point we're almost finished, whoo! But there was one more issue. The fancy .png pie charts on the summary page stopped showing up. :(

I opened the .png pages (which were apparently just a bunch of html) in an editor, before and after adding the "SetOutputFilter proxy-html", and compared the two.

[Image: ntop-image-compare]

Well it looks like mod proxy html is working fine for the Script src's, but what's that in the body of the Script? a // turned into a /ntop//ntop/? Well that's not good.

To remedy this 'bug' I added the following line to the <Location> in my virtual hosts configuration.

ProxyHTMLURLMap /ntop//ntop/ //

Make sure this is immediately following the first ProxyHTMLURLMap option. This way, when the first option rewrites // to /ntop//ntop/ the second will rewrite it back to //. This was the only 'gotcha' I found with using the URLMap option from mod proxy html. I have not tested the plugins for ntop yet, so I'm not sure how they'll react.

However, it seems like a nice solution to running ntop through apache. You can now add some fancy htaccess files and remotely access ntop without having to open any more holes in the firewall. :)
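
Putting the pieces together, as an added example that is not part of the original post: the complete virtual host fragment with the // fix placed directly after the first ProxyHTMLURLMap, plus HTTP Basic authentication set inside the <Location> block itself, because requests handed to mod_proxy are not mapped to a filesystem directory and a .htaccess file is not consulted for them. The AuthName text and the AuthUserFile path are placeholders, and the block assumes it lives in the SSL virtual host so the credentials travel over TLS.

```apache
# Added example: consolidated reverse-proxy configuration for the SSL vhost.

# Reverse proxy only; never act as an open forward proxy.
ProxyRequests Off
# Also rewrite URLs found inside embedded scripts and stylesheets.
ProxyHTMLExtended On
ProxyPass /ntop/ http://127.0.0.1:3000/

<Location /ntop/>
  ProxyPassReverse /
  SetOutputFilter proxy-html

  # Order matters: the second map undoes what the first does to "//".
  ProxyHTMLURLMap / /ntop/
  ProxyHTMLURLMap /ntop//ntop/ //
  ProxyHTMLURLMap /ntop/plugins/ntop /ntop/plugins/

  # Ask ntop for uncompressed output so the filter can parse it.
  RequestHeader unset Accept-Encoding

  # Access control (placeholder realm name and password file path).
  AuthType Basic
  AuthName "ntop"
  AuthUserFile /path/to/ntop.htpasswd
  Require valid-user
</Location>
```

Running `apachectl configtest` before reloading catches a missing module (mod_headers, mod_auth_basic, mod_proxy_html) before it turns into the white screen described earlier.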