# Netdata monitoring, opening ports?

**URL:** https://discourse.roots.io/t/netdata-monitoring-opening-ports/9321
**Category:** trellis
**Created:** 2017-04-06T09:30:55Z
**Posts:** 11

## Post 1 by @nathobson — 2017-04-06T09:30:55Z

I’m trying to get [netdata](https://github.com/firehol/netdata) installed for monitoring purposes. I’ve used New Relic in the past but it requires installation from root and I have root login disabled on all Trellis instances.

I’ve got an Ansible role that gets netdata all installed and set up but I’m having issues accessing it. It’s accessed via port 19999 but I just get `ERR_CONNECTION_REFUSED`, which I had expected. However, I’m having issues opening the port up.

I’ve amended `ferm_input_list` located in `group_vars/all/security.yml` as follows:

```
ferm_input_list:
  - type: dport_accept
    dport: [http, https]
    filename: nginx_accept
  - type: dport_accept
    dport: [ssh]
    saddr: "{{ ip_whitelist }}"
  - type: dport_limit
    dport: [ssh]
    seconds: 300
    hits: 20
  - type: dport_accept
    dport: [19999]
    protocol: tcp
  - type: dport_accept
    dport: [19999]
    protocol: udp
```

But no luck there (either by provisioning with `--tags ferm` or a full provision). Any ideas?

---

## Post 2 by @swalkinshaw — 2017-04-06T22:45:27Z

`ferm_input_list` is pretty simple and your additions look correct. I don’t have any experience with netdata so maybe it’s something else.

---

## Post 3 by @nathobson — 2017-04-07T09:50:04Z

Hummmm.

OK, well that’s good to know. I can access netdata if I SSH in and `curl 127.0.0.1:19999` but I’m guessing there’s an issue with passing an external request through nginx?

---

## Post 4 by @swalkinshaw — 2017-04-07T14:55:42Z

If netdata requires an HTTP server then yeah you’d need to define that in Nginx. Trellis recently got support for arbitrary sites: [https://roots.io/trellis/docs/nginx-includes/#sites-templates](https://roots.io/trellis/docs/nginx-includes/#sites-templates)

---

## Post 5 by @nathobson — 2017-04-07T15:52:00Z

Ah, interesting. Let me take a shot at that.

---

## Post 6 by @nathobson — 2017-04-07T16:58:21Z

Perhaps a little in over my head – bit stuck debugging this. Looks like the Ansible/Nginx side is all fine but 99% sure the issue is down to my config. Not expecting a ton of support, this is pretty out there! I’ll list what I’ve done so far, in case anyone is interested :grinning:

I’ve updated Trellis to include the [recent Nginx sites configuration support](https://github.com/roots/trellis/commit/7894d2de38284d92af3475c43bee152db3224257).

I’ve added `nginx-includes/netdata.conf.site.j2`, which contains

```
# {{ ansible_managed }}

upstream backend {
    # the netdata server
    server 127.0.0.1:19999;
    keepalive 64;
}

server {
    # nginx listens to this
    listen 80;

    # the virtual host name of this
    server_name netdata.example.co.uk;

    location / {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://backend;
        proxy_http_version 1.1;
        proxy_pass_request_headers on;
        proxy_set_header Connection "keep-alive";
        proxy_store off;
    }
}
```

My `group_vars/production/main.yml` looks like this:

```
mysql_root_password: "{{ vault_mysql_root_password }}" # Define this variable in group_vars/production/vault.yml

nginx_sites_confs:
  - src: no-default.conf.j2
  - src: nginx-includes/netdata.conf.site.j2
```

I’ve run `ansible-playbook server.yml -e env=production --tags nginx-site` and also tried a full provision. Both run as expected.

And as in the OP, I’ve added port `19999` to `group_vars/all/security.yml`.

---

## Post 7 by @fullyint — 2017-04-07T19:29:22Z

I’m not familiar with all of this, but if you have SSL enabled for the primary site, any chance the trouble accessing the netdata subdomain on port 80 is an [HSTS](https://roots.io/trellis/docs/ssl/#hsts) subdomains issue?

> `hsts_include_subdomains` - also make _all_ subdomains be served over HTTPS (default: `true`)

(maybe related [comment/idea](https://github.com/roots/trellis/issues/741#issuecomment-276908640) of making the default `false`)

You’ll know better than I if hsts and https are relevant, but if so, perhaps you could have the virtual host listen on port 443 instead of 80, and maybe you’d want a redirect from http to https ([example](https://github.com/roots/trellis/blob/c1371e3bc231141e5703a4334f2048ef70486a95/roles/wordpress-setup/templates/wordpress-site.conf.j2#L158-L167)).

---

## Post 8 by @nathobson — 2017-04-07T20:31:59Z

Appreciate the reply.

I’m actually just testing this out on a non-production site, so no SSL to keep things simple.

---

## Post 10 by @Luke_Abell — 2019-03-16T02:59:54Z

@nathobson Did you ever get this figured out?

---

## Post 11 by @strarsis — 2019-03-17T22:08:54Z

I had a similar issue, but in that case it was the _hardware firewall_ in front of the cloud instance! I had to open the port in the hardware firewall in the cloud configuration panel, too.
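
---

Added example, not part of the original thread: posts 3 and 11 point at two different layers (a service that answers on 127.0.0.1, and a firewall outside the host). This sketch classifies how a port is bound from `ss -ltn` output so the next check goes to the right layer; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Classify how a TCP port is bound, from `ss -ltn` output on stdin.
# Prints: not-listening | loopback-only | all-interfaces | specific:<addr>
classify_listen() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")   # port is the text after the last colon
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (addr ~ /^127\./ || addr == "[::1]") loop = 1
            else if (addr == "0.0.0.0" || addr == "*" || addr == "[::]") any = 1
            else other = addr
        }
        END {
            if (any) print "all-interfaces"
            else if (other != "") print "specific:" other
            else if (loop) print "loopback-only"
            else print "not-listening"
        }'
}

# Map the binding to the layer worth checking next.
next_layer() {
    case "$1" in
        not-listening) echo "service: nothing is listening on this port" ;;
        loopback-only) echo "bind: only local clients can connect; use the nginx proxy or change the bind address" ;;
        *)             echo "firewall: check the ferm rule, then any provider firewall in front of the host" ;;
    esac
}

# Constructed sample of `ss -ltn` output (not captured from the poster's server).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:19999    0.0.0.0:*
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
LISTEN 0      128    [::]:80            [::]:*
LISTEN 0      128    *:22               *:*
LISTEN 0      128    10.0.0.5:8125      0.0.0.0:*'

for p in 19999 80 8125 3306; do
    b=$(printf '%s\n' "$SAMPLE_SS" | classify_listen "$p")
    printf '%-6s %-20s %s\n' "$p" "$b" "$(next_layer "$b")"
done
# On a live host: ss -ltn | classify_listen 19999
```

When the result is `loopback-only`, an accept rule for the port in `ferm_input_list` has no effect for remote clients, because the socket is not bound to any address they can reach.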
