
Oxidized Quickstart

Oxidized is a "RANCID replacement" that has taken on a life of its own.  It is designed to automatically store, compare, and log configuration files from network-based equipment.

I've never used RANCID, rConfig, or Sweet, but I wanted more than a file share of all the latest configs of our devices, which is what we were doing.

Oxidized seemed the easiest to set up.

Here is how I set one up from scratch.


Installation

  1. Set up an Ubuntu server.  I used 16.04.2, the LTS version available at the time.
    • When asked to create a user, make it oxidized
    • Set the timezone as UTC
    • Run apt-get update and get everything current.
  2. Install dependencies
    sudo apt-get install ruby ruby-dev libsqlite3-dev libssl-dev pkg-config cmake libssh2-1-dev
  3. Install oxidized.
    sudo gem install oxidized
  4. Install the oxidized web front end
    sudo gem install oxidized-script oxidized-web
  5. Run oxidized with no args.  This will create all the required directories, with a sample config in them.
    oxidized

Configuration

  1. Edit /home/oxidized/.config/oxidized/config to customize your system.
I've inserted comments prefixed with // in front of the settings to change.  That is not valid syntax in this file, so don't copy the comments in; they only mark the places where you need to replace the defaults.  I'm not pretending to know what all of these settings mean, but I'm identifying the ones to change.  I don't recommend changing the other defaults (the thread counts, for example) unless you have a good reason.
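As an added example (my own, not the author's annotated listing, which did not survive on this page, and not the file Oxidized generates), here is a minimal config in the same YAML format with # comments on the settings a fresh install needs changed; the credentials, model, paths and git identity are placeholders:

```yaml
---
# Device login used when a node has no per-node or per-group credentials.
# PLACEHOLDERS: replace these, then keep this file mode 0600 (it holds a cleartext password).
username: backupuser
password: CHANGE-ME
# Default model applied when the device source does not name one.
model: ios
# Seconds between backup runs; 3600 = once an hour.
interval: 3600
use_syslog: false
debug: false
threads: 30          # leave the thread count alone unless you have a reason
timeout: 20
retries: 3
# Web/REST listener. Keep it on loopback; only the NGINX proxy should reach it.
rest: 127.0.0.1:8888
pid: "/home/oxidized/.config/oxidized/pid"
input:
  default: ssh, telnet
  debug: false
  ssh:
    # false (the default) skips SSH host-key verification; true checks devices
    # against ~/.ssh/known_hosts so a spoofed device cannot harvest the login.
    secure: true
output:
  # Switch from the default flat files to a git repo so every change is diffable.
  default: git
  git:
    user: oxidized
    email: oxidized@example.com        # placeholder identity for commits
    repo: "/home/oxidized/.config/oxidized/oxidized.git"
source:
  # Device list: one "name:model" line per device in router.db.
  default: csv
  csv:
    file: "/home/oxidized/.config/oxidized/router.db"
    delimiter: !ruby/regexp /:/
    map:
      name: 0
      model: 1
    gpg: false
model_map:
  cisco: ios
  juniper: junos
```

Settings left out keep Oxidized's built-in defaults, so this file only needs the keys you actually change.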


  2. Copy the oxidized.service file from extras to /lib/systemd/system/
    sudo cp /var/lib/gems/2.3.0/gems/oxidized-0.19.0/extra/oxidized.service /lib/systemd/system
  3. Set the service to start at boot
    sudo systemctl enable oxidized.service
That should give you a fully functional Oxidized instance running. You can only access it from localhost.

Wait...  What?  You want authentication?  HTTPS?  Oxidized doesn't support that natively.  The preferred suggestion seems to be:
  • Run an NGINX instance on the same host, configured for HTTPS and authentication
  • Configure Oxidized to only answer 127.0.0.1 queries. (This is Oxidized's default configuration)

Set up an NGINX reverse proxy to enable SSL

  1. Add nginx-extras
    sudo apt-get install nginx-extras
  2. Remove the default site, and copy the example oxidized configuration to NGINX
    sudo rm /etc/nginx/sites-enabled/default
    sudo cp /var/lib/gems/2.3.0/gems/oxidized-0.19.0/extra/oxidized.nginx /etc/nginx/sites-enabled/default
  3. Edit the site config, and enable SSL
    sudo vi /etc/nginx/sites-enabled/default
  4. Create the directory to hold the SSL certs
    sudo mkdir /etc/nginx/ssl
  5. Create the SSL certificates (self-signed, valid for one year)
    sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt
  6. Reload NGINX
    sudo systemctl reload nginx
Your site should be available to both http and https connections now.
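An added example of what the edited site config can look like (my own, not the oxidized.nginx file shipped in extras): TLS with the self-signed pair created above, a redirect so the UI is never served over plain HTTP, and a reverse proxy to the loopback-only Oxidized listener. oxidized.example.com is a placeholder hostname, and authentication is not wired in at this point.

```nginx
# Oxidized's web/REST listener (rest: 127.0.0.1:8888 in its config file).
upstream oxidized {
    server 127.0.0.1:8888;
}

# Plain HTTP: answer only with a redirect so device configs never travel unencrypted.
server {
    listen 80;
    server_name oxidized.example.com;          # placeholder hostname
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name oxidized.example.com;          # placeholder hostname

    # The self-signed pair generated with openssl req above.
    ssl_certificate     /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    ssl_protocols       TLSv1.2;
    ssl_prefer_server_ciphers on;

    # Until authentication is added, anyone who can reach port 443 can read
    # every stored device config, so keep the host firewalled until then.
    location / {
        proxy_pass         http://oxidized;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }
}
```

Run sudo nginx -t before reloading so a typo in the site file does not take the proxy down.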

Configure NGINX to enable LDAP auth

  1. Install prerequisites
    sudo apt-get install nodejs npm
    sudo apt install nodejs-legacy
  2. Create an unprivileged user
    sudo useradd --shell /sbin/nologin -m nginx-auth
  3. Clone the nginx-auth repository
    sudo -u nginx-auth -H git clone https://github.com/justinjahn/nginx-auth.git
  4. Install the npm packages
    cd /home/nginx-auth/nginx-auth
    sudo -u nginx-auth -H npm install
    (Note: I had issues with npm and had to run the install twice.)
  5. Copy and edit the configuration file
    sudo -u nginx-auth -H cp config/default.json.dist config/default.json
    sudo -u nginx-auth -H vi config/default.json







  1. Install the LDAP PAM module
    sudo apt-get install libpam-ldapd
  2. Create the PAM config file for the LDAP check
    sudo vi /etc/pam.d/nginx_restricted

    auth    required     /lib/x86_64-linux-gnu/security/pam_listfile.so onerr=fail item=user \
                         sense=allow file=/etc/nginx/restricted_users
    auth    required     /lib/x86_64-linux-gnu/security/pam_ldap.so
    account required     /lib/x86_64-linux-gnu/security/pam_ldap.so
  3. Create the list of allowed groups
    sudo vi /etc/nginx/restricted_users



Comments

  1. Hi Michael,

    Just wanted to say a big thank you for your tutorial here! On a side note, steps 6 and 7 are missing for nginx ldap auth. Can you update it? THANKS again!


