How to configure allmon3 to listen on specific IP and port and disable ipv6?

Installed entire allstar3 package for Raspberry Pi3:
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://allstarlink.org"
SUPPORT_URL="https://community.allstarlink.org"
BUG_REPORT_URL="xxxx://github.com/AllStarLink/asl3-pi-appliance/"
VARIANT="AllStarLink System Manager"
VARIANT_ID="AllStarLink"

I use postfix, ssh, webmin on many remote devices. These programs have config file settings to limit IP binding, listen port selection, disable ipv6, etc.

Where can I find these needed settings for allmon?

thanks
oldunixguy

The ASL3 Raspberry Pi Appliance installs the “apache” web server. You will find the configuration files in the “/etc/apache2” directory.

See /etc/allmon3/web.ini for WS_BIND_ADDR= to limit the binding address. You cannot “disable IPv6” though.

Thanks! … I set it to WS_BIND_ADDR = 127.0.0.1
But after setting this setting in web.ini and rebooting I get this netstat:
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:16080 0.0.0.0:* LISTEN 978/python3
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 750/apache2
tcp 0 0 0.0.0.0:9090 0.0.0.0:* LISTEN 1/init

And browsing to https://:9090 does bring up the allmon login page…
It seems this setting is being ignored.

thanks
oldunixguy

Port 9090 is for the Cockpit admin tool. Allmon should be accessible at the standard webport under /allmon3/. For example http://192.0.2.10/allmon3/.

Adding to (and repeating) what N8EI wrote:

The LISTEN ports you noted are actually from 3 different processes.

  • The process listening on port 16080 is Allmon3 and you have already changed the bind address.
  • The process listening on port 443 is Apache. As I wrote above, you will find configuration files in the “/etc/apache2” directory.
  • The process listening on port 9090 is Cockpit. Check man cockpit.conf and man cockpit-ws.conf for more info.
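
The mapping in the reply above, as an added example that is not part of the original thread: a Python script that parses `netstat -tlnp` style lines and reports, for each listener, how widely it is bound and which configuration controls it. The sample lines are the ones quoted earlier in the thread, the port-to-component table comes from the replies, and the function names are hypothetical.

```python
import ipaddress

# Port -> (component, where its bind address is configured), per the thread.
OWNERS = {
    16080: ("Allmon3 backend", "/etc/allmon3/web.ini (WS_BIND_ADDR)"),
    443: ("Apache", "/etc/apache2"),
    9090: ("Cockpit", "cockpit.socket systemd unit (ListenStream)"),
}

# netstat lines as quoted in the thread.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:16080 0.0.0.0:* LISTEN 978/python3
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 750/apache2
tcp 0 0 0.0.0.0:9090 0.0.0.0:* LISTEN 1/init
"""

def parse_listeners(text):
    """Yield (host, port, program) for each LISTEN line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[5] != "LISTEN":
            continue  # header, UDP or non-listening rows
        host, _, port = fields[3].rpartition(":")  # handles :::9090 as well
        prog = fields[6].partition("/")[2] if len(fields) > 6 else ""
        yield host.strip("[]"), int(port), prog or "-"

def scope(host):
    """Classify a bind address as loopback, wildcard or a single address."""
    if host == "*":
        return "all addresses"
    addr = ipaddress.ip_address(host)
    if addr.is_unspecified:  # 0.0.0.0 or ::
        return "all addresses"
    return "loopback only" if addr.is_loopback else "single address"

def audit(text):
    """Return (port, program, scope, component, config) rows."""
    rows = []
    for host, port, prog in parse_listeners(text):
        component, config = OWNERS.get(port, ("unknown", "unknown"))
        rows.append((port, prog, scope(host), component, config))
    return rows

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("%-6d %-8s %-14s %-16s %s" % row)
```

Port 9090 shows `init` as the owner because the socket is held by systemd for socket activation, so the program column alone does not identify Cockpit; the port table does.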

OK. Then when N8EI said "See /etc/allmon3/web.ini for WS_BIND_ADDR= to limit the binding address", this must be false or there is a bug. As you can see from the netstat, after setting WS_BIND_ADDR to the loopback addr, port 9090 is STILL listening on ALL addresses!

As for those other ports, they just happened to be shown before the port in question, 9090, and caught up in the screen grab.

Regardless what this component is called, it is the one that is linked from the port 80 http jump off page and explicitly written in the URL with port 9090. And N8EI specifically said the WS_BIND_ADDR in web.ini restricted the program listening on 9090, which was my original question.

I DID check the /etc/apache2/ files and they only dealt with 80 and 443, which I don't care about and did not inquire about.

So, is the failure of setting WS_BIND_ADDR in /etc/allmon3/web.ini WRONGLY defined or a BUG?

In either case, this is important.

/etc/cockpit/cockpit.conf only contains:
[WebService]
LoginTo=false

And the port, which I didn’t inquire about or need to change ironically is far away at /usr/lib/systemd/system/cockpit.socket. The man page does NOT mention a config file to place any listen address for binding!

The man cockpit-ws states a command-line option --address xxx. However, it states “Usually Cockpit is started on demand by systemd socket activation, and this option has no effect. In that case, update the ListenStream directive in the cockpit.socket file in the usual systemd manner”.
And the spec for this directive is not simple. Currently in the installed file it is simply “9090” without any address spec.

Therefore it appears that the system service file that manages cockpit is the ONLY place to limit the listen address by expanding/changing the ListenStream there.

This raises another question: If one edits the aforementioned service file (for the IP or port 9090 for instance), how does the port 80 http allstar jump off page get encoded, where the link is encoded in the left-hand image “Web Admin Portal” of https://:9090 ??

I suppose one can just forget the port 80 http page and disable it if one wants the cockpit to come up on http://127.1:9090 or http://127.1:9091, etc… Note- I hope I can just use http because I don’t need https because this will be behind an SSH tunnel.

regards
oldunixguy

Your original question was about Allmon3, not Cockpit. I am not clear now what you are really trying to do?

So I went back and re-read this thread and I think there’s some clarifying needed here for this issue and for anyone who stumbles across this thread.

Regarding the web landing page and links, there are three major web-based components at play here. Using the example hostname node63001.local:

  • https://node63001.local is controlled by Apache 2 configuration located in /etc/apache2 and follows standard Apache/Debian configuration conventions.

  • https://node63001.local/allmon3 is the front end to Allmon3 that, from a networking and URL pattern perspective, is configured in Apache 2 as listed above. The look and feel configuration is contained in various parts of /etc/allmon3.

  • The back end part of Allmon3 that listens on TCP/16080 and TCP/167nn is controlled by the configuration. Specifically to what your original question sounded like, /etc/allmon3/web.ini and the WS_BIND_ADDR parameter in particular is only for these listeners for Allmon3.

  • https://node63001.local:9090 is the Cockpit administrative service. It is configured via the various configuration files at /etc/cockpit. The port specifically is configured in the cockpit.socket systemd unit. Do not change the port or the network configurations of Cockpit because other parts of the ASL3 appliance have expectations for what’s the “right” configuration and things will break now or in the future.

If you are trying to limit inbound access to a service on your appliance, use firewall rules in Cockpit to do it, not changing port binding configurations. Also stripping off TLS/HTTPS configuration isn’t supported and the ASL3 packages will likely forcibly put it back.

This is why I referred to port 9090 as allstarlink: when I got to that web page port up comes the login page for AllstarLink! Nothing here about Cockpit.
regards
oldunixguy

That is the login page for Cockpit. It doesn't say so because of the ASL custom page. You want to connect to port 80 (http) or 443 (https).

Ahhh - got bit by "branding"... the graphic on that page says "AllStar Link" because by default many will not use allmon... but that is the Cockpit login page as others have noted. The graphic is simply someone's idea of branding it for new folks...

(Cockpit is a generic tool available outside of the ASL world, and usually a "company logo" or similar goes there.)

To get to allmon3, using the IP from your screenshot, go to https://10.0.0.51/allmon3 (if your IP changes, of course use the current address).

If your username is accurate, you'll understand what's going on if described this way...

Cockpit runs its own web stuff and listens on its own port. It's a standalone daemon I believe...

Allmon is simply a directory of "code" that's installed underneath an already configured Apache (just copy it into the main directory being handled by the Apache config and request the sub directory when accessing via a URL) -- which is handling the webserver chores on its standard ports.

(Apache ports can be changed in the Apache config if one is so inclined, but there's really no significant reason to do so... standard Apache config things would apply...)

Helpful description?

The graphic made you say you were on an "AllStar Link" page, confusing helpers... kinda to be expected, I guess... Grin... which is why screenshots are often important...

Cheers,
Nate WY0X
(Also an old unix and linux guy who can see where the confusion started on this one... hahaha...)

Thanks Nate and Chuck! It is clear now!
oldunixguy (rich painter)