How to configure allmon3 to listen on specific IP and port and disable ipv6?

Installed entire allstar3 package for Raspberry Pi3:
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://allstarlink.org"
SUPPORT_URL="https://community.allstarlink.org"
BUG_REPORT_URL="xxxx://github.com/AllStarLink/asl3-pi-appliance/"
VARIANT="AllStarLink System Manager"
VARIANT_ID="AllStarLink"

I use postfix, ssh, webmin on many remote devices. These programs have config file settings to limit IP binding, listen port selection, disable ipv6, etc.

Where can I find these needed settings for allmon?

thanks
oldunixguy

The ASL3 Raspberry Pi Appliance installs the “apache” web server. You will find the configuration files in the “/etc/apache2” directory.

See /etc/allmon3/web.ini for WS_BIND_ADDR= to limit the binding address. You cannot “disable IPv6” though.

Thanks! … I set it to WS_BIND_ADDR = 127.0.0.1
But after setting this setting in web.ini and rebooting I get this netstat:
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:16080 0.0.0.0:* LISTEN 978/python3
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 750/apache2
tcp 0 0 0.0.0.0:9090 0.0.0.0:* LISTEN 1/init

And browsing to https://:9090 does bring up the allmon login page…
It seems this setting is being ignored.

thanks
oldunixguy

Port 9090 is for the Cockpit admin tool. Allmon should be accessible at the standard webport under /allmon3/. For example http://192.0.2.10/allmon3/.

Adding to (and repeating) what N8EI wrote:

The LISTEN ports you noted are actually from 3 different processes.

  • The process listening on port 16080 is Allmon3 and you have already changed the bind address.
  • The process listening on port 443 is Apache. As I wrote above, you will find configuration files in the “/etc/apache2” directory.
  • The process listening on port 9090 is Cockpit. Check man cockpit.conf and man cockpit-ws.conf for more info.

OK. Then when N8EI said "See /etc/allmon3/web.ini for WS_BIND_ADDR= to limit the binding address" this must be false or there is a bug. As you can see from the netstat after setting WS_BIND_ADDR to the loopback addr port 9090 is STILL listening on ALL addresses!

As for those other ports, they just happened to be shown before the port in question, 9090, and caught up in the screen grab.

Regardless what this component is called, it is the one that is linked from the port 80 http jump off page and explicitly written in the URL with port 9090. And N8EI specifically said the WS_BIND_ADDR in web.ini restricted the program listening on 9090, which was my original question.

I DID check the /etc/apache2/ files and they only dealt with 80 and 443, which I don’t care about and did not inquire about.

So, is the failure of setting WS_BIND_ADDR in /etc/allmon3/web.ini WRONGLY defined or a BUG?

In either case, this is important.

/etc/cockpit/cockpit.conf only contains:
[WebService]
LoginTo=false

And the port, which I didn’t inquire about or need to change ironically is far away at /usr/lib/systemd/system/cockpit.socket. The man page does NOT mention a config file to place any listen address for binding!

The man cockpit-ws states a command-line option --address xxx. However, it states “Usually Cockpit is started on demand by systemd socket activation, and this option has no effect. In that case, update the ListenStream directive in the cockpit.socket file in the usual systemd manner”.
And the spec for this directive is not simple. Currently in the installed file it is simply “9090” without any address spec.

Therefore it appears that the system service file that manages cockpit is the ONLY place to limit the listen address by expanding/changing the ListenStream there.

This raises another question: If one edits the aforementioned service file (for the IP or port 9090 for instance) how does the port 80 http allstar jump off page get encoded where the link is encoded in the left-hand image “Web Admin Portal” of https://:9090 ??

I supposed one can just forget the port 80 http page and disable it if one wants the cockpit to come up on http://127.1:9090 or http://127.1:9091, etc… Note- I hope I can just use http because I don’t need https because this will be behind a SSH tunnel.

regards
oldunixguy

Your original question was about Allmon3 not Cockpit. I am not clear now what you are really trying to do?

So I went back and re-read this thread and I think there’s some clarifying needed here for this issue and for anyone who stumbles across this thread.

Regarding the web landing page and links, there are three major web-based components at play here. Using the example hostname node63001.local:

  • https://node63001.local is controlled by Apache 2 configuration located in /etc/apache2 and follows standard Apache/Debian configuration conventions.

  • https://node63001.local/allmon3 is the front end to Allmon3 that, from a networking and URL pattern perspective, is configured in Apache 2 as listed above. The look and feel configuration is contained in various parts of /etc/allmon3.

  • The back end part of Allmon3 that listens on TCP/16080 and TCP/167nn is controlled by the configuration. Specifically to what your original question sounded like, /etc/allmon3/web.ini and the WS_BIND_ADDR parameter in particular is only for these listeners for Allmon3.

  • https://node63001.local:9090 is the Cockpit administrative service. It is configured via the various configuration files at /etc/cockpit. The port specifically is configured in the cockpit.socket systemd unit. Do not change the port or the network configurations of Cockpit because other parts of the ASL3 appliance have expectations for what’s the “right” configuration and things will break now or in the future.

If you are trying to limit inbound access to a service on your appliance, use firewall rules in Cockpit to do it, not changing port binding configurations. Also stripping off TLS/HTTPS configuration isn’t supported and the ASL3 packages will likely forcibly put it back.
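
The listener-to-component mapping worked out in this thread, as an added example that is not part of any original post and is not ASL3 project code: it reads `netstat -tlnp` rows and reports, for each listener, which component owns it, where the thread says its bind address is set, and whether it is exposed on all interfaces. The function names are hypothetical, the sample rows are the three quoted earlier in the thread, and reading "167nn" as ports 16700-16799 is an assumption.

```python
import ipaddress

# Constructed sample: the three LISTEN rows quoted earlier in the thread.
SAMPLE = """\
tcp 0 0 127.0.0.1:16080 0.0.0.0:* LISTEN 978/python3
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 750/apache2
tcp 0 0 0.0.0.0:9090 0.0.0.0:* LISTEN 1/init
"""

def owner(port):
    """Map a TCP port to (component, where its bind address is set), per the thread."""
    if port == 16080 or 16700 <= port <= 16799:  # "TCP/16080 and TCP/167nn" (assumed range)
        return ("Allmon3 backend", "/etc/allmon3/web.ini WS_BIND_ADDR")
    if port in (80, 443):
        return ("Apache", "/etc/apache2")
    if port == 9090:
        return ("Cockpit", "cockpit.socket ListenStream")
    return ("unknown", "not covered in the thread")

def parse_listeners(text):
    """Yield (address, port, program) for each TCP LISTEN row of netstat -tlnp output."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7 or not f[0].startswith("tcp") or f[5] != "LISTEN":
            continue  # header rows, UDP, non-listening sockets
        addr, _, port = f[3].rpartition(":")  # last colon splits ":::9090" correctly
        yield addr.strip("[]"), int(port), f[6]

def scope_of(addr):
    """Classify a bind address as loopback, all-interfaces, or one specific address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unparsed"
    if ip.is_unspecified:  # 0.0.0.0 or ::
        return "all-interfaces"
    return "loopback" if ip.is_loopback else "specific"

def audit(text):
    """Return one dict per listener: port, program, scope, component, setting."""
    rows = []
    for addr, port, prog in parse_listeners(text):
        component, setting = owner(port)
        rows.append({"port": port, "program": prog, "scope": scope_of(addr),
                     "component": component, "setting": setting})
    return rows

if __name__ == "__main__":
    for r in audit(SAMPLE):
        print(f'{r["port"]:>5} {r["scope"]:<14} {r["component"]:<16} {r["setting"]}')
```

A socket-activated service such as Cockpit shows `1/init` as its program, so the port, not the process name, is what identifies the owner.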