This must appear in one opportunity in 1000, but it happened to me, so I bet it might have just happened to you...
Munin is great, Nginx is great, and SSL is great, but when you mix all of them together, you might get some frustrating behaviour.
If you don't know it already, you can test the results of a Munin plugin on Debian-based systems with the command
sudo munin-run [plugin]For example, if your nginx_status graph in the Munin web interface is empty, you can try
sudo munin-run nginx_statusThe name of the plugin will auto-complete with the TAB key, with any plugin present in /etc/munin/plugins/ In my case, the command gave the following result:
total.value U reading.value U writing.value U waiting.value U"U" in the result above is the equivalent of "Undefined" or "Unavailable". Translation: the plugin can't get its data. If you've got Munin running only for HTTPS (the rest is handled by Varnish, for example), then the first thing is to make sure that the plugin is effectively querying an HTTPS URL managed by Munin, and that the URL, even if tested on the same machine, is the one that matches your SSL certificate. For example: https://www.example.com/nginx_status if your domain is example.com and you have the certificate for that domain. Make sure you have a block like this in your /etc/munin/plugin-conf.d/munin-node file (you can add it at the end):
[nginx*] env.url https://www.example.com/nginx_statusThen reload your munin configuration with
sudo /etc/init.d/munin-node restartSecond, you want to make sure the URL nginx_status is actually managed by Nginx. To do this, check the section "location / { ... }" in your nginx config file (/etc/nginx/sites-available/default, for example) and make sure there is another location block like this one:
location /nginx_status {
stub_status on;
access_log off;
allow 127.0.0.1;
deny all;
}
(change - or copy over - the "allow" property if needed).
In particular, it happens that you need to put the public IP in an "allow" tag in order for munin to work.
This will ensure the URL https://www.example.com/nginx_status actually answers something like this:
Active connections: 1 server accepts handled requests 8723 8723 10497 Reading: 0 Writing: 1 Waiting: 0... Which you can test with lynx or links2 from the same server: lynx https://www.example.com/nginx_status Now (we're not finished yet) you might have all this running, and still an empty munin graph. This is the most tricky part, because it's difficult to get to that conclusion without hacking the code a little bit. Without you noticing, the munin plugin might now be failing because you don't have the IO::Socket::SSL library installed on your computer. I only realized that by adding a die() call in the Perl script of the plugin when getting the answer from Nginx, to see that it was still in encrypted form and contained a message saying I should install this module in order to make SSL readable by Munin. Well, once you know this, it's fairly easy to do:
sudo apt-get install libio-socket-ssl-perl sudo /etc/init.d/munin-node restartYou can try it out with munin-run:
$ sudo munin-run nginx_status total.value 1 reading.value 0 writing.value 1 waiting.value 0Done! If this helped you, please share it.
Comments
Good afternoon. I followed all the steps, but I can not get a result with the command "munin-run" ... only appears the letter U. When I access via browser, I see what is working and what values are being updated. I installed also the suggested package, still does not work. The munin I'm using is 1.4.6 and my system is Ubuntu 12.04. I installed this server a few days. What can it be?
I had no clue what the root of the problem was here, just that the graphs were blank from the moment I moved to HTTPS. I messed around in the nginx and munin configuration files for quite a while before discovering this page. After installing the perl-IO-Socket-SSL package (CentOS 6.5), "munin-run nginx_status" is reporting values again. Thanks for sharing!
One note for CentOS/RedHat users—to install the SSL library, you need to run "sudo yum install 'perl(IO::Socket::SSL)'".