Running Cacti frontend on a separate web server

[spiny]

I'd like to give our customers access to their graphs, but I don't want to give them direct access to our NMS server where the Cacti poller runs since we have other sensitive applications running there. Ideally, I'd set up Cacti purely as a frontend on a customer-accessible server, and allow it to query the NMS server to produce the graphs.

Does anyone have such a setup working? I've seen that RRDtool has something called RRD-Server which uses (recommended) tcp port 13900. I have tested this feature and it does work, although it is picky about the path to the RRDs.

It seems that if our customer-accessible web server could speak to RRDtool on port 13900 and mySQL on port 3306, it should be able to work as a frontend. Am I missing anything? Anyone have a hack or should this be a feature request?

-Tom

[rkramer]

why not just nfs the cacti directory on your nms and then set up apache to use the mounted nfs share?

[spiny]

... I should revise my original spec to say that I'd like to minimize the resources used on my NMS server, so as to keep Cacti collecting data smoothly. So, I want to forget about the RRD-Server and try to render the graphs on the customer-accessible server.

Could I nfs the cacti/rra directory, talk to mySQL on port 3306 and run the "customer" Cacti in read-graphs-only mode?

why not just nfs the cacti directory on your nms and then set up apache to use the mounted nfs share?

[Linegod]

Could I nfs the cacti/rra directory, talk to mySQL on port 3306 and run the "customer" Cacti in read-graphs-only mode?

Yes. I have a configuration similar to this, although because of strict firewall policies, I am using an rsync to sync up the rrd files over ssh instead of using an nfs mount (after the initial sync, it only takes a couple of seconds to rsync the rrd files over the network).

Just configure the client account so they can only view the graphs, and you shouldn't have to touch the 'external' web interface at all - although you could remove some of the administration files, if you're paranoid

[spiny]

Thanks for the input. I now have a working configuration that I am happy with. I installed Cacti and RRDTool on my customer-accessible server and removed all Cacti php files except the following:

-rw-r--r-- 1 1000 users 6171 Jul 1 10:45 auth_login.php
-rw-r--r-- 1 1000 users 3423 Jul 1 10:45 graph_image.php
-rw-r--r-- 1 1000 users 10438 Jul 1 10:45 graph.php
-rw-r--r-- 1 1000 users 6318 Jul 1 10:45 graph_settings.php
-rw-r--r-- 1 1000 users 13531 Jul 1 10:45 graph_view.php
-rw-r--r-- 1 1000 users 2271 Jul 1 10:45 index.php
-rw-r--r-- 1 1000 users 1796 Jul 1 10:45 logout.php

I then linked the rra directory from my NMS server to /var/www/html/cact/rra on the customer server, and edited include/config.php to use the mySQL instance running on the NMS server.

I was careful to install RRDTool into the same directory on the customer server so that Cacti could find it.

Also I opened some ports between hosts on the firewall to make sure the two servers could speak to each other: mysql,sunrpc,nfs,642,645,32768,32769,32770.

Now I can set up customer accounts and don't have to worry about the security of my NMS server. The graphs are rendered on the customer server so I needn't worry about taxing the resources Cacti requires.

-Tom

[seveny]

I guess graph exporting is no good solution for you because of the missing auth-system?
--sven