Install Nginx
yum install -y nginx
Enable and start the service to ensure it starts when the system reboots
systemctl start nginx
systemctl enable nginx
This example assumes you have your own certificates already. You should make sure you change the paths to match your setup.
Replace YourOwnCertFile.crt
and
YourOwnCertFile.key
with the names of the files holding
your certificate (.crt
) and private key
(.key
).
/etc/nginx/conf.d/cacti.conf
# Advanced config for NGINX
#server_tokens off;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
# Redirect all HTTP traffic to HTTPS
server {
listen 80;
server_name cacti.yourdomain.com; #No one likes unencrypted web servers
#return 301 https://$host$request_uri; # some nginx do not support 'return';
}
# SSL configuration
server {
listen 443 ssl default deferred;
server_name cacti.yourdomain.com;
root /usr/share/nginx/html/cacti;
index index.php index.html index.htm;
# Compression increases performance0
gzip on;
gzip_types text/plain text/html text/xml text/css application/xml application/javascript application/x-javascript application/rss+xml application/xhtml+xml;
gzip_proxied no-cache no-store private expired auth;
gzip_min_length 1000;
location / {
try_files $uri $uri/ /index.php$query_string;
}
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html/;
}
location ~ \.php$ {
alias /usr/share/nginx/html/cacti;
index index.php
try_files $uri $uri/ =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# you may have to change the path here for your OS
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include /etc/nginx/fastcgi_params;
}
location /cacti {
root /usr/share/nginx/html/;
index index.php index.html index.htm;
location ~ ^/cacti/(.+\.php)$ {
try_files $uri =404;
root /usr/share/nginx/html;
# you may have to change the path here for your OS
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include /etc/nginx/fastcgi_params;
}
location ~* ^/cacti/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
expires max;
log_not_found off;
}
}
location /doc/ {
alias /usr/share/nginx/html/cacti/doc/;
location ~* ^/docs/(.+\.(html|md|txt))$ {
root /usr/share/nginx/html/cacti/;
autoindex on;
allow 127.0.0.1; # Change this to allow your local networks
allow ::1;
deny all;
}
}
location /cacti/rra/ {
deny all;
}
## Access and error logs.
access_log /var/log/nginx/cacti_access.log;
error_log /var/log/nginx/cacti_error.log info;
ssl_certificate /etc/ssl/certs/YourOwnCertFile.crt;
ssl_certificate_key /etc/ssl/private/YourOwnCertKey.key;
# Improve HTTPS performance with session resumption
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
# Enable server-side protection against BEAST attacks
#ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
# Disable SSLv3
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Diffie-Hellman parameter for DHE cipher suites
# $ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# Enable HSTS (https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security)
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
}
The choice between MySQL server and MariaDB is normally down to the OS maintainers if you use one of the predefined LAMP setup installations. If you are deciding between these yourself, you should research this via your favorite search engine.
Whilst MySQL is the original open source SQL database server created in 1995 which is now owned by Oracle, MariaDB is designed as a drop-in replacement by some of the original MySQL developers / owners. This will likely continue to be a drop-in alternative until there is a major divergence that can not be bridged.
Install MySQL server
yum install -y mysql mysql-server
Enable and start the service to ensure it starts when the system reboots
systemctl enable mysqld
systemctl start mysqld
Install MariaDB server
yum install -y MariaDB-server MariaDB-client
Enable and start the service to ensure it starts when the system reboots
systemctl enable mariadb
systemctl start mariadb
IMPORTANT: Secure your MySQL installation before doing any more changes
/usr/bin/mysql_secure_installation
The following MySQL/MariaDB recommendations may vary depending on your system setup. In any case, Cacti will prompt you with more accurate recommendations during the installation.
Edit your server.cnf file
vim /etc/my.cnf.d/server.cnf
The following [mysqld]
section is a base configuration.
The installer will provide recommendations based on the actual system
which will be more tailored to your environment.
[mysqld]
character-set-server=utf8mb4
collation-server=utf8mb4_unicode_ci
max_allowed_packet=18M
max_heap_table_size=98M
tmp_table_size=64M
join_buffer_size=64M
innodb_buffer_pool_size=488M
innodb_doublewrite=OFF
innodb_flush_log_at_timeout=3
innodb_read_io_threads=32
innodb_write_io_threads=16
log-error = /var/log/mysql/mysql-error.log
log-queries-not-using-indexes = 1
slow-query-log = 1
slow-query-log-file = /var/log/mysql/mysql-slow.log
Restart MySQL/MariaDB service to pick up the changes
systemctl restart mysql
Populate timezone table with available timezones
mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root -p mysql
Login to MySQL/MariaDB as root to create Cacti database
# mysql -u root -p
MariaDB [(none)]> create database if not exists cacti;
Query OK, 1 row affected (0.00 sec)
Import Cacti database from SQL file
none)]> use cacti;
MariaDB [(Database changed
> source /var/www/html/cacti/cacti.sql MariaDB [(cacti)]
Grant Cacti username access to Cacti database. Replace
your_cacti_username
and your_cacti_password
with your own details.
none)]> GRANT ALL PRIVILEGES ON cacti.* TO 'your_cacti_username'@'localhost' IDENTIFIED BY
MariaDB [('your_cacti_password';
Query OK, 0 rows affected (0.00 sec)
Grant cacti username to MySQL timezone table
none)]> GRANT SELECT ON mysql.time_zone_name TO 'cacti'@'localhost';
MariaDB [(Query OK, 0 rows affected (0.00 sec)
none)]> FLUSH PRIVILEGES;
MariaDB [(Query OK, 0 rows affected (0.00 sec)
Save the Database Charset and Collation
none)]> ALTER DATABASE cacti CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
MariaDB [(none)]> FLUSH PRIVILEGES; MariaDB [(
PHP and various packages are all required by Cacti for successful operation
Install PHP and required packages.
yum install -y php php-common php-bcmath php-cli \
php-mysqlnd php-gd php-gmp php-intl \
php-json php-ldap php-mbstring \
php-pdo php-pear php-snmp php-process \
php-xml php-zip php-fpm
Note: php-fpm is only required if your Web Server is Nginx
Set a timezone to your PHP.INI configuration
Edit php.ini, typically located at /etc/php.ini
date.timezone = Pacific/Auckland
Disable insecure cgi.fix_pathinfo
cgi.fix_pathinfo=0
Enable and start the service to ensure it starts when the system reboots
systemctl start php-fpm
systemctl enable php-fpm
Edit /etc/php-fpm.d/www.conf
Find listen = 127.0.0.1:9000
and add the following line
below
listen = /var/run/php-fpm/php-fpm.sock
Find listen.owner
and listen.group
and set
them to nginx
listen.owner = nginx
listen.group = nginx
Find user and group and set them to nginx
user = nginx
group = nginx
Restart php-fpm to pick up the changes
systemctl restart php-fpm
RRDtool is required to store the data retrieved from devices in
.rra
files to produce the graphs which are shown within
Cacti
yum install -y rrdtool
SNMP is used to query most devices for information.
yum install -y net-snmp net-snmp-utils
echo "rocommunity public" > /etc/snmp/snmpd.conf
systemctl enable snmpd
systemctl start snmpd
The following steps will show you how to manually download, install and configure the basics for Cacti.
Download Cacti source code from Cacti Web Site
cd /tmp
wget https://www.cacti.net/downloads/cacti-1.y.z.tar.gz
tar -zxvf cacti-1.y.z.tar.gz
mv -v cacti-1.y.z /usr/share/nginx/html/cacti
Edit the config.php file
mv -v /usr/share/nginx/html/cacti/include/config.php-dist /usr/share/nginx/html/cacti/include/config.php
Update database_ fields with your own details. This section only applies to the Main Cacti Server
$database_type = 'mysql';
$database_default = 'your_cacti_database';
$database_hostname = 'localhost';
$database_username = 'your_cacti_username';
$database_password = 'your_cacti_password';
$database_port = '3306';
$database_ssl = false;
$database_ssl_key = '';
$database_ssl_cert = '';
$database_ssl_ca = '';
Set your cookie domain to match your web site domain name
$cacti_cookie_domain = 'cacti.yourdomain.com';
Create your cron task file or systemd units file
Starting with Cacti 1.2.16, you have the option to use either the legacy Crontab entry, or an optional cactid units file and server to run your Cacti pollers.
For Crontab use, follow the instructions below:
Create and edit /etc/cron.d/cacti
file. Make sure to
setup the correct path to poller.php
*/5 * * * * nginx php /var/www/html/cacti/poller.php &>/dev/null
For systemd unit's file install, you will need to modify the included units file to following your install location and desired user and group's to run the Cacti poller as. To complete the task, follow the procedure below:
vim /var/www/html/cacti/service/cactid.service (edit the path)
touch /etc/sysconfig/cactid
cp -p /var/www/html/cacti/service/cactid.service /etc/systemd/system
systemctl enable cactid
systemctl start cactid
systemctl status cactid
The systemd units file makes managing a highly available Cacti setup a bit more convenient.
Install the necessary packages to compile and install spine
yum install -y autoconf automake libtool dos2unix help2man \
openssl-devel mariadb-devel net-snmp-devel
Download spine source code from Cacti Web Site
Go to /tmp to download the source code and extract it
cd /tmp
wget https://www.cacti.net/downloads/spine/cacti-spine-1.y.z.tar.gz
tar -zxvf cacti-spine-1.y.z.tar.gz
cd cacti-spine-1.y.z
Run the configure script and compile spine.
# ./configure
# make & make install
config/install-sh -c -d '/usr/local/spine/bin'
/bin/sh ./libtool --mode=install /usr/bin/install -c spine '/usr/local/spine/bin'
libtool: install: /usr/bin/install -c spine /usr/local/spine/bin/spine
config/install-sh -c -d '/usr/local/spine/etc' /usr/bin/install -c -m 644 spine.conf.dist '/usr/local/spine/etc' config/install-sh -c -d '/usr/local/spine/share/man/man1' /usr/bin/install -c -m 644 spine.1 '/usr/local/spine/share/man/man1'
4. Edit spine.conf
Rename spine.conf.dist to spine.conf
```console
mv -v /usr/local/spine/etc/spine.conf.dist /usr/local/spine/etc/spine.conf
vi /usr/local/spine/etc/spine.conf
Now set up your database connection
DB_Host localhost
DB_Database your_cacti_database
DB_User your_cacti_username
DB_Pass your_cacti_password
DB_Port 3306
#DB_UseSSL 0
#RDB_SSL_Key
#RDB_SSL_Cert
#RDB_SSL_CA
If you are having issues to access the web page, disable SELinux temporarily to prove that the issues come from the SELinux policy. It is NOT recommended to disable SELinux permanently.
CentOS has a lot of documentation on how to make your SELinux policy right.
Check SELinux status
getenforce
Disable SELinux temporarily
setenforce 0
Enable SELinux back
setenforce 1
Note: If you installed Cacti out of
/usr/share/nginx/html
make sure you fix up all SELinux
context and permissions.