Cacti
diff --git a/‎How-To-SSH-Tunnels.md‎
Lines changed: 75 additions & 41 deletions b/‎How-To-SSH-Tunnels.md‎
Lines changed: 75 additions & 41 deletions
diff --git a/‎Installing-Under-Ubuntu-Debian.md‎
Lines changed: 50 additions & 58 deletions b/‎Installing-Under-Ubuntu-Debian.md‎
Lines changed: 50 additions & 58 deletions
@@ -1,108 +1,142 @@
-# How To Setup SSH Tunnels to graph a remote Unix server
+# How To Set Up SSH Tunnels to Graph a Remote Unix Server
 
-Howto created by `fmangeant` at [Cacti
-Forum](https://forums.cacti.net/viewtopic.php?t=24960)
+Howto created by `fmangeant` at the
+[Cacti Forum](https://forums.cacti.net/viewtopic.php?t=24960)
 
-This HowTo will explain how to use SSH tunnels to graph a Unix server that
-isn't directly reachable by your Cacti server :
+This guide explains how to use SSH tunnels to graph a Unix server that is not
+directly reachable by your Cacti server.
 
 ![Overview](images/device-templates-ssh-tunnel.png)
 
 In this example, the Cacti server can reach the Gateway, which can reach the
 target server.
 
+> **Important — TCP vs UDP**: SSH port forwarding (`-L`) is TCP-only. Standard
+> SNMP uses UDP port 161 and **cannot** be tunneled this way. This guide works
+> only when the target's `snmpd` is explicitly configured to accept TCP
+> transport (as shown below). It is **not** suitable for most network devices
+> (routers, switches, etc.), which support UDP SNMP only. For UDP SNMP across
+> untrusted networks, use a VPN instead.
+
 ## Configuring the SSH tunnel
 
-On Gateway, create a "cactiuser" user :
+On the Gateway, create a `cactiuser` account:
 
 ```console
 # useradd -d /home/cactiuser -m cactiuser
 ```
 
-Then you have to generate SSH keys (without passphrase) :
+Generate an SSH key pair (no passphrase, so the tunnel can start
+unattended). The modern recommendation is ed25519:
 
 ```console
 # su - cactiuser
-$ ssh-keygen -t rsa
-Generating public/private rsa key pair.
-Enter file in which to save the key (/home/cactiuser/.ssh/id_rsa):
+$ ssh-keygen -t ed25519
+Generating public/private ed25519 key pair.
+Enter file in which to save the key (/home/cactiuser/.ssh/id_ed25519):
 Enter passphrase (empty for no passphrase):
 Enter same passphrase again:
-Your identification has been saved in /home/cactiuser/.ssh/id_rsa.
-Your public key has been saved in /home/cactiuser/.ssh/id_rsa.pub.
-The key fingerprint is:
-40:f6:91:a1:2d:d1:46:d4:76:e3:d8:c6:3f:c2:cf:f2 cactiuser@gateway
-```console
+Your identification has been saved in /home/cactiuser/.ssh/id_ed25519.
+Your public key has been saved in /home/cactiuser/.ssh/id_ed25519.pub.
+```
 
-The public key of the "cactiuser" user has then to be authorized as an input key :
+Authorize the public key for login:
 
 ```console
 $ cd $HOME/.ssh
-$ cp -p id_rsa.pub authorized_keys
+$ cp -p id_ed25519.pub authorized_keys
 ```
 
-Finally, create the SSH tunnel :
+Create the SSH tunnel:
 
 ```console
 # su - cactiuser -c "ssh -f -N -g -L 192.168.0.2:10000:192.168.1.2:161 cactiuser@localhost"
 ```
 
-This SSH tunnel will forward all packets sent to 192.168.0.2 on TCP port 10000,
-to 192.168.1.2 on port TCP 161.
+This forwards all TCP traffic sent to `192.168.0.2:10000` on the Gateway to
+`192.168.1.2:161` on the target server.
+
+Option summary:
+
+```
+-f  Go to background before executing the command
+-N  Do not execute a remote command
+-g  Allow remote hosts to connect to locally forwarded ports
+-L  Forward the given local port to the given host and port on the remote side
+```
+
+### Making the tunnel persistent (systemd)
+
+On systemd-based hosts (Ubuntu 16.04+, Debian 9+, most current distros),
+`/etc/rc.local` is deprecated and disabled by default. Use a systemd service
+instead.
 
-The options that are used are the following :
+Create `/etc/systemd/system/cacti-ssh-tunnel.service`:
 
-```shell
--f : requests SSH to go to background just before command execution
--N : do not execute a remote command
--g : allows remote hosts to connect to local forwarded ports
--L : specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side.
+```ini
+[Unit]
+Description=SSH tunnel for Cacti SNMP polling
+After=network.target
+
+[Service]
+User=cactiuser
+ExecStart=/usr/bin/ssh -N -g -L 192.168.0.2:10000:192.168.1.2:161 cactiuser@localhost
+Restart=always
+RestartSec=10
+
+[Install]
+WantedBy=multi-user.target
 ```
 
-You can add this command to `/etc/rc.local`, so it will be executed at boot time.
+Enable and start it:
 
-## Configuring Net-SNMP
+```console
+# systemctl daemon-reload
+# systemctl enable cacti-ssh-tunnel
+# systemctl start cacti-ssh-tunnel
+```
+
+## Configuring Net-SNMP on the target server
 
-By default, the Net-SNMP agent listens on UDP port 161; we'll modify its
-configuration to listen on TCP port 161.
+By default, the Net-SNMP agent listens on **UDP** port 161. For this SSH
+tunnel approach you must configure it to listen on **TCP** port 161 instead.
 
-To do so, use that in `snmpd.conf` on the target server :
+In `snmpd.conf` on the target server:
 
 ```ini
 agentaddress tcp:161
 rocommunity mycommunity
 ```
 
-For a more detailed configuration of snmpd.conf, refer to the
-[Net-SNMP snmpd.conf man page](https://net-snmp.sourceforge.io/docs/man/snmpd.conf.html)
+For a more detailed `snmpd.conf` reference, see the
+[Net-SNMP snmpd.conf man page](https://net-snmp.sourceforge.io/docs/man/snmpd.conf.html).
 
-### Testing the SNMP connectivity
+### Testing SNMP connectivity
 
-From the Gateway host, run this command :
+From the Gateway host:
 
 ```console
 $ snmpwalk -v 1 -c mycommunity tcp:192.168.1.2 sysname
 SNMPv2-MIB::sysName.0 = STRING: target_server
 ```
 
-From the Cacti server, run this command :
+From the Cacti server:
 
 ```console
 $ snmpwalk -v 1 -c mycommunity tcp:192.168.0.2:10000 sysname
 SNMPv2-MIB::sysName.0 = STRING: target_server
 ```
 
-If everything works fine, your host is then ready to be added to Cacti.
-
-If not, review your network configuration (firewall rules, especially).
+If these succeed, the host is ready to be added to Cacti. If not, review
+your firewall rules and verify `snmpd` is listening on TCP.
 
 ## Adding the device to Cacti
 
-In Cacti, create a new device like that :
+In Cacti, create a new device as shown:
 
 ![Add device](images/device-templates-ssh-add-device.png)
 
-Voila ! Your target server is graphed by Cacti :)
+Your target server is now graphed by Cacti.
 
 ---
 Copyright (c) 2004-2026 The Cacti Group
@@ -1,41 +1,49 @@
-# Installing Cacti 1.x  in Ubuntu/Debian LAMP stack
+# Installing Cacti 1.x on Ubuntu/Debian — LAMP Stack
 
-> **Note**: As of Cacti 1.2.31, PHP 8.1 is required and PHP Composer is required. 
-> Composer will be used to ensure all of the libraries are installed and are up to date.
+> **Note**: As of Cacti 1.2.31, PHP 8.1 is required and PHP Composer is required.
+> Composer will be used to ensure all libraries are installed and up to date.
+> PHP 8.1 reached end-of-life in November 2024. Check the
+> [PHP supported versions page](https://www.php.net/supported-versions.php)
+> and substitute the current supported release (e.g. `php8.3`) where appropriate.
 
-## Installing the required packages needed for the LAMP stack
+## Installing the required packages
 
 ```console
 apt-get update
-apt-get install -y apache2 rrdtool mariadb-server snmp snmpd php8.1 php8.1-mysql php8.1-snmp php8.1-xml php8.1-mbstring php8.1-json php8.1-gd php8.1-gmp php8.1-zip php8.1-ldap php8.1-mbstring composer
+apt-get install -y apache2 rrdtool mariadb-server snmp snmpd \
+  php8.3 php8.3-mysql php8.3-snmp php8.3-xml php8.3-mbstring \
+  php8.3-json php8.3-gd php8.3-gmp php8.3-zip php8.3-ldap \
+  php8.3-intl php8.3-curl composer
 ```
 
 ### A special note for systems using PHP-FPM
 
- Prior to starting the setup process of Cacti you should restart the PHP-FPM
- Daemon to rebuild the Cache or you may received a HTTP 500 Error
+Before starting the Cacti setup process, restart the PHP-FPM daemon to rebuild
+its cache, or you may receive an HTTP 500 error.
 
 ```console
 systemctl restart php-fpm
 ```
 
-### A special Note on installing Cacti in LXC Containers such as the ones found on Proxmox
+### A special note on installing Cacti in LXC containers (e.g. Proxmox)
 
-We recommend creating a privileged container. You may need to update your container's config file with
+We recommend creating a privileged container. You may need to update your
+container's config file with:
 
 ```console
 lxc.apparmor.profile: unconfined
 ```
-This will allow for ICMP ping and other functions to work
 
-A tested configuration file like below should be good however tune to your needs/standards
+This allows ICMP ping and other functions to work.
+
+A tested configuration is shown below; tune to your needs and standards.
 
 ```console
 arch: amd64
 cores: 2
 hostname: cacti
 memory: 2048
-net0: name=eth0,bridge=vmbr0,firewall=1,hwaddr=mac-id,ip=dhcp,type=v>
+net0: name=eth0,bridge=vmbr0,firewall=1,hwaddr=mac-id,ip=dhcp,type=veth
 ostype: ubuntu
 rootfs: local-lvm:vm-110-disk-0,size=8G
 swap: 2048
@@ -44,59 +52,53 @@ lxc.apparmor.profile: unconfined
 
 ### Downloading the Cacti software
 
-Once the OS packages are installed, you will need to download the Cacti files
-you can do this by using the git command
+Once the OS packages are installed, clone the Cacti repository:
 
 ```console
-git clone -b 1.2.x  https://github.com/Cacti/cacti.git
-Cloning into 'cacti'...
-remote: Enumerating objects: 81, done.
-remote: Counting objects: 100% (81/81), done.
-remote: Compressing objects: 100% (55/55), done.
-remote: Total 59936 (delta 40), reused 51 (delta 26), pack-reused 59855&
-Receiving objects: 100% (59936/59936), 76.33 MiB | 1.81 MiB/s, done.
-Resolving deltas: 100% (43598/43598), done.
+git clone -b 1.2.x https://github.com/Cacti/cacti.git
 ```
 
-After cloning the Cacti repository, move the files into the /var/www/html
-directory
+Move the files into the web root:
 
 ```console
 mv cacti /var/www/html
 ```
 
-#### Database Creation
+### Database creation
 
-Next we will create a database for the cacti installation to use
+Create the Cacti database and user:
 
 ```console
 mysql -u root -p
-CREATE DATABASE cacti DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci ;
+```
+
+```sql
+CREATE DATABASE cacti CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
 CREATE USER 'cactiuser'@'localhost' IDENTIFIED BY 'cactiuser';
 GRANT ALL ON cacti.* TO 'cactiuser'@'localhost';
 GRANT SELECT ON mysql.time_zone_name TO 'cactiuser'@'localhost';
-ALTER DATABASE cacti CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
 FLUSH PRIVILEGES;
 ```
 
-You will now need to pre-populate the database used by cacti
+> **Security note**: Replace `cactiuser`/`cactiuser` with a strong,
+> unique username and password before using this in production.
+
+Import the default Cacti schema:
 
 ```console
 mysql -u root cacti < /var/www/html/cacti/cacti.sql
 ```
 
-Next, you will need to create the config.php file in /var/www/html/cacti/include
+### Creating the config file
 
 ```console
 cd /var/www/html/cacti/include
 cp config.php.dist config.php
 ```
 
-Now, edit the config.php file and make sure to change the database settings as
-needed to match the below entries (though it is highly recommended to use a
-customised username/password combination for security)
+Edit `config.php` to match your database settings:
 
-```console
+```php
 $database_type     = 'mysql';
 $database_default  = 'cacti';
 $database_hostname = 'localhost';
@@ -108,47 +110,37 @@ $database_ssl      = false;
 $database_ssl_key  = '';
 ```
 
-### Create your cron task file or systemd units file
-
-Starting with Cacti 1.2.16, you have the option to use either the
-legacy Crontab entry, or an optional cactid units file and server
-to run your Cacti pollers.
+### Create your cron task or systemd units file
 
-For Crontab use, follow the instructions below:
+Starting with Cacti 1.2.16, you can use either a legacy crontab entry or the
+optional `cactid` systemd service to run your Cacti pollers.
 
-Create and edit `/etc/cron.d/cacti` file.
-Make sure to setup the correct path to poller.php
+For crontab use, create and edit `/etc/cron.d/cacti`:
 
 ```console
-*/5 * * * * apache php /var/www/html/cacti/poller.php &>/dev/null
+*/5 * * * * www-data php /var/www/html/cacti/poller.php &>/dev/null
 ```
 
-For systemd unit's file install, you will need to modify the
-included units file to following your install location
-and desired user and group's to run the Cacti poller as.
-To complete the task, follow the procedure below:
+For systemd, modify the included units file to reflect your install location
+and the desired user and group, then:
 
 ```console
-vim /var/www/html/cacti/service/cactid.service (edit the path)
+vim /var/www/html/cacti/service/cactid.service
 touch /etc/sysconfig/cactid
 cp -p /var/www/html/cacti/service/cactid.service /etc/systemd/system
 systemctl enable cactid
 systemctl start cactid
 systemctl status cactid
 ```
 
-The systemd units file makes managing a highly available Cacti
-setup a bit more convenient.
-
-The system is now ready to finalise the steps by browsing to
-[http://serverip/cacti](http://serverip/cacti) to start the cacti initialization
-wizard.
+The system is now ready. Browse to
+[http://serverip/cacti](http://serverip/cacti) to start the Cacti
+initialization wizard.
 
-### Considerations when using Proxies in front of Cacti (Cacti 1.2.23+)
+### Considerations when using proxies in front of Cacti (Cacti 1.2.23+)
 
-For optimal security, only specify the HTTP headers that are set by your proxy
-software to prevent unauthorized access.
-These can be set by editing the following section of config.php
+For optimal security, specify only the HTTP headers that your proxy software
+actually sets. Configure this by editing the following section of `config.php`:
 
 ```ini
  * Allow the use of Proxy IPs when searching for client