Nagios 4.0.8 and Apache 2.4.10 / 2.4

DanielB
Posts: 77
Joined: Sun Aug 17, 2014 2:17 pm

Nagios 4.0.8 and Apache 2.4.10 / 2.4

Post by DanielB »

Hi all!

I recently updated the Debian Wheezy server where I was using Nagios Core 4.0.8. After upgrading to Debian Jessie with Apache 2.4.10 I'm having some problems with permissions. When I try to access "Services" and "Hosts" I get the following message:

Code:

It appears as though you do not have permission to view information for any of the hosts you requested...

If you believe this is an error, check the HTTP server authentication requirements for accessing this CGI
and check the authorization options in your CGI configuration file.

The Apache configuration file is as follows:

Code:

<VirtualHost *:443>

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/nagios.crt
SSLCertificateKeyFile /etc/apache2/ssl/nagios.key

Serveradmin webmaster@ws1.freesoftware
Servername nagios.freesoftware

ErrorLog "|/usr/bin/cronolog /space/log/ws1/%Y%m/%Y%m%d_nagios.freesoftware_error.log"

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
 
CustomLog "|/usr/bin/cronolog /space/log/ws1/%Y%m/%Y%m%d_nagios.freesoftware_access.log" combined
ServerSignature On

ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"

<Directory "/usr/local/nagios/sbin">
#  SSLRequireSSL
   Options ExecCGI
   AllowOverride None
   ### DGB - 20150507 ###
   #Order allow,deny
   #Allow from all
   Require all granted
   ### DGB - 20150507 ###
   AuthName "Nagios Access"
   AuthType Basic
   AuthUserFile /usr/local/nagios/etc/htpasswd.users
   Require valid-user
</Directory>

Alias /nagios "/usr/local/nagios/share"

<Directory "/usr/local/nagios/share">
#  SSLRequireSSL
   Options None
   AllowOverride None
   ### DGB - 20150507 ###
   #Order allow,deny
   #Allow from all
   Require all granted
   ### DGB - 20150507 ###
   AuthName "Nagios Access"
   AuthType Basic
   AuthUserFile /usr/local/nagios/etc/htpasswd.users
   Require valid-user
</Directory>

</Virtualhost>

In addition to the changes made (DGB - 20150507), should I change something else to avoid this issue?

Thanks in advance.

Best regards,
Daniel
jdalrymple
Skynet Drone
Posts: 2620
Joined: Wed Feb 11, 2015 1:56 pm

Re: Nagios 4.0.8 and Apache 2.4.10

Post by jdalrymple »

Can you see the status for the hosts in the tactical overview, or do you just have a big pile of zeros?

Is it possible that selinux or apparmor are getting in the way?
DanielB
Posts: 77
Joined: Sun Aug 17, 2014 2:17 pm

Re: Nagios 4.0.8 and Apache 2.4.10

Post by DanielB »

Hi, jdalrymple.

jdalrymple wrote: Can you see the status for the hosts in the tactical overview, or do you just have a big pile of zeros?

Yes, I see it all with zeros:

Code:

Hosts
0 Down 	0 Unreachable 	0 Up 	0 Pending
    	  	
Services
0 Critical 	0 Warning 	0 Unknown 	0 Ok 	0 Pending

jdalrymple wrote: Is it possible that selinux or apparmor are getting in the way?

I think they are not installed:

Code:

# aptitude search ^selinux
p   selinux-basics                                                      - SELinux basic support
p   selinux-utils                                                       - SELinux utility programs

Code:

# aptitude search ^apparmor
p   apparmor                                                            - User-space parser utility for AppArmor
p   apparmor-docs                                                       - Documentation for AppArmor
p   apparmor-easyprof                                                   - AppArmor easyprof profiling tool
p   apparmor-notify                                                     - AppArmor notification system
p   apparmor-profiles                                                   - Profiles for AppArmor Security policies
p   apparmor-profiles-extra                                             - Extra profiles for AppArmor Security policies
p   apparmor-utils

Thanks for your reply.

Best regards,
Daniel
jdalrymple
Skynet Drone
Posts: 2620
Joined: Wed Feb 11, 2015 1:56 pm

Re: Nagios 4.0.8 and Apache 2.4.10

Post by jdalrymple »

By all rights - it should work fine then. Are you logging in as nagiosadmin or someone else? If someone else - do they have the rights defined you seek as per the cgi config:

http://nagios.sourceforge.net/docs/nagi ... iauth.html
DanielB
Posts: 77
Joined: Sun Aug 17, 2014 2:17 pm

Re: Nagios 4.0.8 and Apache 2.4.10

Post by DanielB »

Hi, jdalrymple.

I'm logging in using "nagiosadmin" like when I used Wheezy before the upgrade.

I do not see any errors in the Apache access logs when trying to access hosts:

Code:

10.1.0.40 - - [08/May/2015:14:54:28 -0300] "GET /nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail HTTP/1.1" 200 9385 "https://nagios.freesoftware/nagios/side.php" "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.1"
10.1.0.40 - - [08/May/2015:14:54:28 -0300] "GET /nagios/stylesheets/common.css HTTP/1.1" 200 10123 "https://nagios.freesoftware/nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail" "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.1"
10.1.0.40 - - [08/May/2015:14:54:28 -0300] "GET /nagios/stylesheets/status.css HTTP/1.1" 200 7810 "https://nagios.freesoftware/nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail" "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.1"
10.1.0.40 - - [08/May/2015:14:54:28 -0300] "GET /nagios/js/jquery-1.7.1.min.js HTTP/1.1" 200 94556 "https://nagios.freesoftware/nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail" "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.1"
10.1.0.40 - - [08/May/2015:14:54:28 -0300] "GET /nagios/pnp/include/js/prototype.js HTTP/1.1" 200 130485 "https://nagios.freesoftware/nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail" "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.1

or services:

Code:

10.1.0.40 - - [08/May/2015:14:55:03 -0300] "GET /nagios/cgi-bin/status.cgi?host=all HTTP/1.1" 200 10659 "https://nagios.freesoftware/nagios/side.php" "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.1"
10.1.0.40 - - [08/May/2015:14:55:03 -0300] "GET /nagios/stylesheets/common.css HTTP/1.1" 200 10123 "https://nagios.freesoftware/nagios/cgi-bin/status.cgi?host=all" "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.1"
10.1.0.40 - - [08/May/2015:14:55:03 -0300] "GET /nagios/stylesheets/status.css HTTP/1.1" 200 7810 "https://nagios.freesoftware/nagios/cgi-bin/status.cgi?host=all" "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.1"
10.1.0.40 - - [08/May/2015:14:55:03 -0300] "GET /nagios/js/jquery-1.7.1.min.js HTTP/1.1" 200 94418 "https://nagios.freesoftware/nagios/cgi-bin/status.cgi?host=all" "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.1"
10.1.0.40 - - [08/May/2015:14:55:03 -0300] "GET /nagios/pnp/include/js/prototype.js HTTP/1.1" 200 130485 "https://nagios.freesoftware/nagios/cgi-bin/status.cgi?host=all" "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.1"

I do not see any entries at all in the error log for the virtualhost.

Thanks for your reply.

Best regards,
Daniel
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Nagios 4.0.8 and Apache 2.4.10

Post by ssax »

Please attach your /usr/local/nagios/etc/cgi.cfg

Also, post the output of:

Code:

ls -l /usr/local/nagios/etc/cgi.cfg
DanielB
Posts: 77
Joined: Sun Aug 17, 2014 2:17 pm

Re: Nagios 4.0.8 and Apache 2.4.10

Post by DanielB »

Hi, ssax.

ssax wrote: Please attach your /usr/local/nagios/etc/cgi.cfg

Code:

# grep ^[^#] /usr/local/nagios/etc/cgi.cfg
main_config_file=/usr/local/nagios/etc/nagios.cfg
physical_html_path=/usr/local/nagios/share
url_html_path=/nagios
show_context_help=0
use_pending_states=1
use_authentication=1
 
authorized_for_system_information=nagiosadmin
authorized_for_configuration_information=nagiosadmin
authorized_for_system_commands=nagiosadmin
authorized_for_all_services=nagiosadmin
authorized_for_all_hosts=nagiosadmin
authorized_for_all_service_commands=nagiosadmin
authorized_for_all_host_commands=nagiosadmin
default_statusmap_layout=5
default_statuswrl_layout=4
ping_syntax=/bin/ping -n -U -c 5 $HOSTADDRESS$
refresh_rate=90
escape_html_tags=1
host_unreachable_sound=hostdown.wav
host_down_sound=hostdown.wav
service_critical_sound=critical.wav
service_warning_sound=warning.wav
service_unknown_sound=warning.wav
action_url_target=_blank
notes_url_target=_blank
lock_author_names=1

ssax wrote: Also, post the output of:

Code:

ls -l /usr/local/nagios/etc/cgi.cfg

Code:

# ls -l /usr/local/nagios/etc/cgi.cfg
-rw-rw-r-- 1 nagios nagios 10453 oct 20  2007 /usr/local/nagios/etc/cgi.cfg

Thanks for your interest.

Best regards,
Daniel
DanielB
Posts: 77
Joined: Sun Aug 17, 2014 2:17 pm

Re: Nagios 4.0.8 and Apache 2.4.10

Post by DanielB »

Hi again.
DanielB wrote: I do not see any errors in the Apache access logs when trying to access hosts:

Code:

10.1.0.40 - - [08/May/2015:14:54:28 -0300] "GET /nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail HTTP/1.1" 200 9385 "https://nagios.freesoftware/nagios/side.php" "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.1"
10.1.0.40 - - [08/May/2015:14:54:28 -0300] "GET /nagios/stylesheets/common.css HTTP/1.1" 200 10123 "https://nagios.freesoftware/nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail" "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.1"
10.1.0.40 - - [08/May/2015:14:54:28 -0300] "GET /nagios/stylesheets/status.css HTTP/1.1" 200 7810 "https://nagios.freesoftware/nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail" "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.1"
10.1.0.40 - - [08/May/2015:14:54:28 -0300] "GET /nagios/js/jquery-1.7.1.min.js HTTP/1.1" 200 94556 "https://nagios.freesoftware/nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail" "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.1"
10.1.0.40 - - [08/May/2015:14:54:28 -0300] "GET /nagios/pnp/include/js/prototype.js HTTP/1.1" 200 130485 "https://nagios.freesoftware/nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail" "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.1

or services:

Code:

10.1.0.40 - - [08/May/2015:14:55:03 -0300] "GET /nagios/cgi-bin/status.cgi?host=all HTTP/1.1" 200 10659 "https://nagios.freesoftware/nagios/side.php" "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.1"
10.1.0.40 - - [08/May/2015:14:55:03 -0300] "GET /nagios/stylesheets/common.css HTTP/1.1" 200 10123 "https://nagios.freesoftware/nagios/cgi-bin/status.cgi?host=all" "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.1"
10.1.0.40 - - [08/May/2015:14:55:03 -0300] "GET /nagios/stylesheets/status.css HTTP/1.1" 200 7810 "https://nagios.freesoftware/nagios/cgi-bin/status.cgi?host=all" "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.1"
10.1.0.40 - - [08/May/2015:14:55:03 -0300] "GET /nagios/js/jquery-1.7.1.min.js HTTP/1.1" 200 94418 "https://nagios.freesoftware/nagios/cgi-bin/status.cgi?host=all" "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.1"
10.1.0.40 - - [08/May/2015:14:55:03 -0300] "GET /nagios/pnp/include/js/prototype.js HTTP/1.1" 200 130485 "https://nagios.freesoftware/nagios/cgi-bin/status.cgi?host=all" "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.1"

Looking again at the logs that I had posted, I have noticed that they do not say "nagiosadmin" in each entry. Shouldn't it appear in place of the second "-"?

The strange thing is that I'm logged in to Apache (2.4.10) using "nagiosadmin".

Best regards,
Daniel
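
The check Daniel describes above (the third field of each access-log entry is the authenticated user, and "-" means none) can be automated. This is an added example, not part of the original posts; the function name `unauthenticated_hits`, the `protected_prefix` parameter and the sample lines are constructed for illustration.

```python
import re

# Combined Log Format: host ident authuser [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def unauthenticated_hits(lines, protected_prefix="/nagios/"):
    """Return (time, path) for requests under protected_prefix that were
    served (2xx or 304) although no user was authenticated ("-")."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a common/combined format line
        if not m["path"].startswith(protected_prefix):
            continue  # outside the area that should require a login
        status = int(m["status"])
        served = 200 <= status < 300 or status == 304
        # A 401 with user "-" is normal: it is the challenge the browser
        # receives before it sends credentials, so it is not flagged.
        if served and m["user"] == "-":
            hits.append((m["time"], m["path"]))
    return hits

# Constructed sample lines in the same format as the logs in this thread.
SAMPLE = [
    '10.1.0.40 - - [08/May/2015:14:54:28 -0300] '
    '"GET /nagios/cgi-bin/status.cgi?host=all HTTP/1.1" 200 10659 "-" "ua"',
    '10.1.0.40 - - [08/May/2015:14:54:29 -0300] '
    '"GET /nagios/cgi-bin/status.cgi HTTP/1.1" 401 381 "-" "ua"',
    '10.1.0.40 - nagiosadmin [09/May/2015:15:00:09 -0300] '
    '"GET /nagios/images/b_next2.png HTTP/1.1" 304 192 "-" "ua"',
    '10.1.0.40 - - [09/May/2015:15:00:10 -0300] '
    '"GET /favicon.ico HTTP/1.1" 200 100 "-" "ua"',
]

if __name__ == "__main__":
    for when, path in unauthenticated_hits(SAMPLE):
        print(f"served without authentication: {when} {path}")
```
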
DanielB
Posts: 77
Joined: Sun Aug 17, 2014 2:17 pm

Re: Nagios 4.0.8 and Apache 2.4.10

Post by DanielB »

DanielB wrote: Looking again at the logs that I had posted, I have noticed that they do not say "nagiosadmin" in each entry. Shouldn't it appear in place of the second "-"?

The strange thing is that I'm logged in to Apache (2.4.10) using "nagiosadmin".

That detail in the log led me to do other tests and I discovered that, indeed, I was not logged into Apache as "nagiosadmin". I could corroborate it by opening other browsers (Chromium and Konqueror) and seeing that I went directly to the Nagios interface. The problem was here:

Code:

#  SSLRequireSSL
   Options ExecCGI
   AllowOverride None
   ### DGB - 20150507 ###
   #Order allow,deny
   #Allow from all
   Require all granted <---------------------------------------------------+
   ### DGB - 20150507 ###                                                  |
   AuthName "Nagios Access"                                                |
   AuthType Basic                                                          |
   AuthUserFile /usr/local/nagios/etc/htpasswd.users                       |
   Require valid-user <----------------------------------------------------+
</Directory>

Apparently, the "Require all granted", equivalent to "Order allow,deny / Allow from all" on Apache 2.2, was creating a conflict with the "Require" below. Then, after commenting out the "Require all granted", I did get the Apache authentication window and I saw the hosts and services. But the problem is that access is possible from any network. So the final configuration is as follows:

Code:

(...)

<Directory "/usr/local/nagios/sbin">
#  SSLRequireSSL
   Options ExecCGI
   AllowOverride None
   <RequireAll>
      ### DGB - 20150507 ###
      #Order allow,deny
      #Allow from all
      Require all granted
      ### DGB - 20150507 ###
      AuthName "Nagios Access"
      AuthType Basic
      AuthUserFile /usr/local/nagios/etc/htpasswd.users
      Require valid-user
   </RequireAll>
</Directory>

(...)

<Directory "/usr/local/nagios/share">
#  SSLRequireSSL
   Options None
   AllowOverride None
   <RequireAll>
      ### DGB - 20150507 ###
      #Order allow,deny
      #Allow from all
      Require all granted
      ### DGB - 20150507 ###
      AuthName "Nagios Access"
      AuthType Basic
      AuthUserFile /usr/local/nagios/etc/htpasswd.users
      Require valid-user
   </RequireAll>
</Directory>

And, of course, now the log entries show the "nagiosadmin" user:

Code:

10.1.0.40 - nagiosadmin [09/May/2015:15:00:09 -0300] "GET /nagios/images/b_first2.png HTTP/1.1" 304 193 "https://nagios.freesoftware/nagios/cgi-bin/status.cgi?host=all" "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.2"
10.1.0.40 - nagiosadmin [09/May/2015:15:00:09 -0300] "GET /nagios/images/b_prev2.png HTTP/1.1" 304 192 "https://nagios.freesoftware/nagios/cgi-bin/status.cgi?host=all" "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.2"
10.1.0.40 - nagiosadmin [09/May/2015:15:00:09 -0300] "GET /nagios/images/b_last2.png HTTP/1.1" 304 193 "https://nagios.freesoftware/nagios/cgi-bin/status.cgi?host=all" "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.2"
10.1.0.40 - nagiosadmin [09/May/2015:15:00:09 -0300] "GET /nagios/images/b_next2.png HTTP/1.1" 304 192 "https://nagios.freesoftware/nagios/cgi-bin/status.cgi?host=all" "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.2"

I think it would be good to document this Apache 2.4 configuration for use in the next version of Nagios Core.

I hope you find it useful.

Best regards,
Daniel
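
Why the two configurations in the post above behave differently: in Apache 2.4, several bare Require lines are combined as an implicit <RequireAny>, so "Require all granted" lets the request through before authentication is ever requested. The following is an added example, not part of the original posts and not Apache's own code; it is a simplified model of that evaluation, with hypothetical names `parse` and `evaluate`, covering only the Require forms that appear in this thread.

```python
import re

GRANTED, DENIED, NEED_USER = "granted", "denied", "need-user"

def parse(block):
    """Parse a <Directory> body; bare Require lines sit in an implicit RequireAny."""
    root = ("any", [])
    stack = [root]
    for raw in block.splitlines():
        line = raw.strip()
        m = re.match(r"<(/?)Require(All|Any)>$", line, re.I)
        if m and not m.group(1):          # opening container
            node = (m.group(2).lower(), [])
            stack[-1][1].append(node)
            stack.append(node)
        elif m:                           # closing container
            stack.pop()
        elif line.lower().startswith("require "):
            rule = " ".join(line.split()[1:]).lower()
            stack[-1][1].append(("require", rule))
    return root                           # comments and Auth* lines are ignored

def evaluate(node, user=None):
    """NEED_USER means Apache would ask for credentials (401) before deciding."""
    kind, body = node
    if kind == "require":
        if body in ("all granted", "all denied"):
            return GRANTED if body.endswith("granted") else DENIED
        if body == "valid-user":
            return GRANTED if user else NEED_USER
        raise ValueError(f"not modelled: Require {body}")
    results = [evaluate(child, user) for child in body]
    if kind == "any" and GRANTED in results:
        return GRANTED                    # one success is enough
    if kind == "all" and DENIED in results:
        return DENIED                     # one failure is enough
    if NEED_USER in results:
        return NEED_USER
    return DENIED if kind == "any" else GRANTED

# Require lines taken from the thread's "before" and "after" <Directory> blocks.
BEFORE = """
   Require all granted
   AuthType Basic
   Require valid-user
"""
AFTER = """
   <RequireAll>
      Require all granted
      AuthType Basic
      Require valid-user
   </RequireAll>
"""

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, "anonymous request ->", evaluate(parse(cfg)))
```

Inside <RequireAll>, "Require all granted" never changes the result; it marks the place where a network restriction such as "Require ip" would go.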
DanielB
Posts: 77
Joined: Sun Aug 17, 2014 2:17 pm

Re: Nagios 4.0.8 and Apache 2.4.10

Post by DanielB »

To be general, I think we could use something like the following (not tested):

Code:

(...)

<Directory "/usr/local/nagios/sbin">
#  SSLRequireSSL
   Options ExecCGI
   AllowOverride None
   <IfVersion >= 2.3>
      <RequireAll>
         Require all granted

         AuthName "Nagios Access"
         AuthType Basic
         AuthUserFile /usr/local/nagios/etc/htpasswd.users
         Require valid-user
      </RequireAll>
   </IfVersion>
   <IfVersion < 2.3>
      Order allow,deny
      Allow from all

      AuthName "Nagios Access"
      AuthType Basic
      AuthUserFile /usr/local/nagios/etc/htpasswd.users
      Require valid-user
   </IfVersion>
</Directory>

(...)

<Directory "/usr/local/nagios/share">
#  SSLRequireSSL
   Options None
   AllowOverride None
   <IfVersion >= 2.3>
      <RequireAll>
         Require all granted

         AuthName "Nagios Access"
         AuthType Basic
         AuthUserFile /usr/local/nagios/etc/htpasswd.users
         Require valid-user
      </RequireAll>
   </IfVersion>
   <IfVersion < 2.3>
      Order allow,deny
      Allow from all

      AuthName "Nagios Access"
      AuthType Basic
      AuthUserFile /usr/local/nagios/etc/htpasswd.users
      Require valid-user
   </IfVersion>
</Directory>

Best regards,
Daniel