** RESOLVED ** Nagios Core 4.4.1 - Enable HTTPS for Web GUI

Support forum for Nagios Core, Nagios Plugins, NCPA, NRPE, NSCA, NDOUtils and more. Engage with the community of users including those using the open source solutions.
Locked
amdjml
Posts: 6
Joined: Fri Aug 17, 2018 9:28 am

** RESOLVED ** Nagios Core 4.4.1 - Enable HTTPS for Web GUI

Post by amdjml »

Hi All,

I have a nagios server that runs on "http://servername/nagios/". I am using Ubuntu 18.04 LTS with Apache for the web server and I'd like to enable HTTPS for the web GUI. Here is what I have done so far:

1. Obtained a valid certificate
2. Configured Apache for SSL and enabled the default-ssl config file

When I go to "https://servername/nagios/", nothing loads. Apache & nagios logs not reporting any errors. I can see the nagios favicon on my browser but not content in the body of the browser.

There are 3 config files for apache in "/etc/apache2/sites-available/" and "/etc/apache2/sites-enabled" and they are:

000-default.conf
default-ssl.conf
nagios.conf

I have searched the web extensively and by my surprise, there aren't many articles with this topic available on the internet. Any help or guidance is greatly appreciated.
Last edited by amdjml on Mon Aug 20, 2018 11:37 am, edited 1 time in total.
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises
Contact:

Re: Nagios Core 4.4.1 - Enable HTTPS for Web GUI

Post by scottwilkerson »

Can you share these files?

Code: Select all

000-default.conf
default-ssl.conf
nagios.conf
Former Nagios employee
Creator:
ahumandesign.com
enneagrams.com
amdjml
Posts: 6
Joined: Fri Aug 17, 2018 9:28 am

Re: Nagios Core 4.4.1 - Enable HTTPS for Web GUI

Post by amdjml »

Hi,

Yes.

000-default.conf

Code: Select all

<VirtualHost *:80>
	
	#ServerName www.example.com

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html/

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	#RewriteEngine On
	#RewriteCond %{HTTPS} off
	#RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

</VirtualHost>
default-ssl.conf

Code: Select all

<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerAdmin admin@example.com
                ServerName  example.com

                DocumentRoot /var/www/html/


                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                SSLEngine on

                SSLCertificateFile      /etc/ssl/private/certificate.crt
                SSLCertificateKeyFile /etc/ssl/private/server.key

                SSLCertificateChainFile /etc/ssl/private/chain.crt

                SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
                SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
                SSLHonorCipherOrder On
                #Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
                Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
                Header always set X-Frame-Options DENY
                Header always set X-Content-Type-Options nosniff
                # Requires Apache >= 2.4
                SSLCompression off
                # SSLUseStapling on
                # SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
                # Requires Apache >= 2.4.11
                SSLSessionTickets Off

                SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparam.pem"

                BrowserMatch "MSIE [2-6]" \
                                nokeepalive ssl-unclean-shutdown \
                                downgrade-1.0 force-response-1.0
        </VirtualHost>
</IfModule>
and, nagios.conf

Code: Select all

ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"

<Directory "/usr/local/nagios/sbin">
   SSLRequireSSL
   Options ExecCGI
   AllowOverride None
   <IfVersion >= 2.3>
      <RequireAll>
         Require all granted
#        Require host 127.0.0.1

         AuthName "Nagios Access"
         AuthType Basic
         AuthUserFile /usr/local/nagios/etc/htpasswd.users
         Require valid-user
      </RequireAll>
   </IfVersion>
   <IfVersion < 2.3>
      Order allow,deny
      Allow from all
#     Order deny,allow
#     Deny from all
#     Allow from 127.0.0.1

      AuthName "Nagios Access"
      AuthType Basic
      AuthUserFile /usr/local/nagios/etc/htpasswd.users
      Require valid-user
   </IfVersion>
</Directory>

Alias /nagios "/usr/local/nagios/share"

<Directory "/usr/local/nagios/share">
   SSLRequireSSL
   Options None
   AllowOverride None
   <IfVersion >= 2.3>
      <RequireAll>
         Require all granted
#        Require host 127.0.0.1

         AuthName "Nagios Access"
         AuthType Basic
         AuthUserFile /usr/local/nagios/etc/htpasswd.users
         Require valid-user
      </RequireAll>
   </IfVersion>
   <IfVersion < 2.3>
      Order allow,deny
      Allow from all
#     Order deny,allow
#     Deny from all
#     Allow from 127.0.0.1

      AuthName "Nagios Access"
      AuthType Basic
      AuthUserFile /usr/local/nagios/etc/htpasswd.users
      Require valid-user
   </IfVersion>
</Directory>
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises
Contact:

Re: Nagios Core 4.4.1 - Enable HTTPS for Web GUI

Post by scottwilkerson »

Did you restart apache after making the changes?

Also, can you send the error.log from the apache log directory.

Thanks
Former Nagios employee
Creator:
ahumandesign.com
enneagrams.com
amdjml
Posts: 6
Joined: Fri Aug 17, 2018 9:28 am

Re: Nagios Core 4.4.1 - Enable HTTPS for Web GUI

Post by amdjml »

I have restarted apache:

Code: Select all

sudo systemctl restart apache2.service
There is not much in the error.log file:

Code: Select all

[Sun Aug 19 06:25:01.739427 2018] [mpm_prefork:notice] [pid 1199] AH00163: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.0g configured -- resuming normal operations
[Sun Aug 19 06:25:01.739499 2018] [core:notice] [pid 1199] AH00094: Command line: '/usr/sbin/apache2'
[Mon Aug 20 06:25:02.014935 2018] [mpm_prefork:notice] [pid 1199] AH00171: Graceful restart requested, doing restart
[Mon Aug 20 06:25:02.075393 2018] [mpm_prefork:notice] [pid 1199] AH00163: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.0g configured -- resuming normal operations
[Mon Aug 20 06:25:02.075423 2018] [core:notice] [pid 1199] AH00094: Command line: '/usr/sbin/apache2'
[Mon Aug 20 11:35:51.173516 2018] [mpm_prefork:notice] [pid 1199] AH00169: caught SIGTERM, shutting down
[Mon Aug 20 11:35:51.338079 2018] [mpm_prefork:notice] [pid 23227] AH00163: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.0g configured -- resuming normal operations
[Mon Aug 20 11:35:51.338155 2018] [core:notice] [pid 23227] AH00094: Command line: '/usr/sbin/apache
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises
Contact:

Re: Nagios Core 4.4.1 - Enable HTTPS for Web GUI

Post by scottwilkerson »

If you look at your access.log while trying to connect to the https URL do you see the log entry?
Former Nagios employee
Creator:
ahumandesign.com
enneagrams.com
amdjml
Posts: 6
Joined: Fri Aug 17, 2018 9:28 am

Re: Nagios Core 4.4.1 - Enable HTTPS for Web GUI

Post by amdjml »

Yes, I do:

Code: Select all

10.x.x.x - nagiosadmin [20/Aug/2018:12:12:49 -0400] "GET /nagios/ HTTP/1.1" 200 5794 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36"

10.x.x.x - nagiosadmin [20/Aug/2018:12:12:49 -0400] "GET /nagios/side.php HTTP/1.1" 200 1555 "https://example.com/nagios/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36"

10.x.x.x - nagiosadmin [20/Aug/2018:12:12:49 -0400] "GET /nagios/main.php HTTP/1.1" 200 3500 "https://example.com/nagios/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36"

10.x.x.x - nagiosadmin [20/Aug/2018:12:12:50 -0400] "GET /nagios/images/favicon.ico HTTP/1.1" 200 1270 "https://example.com/nagios/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36"
... and this is what I see on my browser:
Image
amdjml
Posts: 6
Joined: Fri Aug 17, 2018 9:28 am

Re: Nagios Core 4.4.1 - Enable HTTPS for Web GUI

Post by amdjml »

I found the solution. I am going to put what I did to resolve this.

In Chrome, I opened the "Inspect" tool and clicked on the "Console" tab and I saw the message below:

Refused to display 'https://example.com/nagios/main.php' in a frame because it set 'X-Frame-Options' to 'deny'.

I then, edited the "default-ssl.conf" file for Apache. The line that needs to be changed (in my case) is:

Code: Select all

Header always set X-Frame-Options DENY
Change it to:

Code: Select all

Header always set X-Frame-Options SAMEORIGIN
Restart apache and you are done :D

Code: Select all

/etc/init.d/apache2 restart
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises
Contact:

Re: Nagios Core 4.4.1 - Enable HTTPS for Web GUI

Post by scottwilkerson »

Great! closing
Former Nagios employee
Creator:
ahumandesign.com
enneagrams.com
Locked