access /server-status without credentials

Guyver1
Posts: 27
Joined: Tue Apr 16, 2019 4:43 am

access /server-status without credentials

Post by Guyver1 »

Hi,

I've just started learning apache so bear with me.

I've successfully configured the /server-status page on our nagios server:
<Location /server-status>
SetHandler server-status
Order deny,allow
Allow from x.x.x.x
</Location>

However, it requests credentials whenever you attempt to browse to it, which means a lot of the nagios plugins for checking apache won't work as a lot of them don't have username/password arguments.

Is there a way in httpd.conf to allow access to /server-status without being forced to enter nagios credentials?
This is so I can configure our other apache web servers' /server-status pages and allow nagios to check them without worrying about credential issues.
benjaminsmith
Posts: 5324
Joined: Wed Aug 22, 2018 4:39 pm
Location: saint paul

Re: access /server-status without credentials

Post by benjaminsmith »

Hello,

Try setting the apache config as follows. This is working on my test system.

Code:

<Location /server-status>
     SetHandler server-status
     Order deny,allow
     Deny from all
     Allow from 127.0.0.1 <IP address Nagios>
</Location>
To test, run the following curl command and post any error messages.

Code:

curl -k -L -v http://127.0.0.1/server-status
Guyver1

Re: access /server-status without credentials

Post by Guyver1 »

ok cheers.

Got this working on my lab at home:

Code:

[root@v-nagios-xi ~]# curl -k -L -v http://192.168.0.214/server-status
* About to connect() to 192.168.0.214 port 80 (#0)
*   Trying 192.168.0.214...
* Connected to 192.168.0.214 (192.168.0.214) port 80 (#0)
> GET /server-status HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 192.168.0.214
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Fri, 11 Oct 2019 22:20:32 GMT
< Server: Apache/2.4.6 (CentOS) PHP/5.4.16
< Content-Length: 3016
< Content-Type: text/html; charset=ISO-8859-1
< 
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head>
<title>Apache Status</title>
</head><body>
<h1>Apache Server Status for 192.168.0.214 (via 192.168.0.214)</h1>

<dl><dt>Server Version: Apache/2.4.6 (CentOS) PHP/5.4.16</dt>
<dt>Server MPM: prefork</dt>
<dt>Server Built: Aug  8 2019 11:41:18
</dt></dl><hr /><dl>
<dt>Current Time: Friday, 11-Oct-2019 23:20:32 BST</dt>
<dt>Restart Time: Friday, 11-Oct-2019 23:19:36 BST</dt>
<dt>Parent Server Config. Generation: 1</dt>
<dt>Parent Server MPM Generation: 0</dt>
<dt>Server uptime:  56 seconds</dt>
<dt>Server load: 0.00 0.01 0.05</dt>
<dt>Total accesses: 1 - Total Traffic: 3 kB</dt>
<dt>CPU Usage: u0 s0 cu0 cs0<dt>.0179 requests/sec - 54 B/second - 3072 B/request</dt>
<dt>1 requests currently being processed, 5 idle workers</dt>
</dl><pre>__W___..........................................................
................................................................
................................................................
................................................................
</pre>
<p>Scoreboard Key:<br />
"<b><code>_</code></b>" Waiting for Connection, 
"<b><code>S</code></b>" Starting up, 
"<b><code>R</code></b>" Reading Request,<br />
"<b><code>W</code></b>" Sending Reply, 
"<b><code>K</code></b>" Keepalive (read), 
"<b><code>D</code></b>" DNS Lookup,<br />
"<b><code>C</code></b>" Closing connection, 
"<b><code>L</code></b>" Logging, 
"<b><code>G</code></b>" Gracefully finishing,<br /> 
"<b><code>I</code></b>" Idle cleanup of worker, 
"<b><code>.</code></b>" Open slot with no current process<br />
<p />


<table border="0"><tr><th>Srv</th><th>PID</th><th>Acc</th><th>M</th><th>CPU
</th><th>SS</th><th>Req</th><th>Conn</th><th>Child</th><th>Slot</th><th>Client</th><th>VHost</th><th>Request</th></tr>

<tr><td><b>0-0</b></td><td>14709</td><td>0/1/1</td><td>_
</td><td>0.00</td><td>38</td><td>0</td><td>0.0</td><td>0.00</td><td>0.00
</td><td>192.168.0.211</td><td nowrap>v-nagios-repo.ghfb.local:80</td><td nowrap>NULL</td></tr>

<tr><td><b>2-0</b></td><td>14711</td><td>0/0/0</td><td><b>W</b>
</td><td>0.00</td><td>0</td><td>0</td><td>0.0</td><td>0.00</td><td>0.00
</td><td>192.168.0.215</td><td nowrap>v-nagios-repo.ghfb.local:80</td><td nowrap>GET /server-status HTTP/1.1</td></tr>

</table>
 <hr /> <table>
 <tr><th>Srv</th><td>Child Server number - generation</td></tr>
 <tr><th>PID</th><td>OS process ID</td></tr>
 <tr><th>Acc</th><td>Number of accesses this connection / this child / this slot</td></tr>
 <tr><th>M</th><td>Mode of operation</td></tr>
<tr><th>CPU</th><td>CPU usage, number of seconds</td></tr>
<tr><th>SS</th><td>Seconds since beginning of most recent request</td></tr>
 <tr><th>Req</th><td>Milliseconds required to process most recent request</td></tr>
 <tr><th>Conn</th><td>Kilobytes transferred this connection</td></tr>
 <tr><th>Child</th><td>Megabytes transferred this child</td></tr>
 <tr><th>Slot</th><td>Total megabytes transferred this slot</td></tr>
 </table>
</body></html>
* Connection #0 to host 192.168.0.214 left intact
[root@v-nagios-xi ~]# 


will need to wait until monday now to do the same on the work setup to test
Guyver1

Re: access /server-status without credentials

Post by Guyver1 »

not working with both the following configurations locally and from my Windows management server:

Code:

<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1,xx.xx.102.201
</Location>

Code:

<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1,xx.xx.102.201
    Require all granted
</Location>

Code:

[root@nagios conf]# curl -k -L -v http://127.0.0.1/server-status
* About to connect() to 127.0.0.1 port 80 (#0)
*   Trying 127.0.0.1... connected
* Connected to 127.0.0.1 (127.0.0.1) port 80 (#0)
> GET /server-status HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: 127.0.0.1
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Mon, 14 Oct 2019 10:37:59 GMT
< Server: Apache/2.2.15 (Red Hat)
< Location: https://nagios.internal.domain/server-status
< Content-Length: 308
< Connection: close
< Content-Type: text/html; charset=iso-8859-1
<
* Closing connection #0
* Issue another request to this URL: 'https://nagios.internal.domain/server-status'
* About to connect() to nagios.internal.domain port 443 (#0)
*   Trying xx.xx.110.94... connected
* Connected to nagios.internal.domain (xx.xx.110.94) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=nagios.internal.domain,OU=Libr,O=C,L=C,ST=S,C=xx
*       start date: Dec 09 10:10:31 2015 GMT
*       expire date: Dec 08 10:10:31 2017 GMT
*       common name: nagios.internal.domain
*       issuer: CN=Issuing CA 1,DC=internal,DC=xxxx,DC=xx,DC=xx
> GET /server-status HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: nagios.internal.domain
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Date: Mon, 14 Oct 2019 10:37:59 GMT
< Server: Apache/2.2.15 (Red Hat)
< Content-Length: 309
< Connection: close
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /server-status
on this server.</p>
<hr>
<address>Apache/2.2.15 (Red Hat) Server at nagios.internal.domain Port 443</address>
</body></html>
* Closing connection #0
[root@nagios conf]#
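
An added example, not part of the original posts and not Nagios or Apache code: a simplified Python model of `Order deny,allow` evaluation, run against the block posted above. Apache's `Allow from` takes whitespace-separated hosts; the model assumes a comma-joined token is one argument that is not a valid address and so matches nothing. The names `parse_acl`, `matches` and `allowed`, and the address 192.0.2.201, are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the block posted above, with the documentation address
# 192.0.2.201 standing in for the redacted xx.xx.102.201.
POSTED = """
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1,192.0.2.201
</Location>
"""
FIXED = POSTED.replace("127.0.0.1,192.0.2.201", "127.0.0.1 192.0.2.201")

def parse_acl(conf, path="/server-status"):
    """Return (deny_specs, allow_specs, warnings) for one <Location> block."""
    m = re.search(r"<Location\s+%s\s*>(.*?)</Location>" % re.escape(path),
                  conf, re.S | re.I)
    if m is None:
        raise ValueError("no <Location %s> block found" % path)
    acl, warnings, has_require = {"deny": [], "allow": []}, [], False
    for line in m.group(1).splitlines():
        words = line.split()
        if len(words) >= 3 and words[0].lower() in acl and words[1].lower() == "from":
            for spec in words[2:]:
                if "," in spec:
                    warnings.append("comma-joined spec %r is a single argument" % spec)
                acl[words[0].lower()].append(spec)
        elif words and words[0].lower() == "require":
            has_require = True
    if has_require and (acl["deny"] or acl["allow"]):
        warnings.append("2.4 'Require' mixed with 2.2-style Order/Deny/Allow")
    return acl["deny"], acl["allow"], warnings

def matches(spec, client):
    """True if client falls in spec ('all', a full IP address, or CIDR)."""
    if spec.lower() == "all":
        return True
    try:
        return ipaddress.ip_address(client) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False  # assumption: hostnames and malformed specs never match here

def allowed(conf, client):
    """Order deny,allow: Deny is checked first, a matching Allow wins, default allow."""
    deny, allow, _ = parse_acl(conf)
    if any(matches(s, client) for s in allow):
        return True
    return not any(matches(s, client) for s in deny)
```

The curl trace above also shows the request to 127.0.0.1 being redirected to https://nagios.internal.domain at xx.xx.110.94, so the client address Apache evaluates on the second request may not be 127.0.0.1; the access log shows the address it actually saw.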

scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: access /server-status without credentials

Post by scottwilkerson »

Do you have the same configuration in the SSL config?

I ask because it is redirecting to the SSL version and then failing
Former Nagios employee
Creator:
ahumandesign.com
enneagrams.com
Guyver1

Re: access /server-status without credentials

Post by Guyver1 »

just added:
<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
Allow from 127.0.0.1,xx.xx.102.201
Require all granted
</Location>

to the ssl.conf both inside and outside of the <virtualhost> tags and tested both versions and still getting 403 Forbidden. :evil:

annoying
scottwilkerson

Re: access /server-status without credentials

Post by scottwilkerson »

I'm not really sure what to say, you may want to consider consulting an apache forum as the issue you are hitting isn't really Nagios related, but a configuration problem with an external apache config.
Guyver1

Re: access /server-status without credentials

Post by Guyver1 »

yeah, thanks for your assistance Scott, appreciated.

I have posted on the apache subreddit, but yet to get a response.
scottwilkerson

Re: access /server-status without credentials

Post by scottwilkerson »

Guyver1 wrote: yeah, thanks for your assistance Scott, appreciated. I have posted on the apache subreddit, but yet to get a response.

Good luck!