Page 1 of 1
access /server-status without credentials
Posted: Fri Oct 11, 2019 3:25 am
by Guyver1
Hi,
I've just started learning apache so bear with me.
I've successfully configured the /server-status page on our nagios server:
<Location /server-status>
SetHandler server-status
Order deny,allow
Allow from x.x.x.x
</Location>
However, it requests credentials whenever you attempt to browse to it which means alot of the nagios plugins for checking apache wont work as a lot of them dont have username/password arguments.
Is there a way in httpd.conf to allow access to /server-status without being forced to enter nagios credentials?
This is so I can configure our other apache web servers /server-status pages and allow nagios to check them without worrying about credential issues.
Re: access /server-status without credentials
Posted: Fri Oct 11, 2019 11:36 am
by benjaminsmith
Hello,
Try setting the apache config as follows. This is working on my test system.
Code: Select all
<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
Allow from 127.0.0.1 <IP address Nagios>
</Location>
To test run the following curl command and post the any errors messages.
Code: Select all
curl -k -L -v http://127.0.0.1/server-status
Re: access /server-status without credentials
Posted: Fri Oct 11, 2019 5:43 pm
by Guyver1
ok cheers.
Got this working on my lab at home:
Code: Select all
[root@v-nagios-xi ~]# curl -k -L -v http://192.168.0.214/server-status
* About to connect() to 192.168.0.214 port 80 (#0)
* Trying 192.168.0.214...
* Connected to 192.168.0.214 (192.168.0.214) port 80 (#0)
> GET /server-status HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 192.168.0.214
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Fri, 11 Oct 2019 22:20:32 GMT
< Server: Apache/2.4.6 (CentOS) PHP/5.4.16
< Content-Length: 3016
< Content-Type: text/html; charset=ISO-8859-1
<
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head>
<title>Apache Status</title>
</head><body>
<h1>Apache Server Status for 192.168.0.214 (via 192.168.0.214)</h1>
<dl><dt>Server Version: Apache/2.4.6 (CentOS) PHP/5.4.16</dt>
<dt>Server MPM: prefork</dt>
<dt>Server Built: Aug 8 2019 11:41:18
</dt></dl><hr /><dl>
<dt>Current Time: Friday, 11-Oct-2019 23:20:32 BST</dt>
<dt>Restart Time: Friday, 11-Oct-2019 23:19:36 BST</dt>
<dt>Parent Server Config. Generation: 1</dt>
<dt>Parent Server MPM Generation: 0</dt>
<dt>Server uptime: 56 seconds</dt>
<dt>Server load: 0.00 0.01 0.05</dt>
<dt>Total accesses: 1 - Total Traffic: 3 kB</dt>
<dt>CPU Usage: u0 s0 cu0 cs0<dt>.0179 requests/sec - 54 B/second - 3072 B/request</dt>
<dt>1 requests currently being processed, 5 idle workers</dt>
</dl><pre>__W___..........................................................
................................................................
................................................................
................................................................
</pre>
<p>Scoreboard Key:<br />
"<b><code>_</code></b>" Waiting for Connection,
"<b><code>S</code></b>" Starting up,
"<b><code>R</code></b>" Reading Request,<br />
"<b><code>W</code></b>" Sending Reply,
"<b><code>K</code></b>" Keepalive (read),
"<b><code>D</code></b>" DNS Lookup,<br />
"<b><code>C</code></b>" Closing connection,
"<b><code>L</code></b>" Logging,
"<b><code>G</code></b>" Gracefully finishing,<br />
"<b><code>I</code></b>" Idle cleanup of worker,
"<b><code>.</code></b>" Open slot with no current process<br />
<p />
<table border="0"><tr><th>Srv</th><th>PID</th><th>Acc</th><th>M</th><th>CPU
</th><th>SS</th><th>Req</th><th>Conn</th><th>Child</th><th>Slot</th><th>Client</th><th>VHost</th><th>Request</th></tr>
<tr><td><b>0-0</b></td><td>14709</td><td>0/1/1</td><td>_
</td><td>0.00</td><td>38</td><td>0</td><td>0.0</td><td>0.00</td><td>0.00
</td><td>192.168.0.211</td><td nowrap>v-nagios-repo.ghfb.local:80</td><td nowrap>NULL</td></tr>
<tr><td><b>2-0</b></td><td>14711</td><td>0/0/0</td><td><b>W</b>
</td><td>0.00</td><td>0</td><td>0</td><td>0.0</td><td>0.00</td><td>0.00
</td><td>192.168.0.215</td><td nowrap>v-nagios-repo.ghfb.local:80</td><td nowrap>GET /server-status HTTP/1.1</td></tr>
</table>
<hr /> <table>
<tr><th>Srv</th><td>Child Server number - generation</td></tr>
<tr><th>PID</th><td>OS process ID</td></tr>
<tr><th>Acc</th><td>Number of accesses this connection / this child / this slot</td></tr>
<tr><th>M</th><td>Mode of operation</td></tr>
<tr><th>CPU</th><td>CPU usage, number of seconds</td></tr>
<tr><th>SS</th><td>Seconds since beginning of most recent request</td></tr>
<tr><th>Req</th><td>Milliseconds required to process most recent request</td></tr>
<tr><th>Conn</th><td>Kilobytes transferred this connection</td></tr>
<tr><th>Child</th><td>Megabytes transferred this child</td></tr>
<tr><th>Slot</th><td>Total megabytes transferred this slot</td></tr>
</table>
</body></html>
* Connection #0 to host 192.168.0.214 left intact
[root@v-nagios-xi ~]#
will need to wait until monday now to do the same on the work setup to test
Re: access /server-status without credentials
Posted: Mon Oct 14, 2019 5:44 am
by Guyver1
not working with both the following configurations locally and from my windows managment server:
Code: Select all
922 <Location /server-status>
923 SetHandler server-status
924 Order deny,allow
925 Deny from all
926 Allow from 127.0.0.1,xx.xx.102.201
927 </Location>
Code: Select all
922 <Location /server-status>
923 SetHandler server-status
924 Order deny,allow
925 Deny from all
926 Allow from 127.0.0.1,xx.xx.102.201
927 Require all granted
928 </Location>
Code: Select all
[root@nagios conf]# curl -k -L -v http://127.0.0.1/server-status
* About to connect() to 127.0.0.1 port 80 (#0)
* Trying 127.0.0.1... connected
* Connected to 127.0.0.1 (127.0.0.1) port 80 (#0)
> GET /server-status HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: 127.0.0.1
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Mon, 14 Oct 2019 10:37:59 GMT
< Server: Apache/2.2.15 (Red Hat)
< Location: https://nagios.internal.domain/server-status
< Content-Length: 308
< Connection: close
< Content-Type: text/html; charset=iso-8859-1
<
* Closing connection #0
* Issue another request to this URL: 'https://nagios.internal.domain/server-status'
* About to connect() to nagios.internal.domain port 443 (#0)
* Trying xx.xx.110.94... connected
* Connected to nagios.internal.domain (xx.xx.110.94) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=nagios.internal.domain,OU=Libr,O=C,L=C,ST=S,C=xx
* start date: Dec 09 10:10:31 2015 GMT
* expire date: Dec 08 10:10:31 2017 GMT
* common name: nagios.internal.domain
* issuer: CN=Issuing CA 1,DC=internal,DC=xxxx,DC=xx,DC=xx
> GET /server-status HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: nagios.internal.domain
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Date: Mon, 14 Oct 2019 10:37:59 GMT
< Server: Apache/2.2.15 (Red Hat)
< Content-Length: 309
< Connection: close
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /server-status
on this server.</p>
<hr>
<address>Apache/2.2.15 (Red Hat) Server at nagios.internal.domain Port 443</address>
</body></html>
* Closing connection #0
[root@nagios conf]#
Re: access /server-status without credentials
Posted: Mon Oct 14, 2019 8:08 am
by scottwilkerson
Do you have the same configuration in the SSL config?
I ask because it is redirecting to the SSL version and then failing
Re: access /server-status without credentials
Posted: Mon Oct 14, 2019 10:54 am
by Guyver1
just added:
<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
Allow from 127.0.0.1,xx.xx.102.201
Require all granted
</Location>
to the ssl.conf both inside and outside of the <virtualhost> tags and tested both versions and still getting 403 Forbidden.
annoying
Re: access /server-status without credentials
Posted: Mon Oct 14, 2019 11:26 am
by scottwilkerson
I'm not really sure what to say, you may want to consider consulting an apache forum as the issue you are hitting isn't really Nagios related, but a configuration problem with an external apache config.
Re: access /server-status without credentials
Posted: Tue Oct 15, 2019 6:22 am
by Guyver1
yeah, thanks for your assistance Scott, appreciated.
I have posted on the apache subreddit, but yet to get a response.
Re: access /server-status without credentials
Posted: Tue Oct 15, 2019 6:34 am
by scottwilkerson
Guyver1 wrote:yeah, thanks for your assistance Scott, appreciated.
I have posted on the apache subreddit, but yet to get a response.
Good luck!