How to encrypt just the login portion in Nagios XI

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
ganeshanrs1983
Posts: 55
Joined: Wed Jun 18, 2014 10:16 am

How to encrypt just the login portion in Nagios XI

Post by ganeshanrs1983 »

Could you please help us with how to encrypt just the login portion in Nagios XI? We really want to do as much unencrypted as possible.
abrist
Red Shirt
Posts: 8334
Joined: Thu Nov 15, 2012 1:20 pm

Re: How to encrypt just the login portion in Nagios XI

Post by abrist »

Could you clarify?
Are you looking to just use SSL for the login and not for the rest of XI?
If so, why? What are the use cases?
Former Nagios employee
"It is turtles. All. The. Way. Down. . . .and maybe an elephant or two."
VI VI VI - The editor of the Beast!
Come to the Dark Side.
ganeshanrs1983
Posts: 55
Joined: Wed Jun 18, 2014 10:16 am

Re: How to encrypt just the login portion in Nagios XI

Post by ganeshanrs1983 »

Yes. Login data (uname pwd) needs to be secured while the data post login does not. Encrypting the data that is already on a secured network or traversing a VPN adds overhead and slows Nagios UI response times for our offshore partners (those using the UI).
abrist
Red Shirt
Posts: 8334
Joined: Thu Nov 15, 2012 1:20 pm

Re: How to encrypt just the login portion in Nagios XI

Post by abrist »

Would forcing Apache to use SSL for just the login page be acceptable?
ganeshanrs1983
Posts: 55
Joined: Wed Jun 18, 2014 10:16 am

Re: How to encrypt just the login portion in Nagios XI

Post by ganeshanrs1983 »

Yes, it is fine for us.
abrist
Red Shirt
Posts: 8334
Joined: Thu Nov 15, 2012 1:20 pm

Re: How to encrypt just the login portion in Nagios XI

Post by abrist »

You can do this with a couple of rewrite rules. Add the following lines to the <Directory> statement in the Nagios XI vhost file located at:

Code:

/etc/httpd/conf.d/nagiosxi.conf

Note: Not my original idea, shamelessly lifted from: http://stackoverflow.com/questions/2079 ... t-one-page

Code:

RewriteEngine On
# Turn SSL on for just login
RewriteCond %{HTTPS} off
RewriteCond %{SCRIPT_FILENAME} \/login\.php [NC]
RewriteRule ^(.*)$ https://<server>/nagiosxi/$1 [R=301,L]

# Turn SSL off everything but login
RewriteCond %{HTTPS} on
RewriteCond %{SCRIPT_FILENAME} !\/login\.php [NC]
RewriteRule ^(.*)$ http://<server>/nagiosxi/$1 [R=301,L]

So that the statement resembles:

Code:

<Directory "/usr/local/nagiosxi/html">
#  SSLRequireSSL
   Options -Indexes
   AllowOverride None
   Order allow,deny
   Allow from all
#  Order deny,allow
#  Deny from all
#  Allow from 127.0.0.1
#   AuthName "Nagios XI"
#   AuthType Basic
#   AuthUserFile /usr/local/nagiosxi/etc/htpasswd.users
#   Require valid-user

RewriteEngine On
# Turn SSL on for just login
RewriteCond %{HTTPS} off
RewriteCond %{SCRIPT_FILENAME} \/login\.php [NC]
RewriteRule ^(.*)$ https://<server>/nagiosxi/$1 [R=301,L]

# Turn SSL off everything but login
RewriteCond %{HTTPS} on
RewriteCond %{SCRIPT_FILENAME} !\/login\.php [NC]
RewriteRule ^(.*)$ http://<server>/nagiosxi/$1 [R=301,L]

</Directory>

Replace <server> with your server's IP or hostname.

Remember to restart httpd:

Code:

service httpd restart

EDIT!!!!!:

You may want to check to make sure the URI login.php? is also encrypted if you have that capability.
ganeshanrs1983
Posts: 55
Joined: Wed Jun 18, 2014 10:16 am

Re: How to encrypt just the login portion in Nagios XI

Post by ganeshanrs1983 »

Thanks. Do I need to replace any name instead of {SCRIPT_FILENAME}, or do I only have to provide my hostname for the <server> portion?
abrist
Red Shirt
Posts: 8334
Joined: Thu Nov 15, 2012 1:20 pm

Re: How to encrypt just the login portion in Nagios XI

Post by abrist »

Just hostname/IP for <server>.
ganeshanrs1983
Posts: 55
Joined: Wed Jun 18, 2014 10:16 am

Re: How to encrypt just the login portion in Nagios XI

Post by ganeshanrs1983 »

Thanks, will check and get back to you.
abrist
Red Shirt
Posts: 8334
Joined: Thu Nov 15, 2012 1:20 pm

Re: How to encrypt just the login portion in Nagios XI

Post by abrist »

No problem. I am curious if this works for you, as it worked fine in my environment. The real question is if the API call to login.php? is encrypted as well, as that will include the username and password parameters.
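Added example, not part of the original thread and not Nagios or Apache code: a small Python model of the two rewrite blocks posted above, run over constructed requests, showing which ones are redirected and which credential fields had already crossed the wire over plain HTTP before the 301 was issued. The host name `xi.example.test` and the field names `username` and `password` are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

SERVER = "xi.example.test"            # assumption: stands in for <server>
DOCROOT = "/usr/local/nagiosxi/html"  # <Directory> path from the thread
PREFIX = "/nagiosxi/"                 # URL prefix used in the RewriteRule targets
LOGIN_RE = re.compile(r"/login\.php", re.I)  # RewriteCond pattern with [NC]
SECRET_FIELDS = {"username", "password"}     # assumption: constructed field names


def evaluate(method, url, body=""):
    """Model the two rule blocks for one request and return the outcome."""
    u = urlsplit(url)
    rel = u.path[len(PREFIX):] if u.path.startswith(PREFIX) else u.path.lstrip("/")
    script_filename = f"{DOCROOT}/{rel}"      # what %{SCRIPT_FILENAME} holds
    is_login = bool(LOGIN_RE.search(script_filename))
    https = u.scheme == "https"

    if not https and is_login:      # block 1: HTTPS off and login.php
        scheme = "https"
    elif https and not is_login:    # block 2: HTTPS on and anything else
        scheme = "http"
    else:
        scheme = None               # neither block matches, request is served

    location = None
    if scheme:
        # mod_rewrite keeps the original query string when the target has none
        query = f"?{u.query}" if u.query else ""
        location = f"{scheme}://{SERVER}{PREFIX}{rel}{query}"

    # The 301 is sent only after the request has arrived, so anything in the
    # query string or body of a plain-HTTP request was already sent unencrypted.
    sent = set(parse_qs(u.query)) | set(parse_qs(body))
    exposed = [] if https else sorted(sent & SECRET_FIELDS)
    return {"method": method, "location": location, "cleartext_fields": exposed}


# Constructed sample requests, not captured traffic.
SAMPLES = [
    ("GET", "http://xi.example.test/nagiosxi/login.php", ""),
    ("GET", "http://xi.example.test/nagiosxi/login.php?username=u&password=p", ""),
    ("POST", "http://xi.example.test/nagiosxi/login.php", "username=u&password=p"),
    ("POST", "https://xi.example.test/nagiosxi/login.php", "username=u&password=p"),
    ("GET", "https://xi.example.test/nagiosxi/index.php", ""),
]

if __name__ == "__main__":
    for method, url, body in SAMPLES:
        print(method, url, "->", evaluate(method, url, body))
```

A non-empty `cleartext_fields` means the rewrite rule fired too late for that request: whatever submits the credentials has to address `https://` directly for them to be encrypted.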