SSL Redirection 5.2.3

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
mikew
Posts: 243
Joined: Sun Feb 05, 2012 7:05 pm

Re: SSL Redirection 5.2.3

Post by mikew »

Thanks ssax, I have used the code you provided to solve the issue on one XI server. I am going to build out several more as a way to verify. I like the idea of working with httpd.conf as there are fewer variables than if I used nagiosxi.conf in the /etc/httpd/conf.d directory, as that may get changed on updates.

I will post the solution that I use so that others can benefit...hopefully by Monday.
Mike Weber

Nagios Training/Consulting
mikew
Posts: 243
Joined: Sun Feb 05, 2012 7:05 pm

Re: SSL Redirection 5.2.3

Post by mikew »

Below are the directions that I used to install 5 Nagios XI servers in a row to test and use the SSL connection. This seems to work with no issues and is as simple as you can get.



Encrypted Logins

You do have a few requirements for installation.

Code:

yum install -y mod_ssl

Create a Self-Signed Certificate
OpenSSL should be installed on the server as this will be used to create the keys. Create a RSA private key for the server:

Code:

cd
openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2046 bit long modulus
Enter pass phrase for server.key:

Verifying - Enter pass phrase for server.key:

Code:

openssl rsa -noout -text -in server.key
Enter pass phrase for server.key:

Create a Certificate Signing Request with the server’s RSA private key

Code:

openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:

You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Montana
Locality Name (eg, city) [Newbury]:Trout Creek
Organization Name (eg, company) [My Company Ltd]:My Company
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ns.example.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:Mu75Rdes43
An optional company name []:

Code:

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=US/ST=Montana/L=Trout Creek/O=My Company/CN=ns.example.com/emailAddress=[email protected]
Getting Private key
Enter pass phrase for server.key:

Code:

cp server.crt /etc/pki/tls/certs/
cp server.key /etc/pki/tls/private/
cp server.csr /etc/pki/tls/private/

Now edit the /etc/httpd/conf.d/ssl.conf file and verify these lines with paths exist.

Code:

SSLCertificateFile /etc/pki/tls/certs/server.crt
SSLCertificateKeyFile /etc/pki/tls/private/server.key

Change the permissions:

Code:

chmod go-rwx /etc/pki/tls/certs/server.crt
chmod go-rwx /etc/pki/tls/private/server.key

Remove the key passphrase so you do not have to be present for restart.

Code:

openssl rsa -in server.key -out /etc/pki/tls/private/server.key

###########################################
Edit /etc/httpd/conf/httpd.conf
###########################################
Place this text at the end of the file.

Code:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

###########################################
Edit /usr/local/nagiosxi/html/config.inc.php
###########################################
Change the false to true so it looks like this:

// force http/https

Code:

$cfg['use_https'] = true;

###########################################
Edit Admin/System Config/System Settings
###########################################

Change the Program URL: to https

###########################################
Edit Configure/Core Config Manager/Config Manager Admin/Config Manager Settings
###########################################
Modify the Config Manager Settings:

Proceed to Config/Core Config Manager/Config Manager Admin/ Config Manager Settings. Before making changes, alter the permissions on the file to modify with:
chown apache:nagios /var/www/html/nagiosql/config/settings.php

In the XI interface choose Configure/Core Config Manager/Config Manager Admin/Config Manager Settings. Then select the "Server Protocol" and make it HTTPS.

Restart apache with:

Code:

service httpd restart

When you access a self-signed certificate some browsers will indicate a problem. This is just because it is not an official certificate; the security is still fine. Here is an example with Chrome.
Mike Weber

Nagios Training/Consulting
WillemDH
Posts: 2320
Joined: Wed Mar 20, 2013 5:49 am
Location: Ghent
Contact:

Re: SSL Redirection 5.2.3

Post by WillemDH »

Mike,

Thanks for your nice procedure. We are however using our own PKI, so I have a SHA256 certificate issued by our intermediate CA. I'm already past setting up the certificates. Everything works fine when using HTTPS. Everything works fine when using HTTP. The problem I'm having is I can't make the permanent redirect, which is offered as the solution in the Nagios XI documentation, work.

EDIT: I was testing with "http://nagiosserver" which is not being redirected to HTTPS. The moment you click on "Access Nagios XI" it is being redirected to SSL though. But as we would like to put everything behind SSL, and we want users making use of the Nagios server shortname to be redirected immediately to the FQDN, I made this adjustment which works every time for me:

Code:

<VirtualHost *:80>
        Redirect permanent / https://nagiosserver.domain.name/
        <Directory "/usr/local/nagiosxi/html">
                Options None
                AllowOverride None
                Order allow,deny
                Allow from all
        </Directory>
        <IfModule mod_rewrite.c>
                RewriteEngine On
                RewriteCond %{REQUEST_FILENAME} !-f
                RewriteCond %{REQUEST_FILENAME} !-d
                RewriteRule nagiosxi/api/v1/(.*)$ /usr/local/nagiosxi/html/api/v1/index.php?request=$1 [QSA,NC,L]
        </IfModule>
</VirtualHost>
<VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile /etc/pki/tls/certs/nagiosserver_2016_sha256.crt
        SSLCertificateKeyFile /etc/pki/tls/private/nagiosserver_2016_sha256.key
        ErrorLog  /var/log/httpd/ssl_error_log
        CustomLog /var/log/httpd/ssl_access_log combined
        <Directory "/usr/local/nagiosxi/html">
                AllowOverride All
        </Directory>
        <IfModule mod_rewrite.c>
                RewriteEngine On
                RewriteCond %{REQUEST_FILENAME} !-f
                RewriteCond %{REQUEST_FILENAME} !-d
                RewriteRule nagiosxi/api/v1/(.*)$ /usr/local/nagiosxi/html/api/v1/index.php?request=$1 [QSA,NC,L]
        </IfModule>
</VirtualHost>

Alias /nagiosxi "/usr/local/nagiosxi/html"

The redirect should be set before the Directory directive. This method does not need the rewrite in httpd.conf. I will test this on my production server next week.

Grtz
Nagios XI 5.8.1
https://outsideit.net
mikew
Posts: 243
Joined: Sun Feb 05, 2012 7:05 pm

Re: SSL Redirection 5.2.3

Post by mikew »

So in my solution I did not touch nagiosxi.conf, I left it as the default install. Again, my fear is that file would be modified potentially on upgrade.
Mike Weber

Nagios Training/Consulting
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: SSL Redirection 5.2.3

Post by tmcdonald »

@WillemDH please let us know how this works out for you, and by all means if you or @mikew need anything please let us know!
Former Nagios employee
Box293
Too Basu
Posts: 5126
Joined: Sun Feb 07, 2010 10:55 pm
Location: Deniliquin, Australia
Contact:

Re: SSL Redirection 5.2.3

Post by Box293 »

mikew wrote: So in my solution I did not touch nagiosxi.conf, I left it as the default install. Again, my fear is that file would be modified potentially on upgrade.
Mike,
I tested your solution and it seems to do all the HTTP -> HTTPS redirection. Even when I go to http://xiserver/nagios (not nagiosxi) I get the HTTPS redirection.

Am I correct that is what is going on? Is it just that simple?
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
WillemDH
Posts: 2320
Joined: Wed Mar 20, 2013 5:49 am
Location: Ghent
Contact:

Re: SSL Redirection 5.2.3

Post by WillemDH »

For me setting

Code:

<VirtualHost *:80>
        Redirect permanent / https://nagiosserver.domain.name/

in nagiosxi.conf works better than adding

Code:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

to ssl.conf

Why?

Because when using certs from PKI, the redirect needs to be done to the FQDN of the host. Otherwise you will get certificate errors as the certificate name does not match the URL. Unless you guys can provide me a better rewrite rule which does in fact rewrite the URL to the FQDN instead of the hostname used in the URL, it is my opinion Mike's solution is not optimal in all settings.

As I can't give you an example for Nagios, as I prefer not to change anything there for now, I'd like to give our NLS as an example.

With this solution in ssl.conf of an NLS node:

Code:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

the following works:

http://naglog.domain will be redirected to https://naglog.domain/nagioslogserver/login?redirect=

But this will generate cert error:

http://naglog will be redirected to https://naglog/nagioslogserver/login?redirect=

As the cert is made for naglog.domain....

By setting:

Code:

<VirtualHost *:80>
        Redirect permanent / https://nagiosserver.domain.name/

All URLs, also users who use the shortname, will be redirected to the HTTPS FQDN. I'm just trying to come to the overall best solution, not only the one that works for self-signed certs. If someone thinks there is a way to make it work with a rewrite in ssl.conf and redirect to https://fqdn, I'm willing to test this.

So for NLS, this is the nagioslogserv.conf I'm using atm:

Code:

<VirtualHost *:80>
    Redirect permanent / https://logserver.domain/
    <Directory "/var/www/html/nagioslogserver/www/">
    #   SSLRequireSSL
    Options FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
    </Directory>
</VirtualHost>

RewriteEngine on
RewriteCond $1 !^(index\.php|scripts|media|app|js|css|img|font|vendor|config.js)
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule nagioslogserver/(.*)$ /var/www/html/nagioslogserver/www/index.php/$1 [L,QSA]

Alias /nagioslogserver "/var/www/html/nagioslogserver/www/"

Which works in all cases, contrary to the rewrite in ssl.conf solution.

Grtz

Willem
Nagios XI 5.8.1
https://outsideit.net
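
Added example, not part of any post in this thread: one way to get a rewrite that redirects to the FQDN, as asked about above, is to replace %{HTTP_HOST} with a literal host name. nagiosserver.domain.name is the placeholder FQDN from WillemDH's post, the httpd.conf placement follows mikew's approach, and mod_rewrite is assumed to be loaded.

```apache
# /etc/httpd/conf/httpd.conf, end of file (nagiosxi.conf stays untouched).
# Assumption: the certificate was issued for nagiosserver.domain.name.

RewriteEngine On

# Before: the redirect target is copied from the request's Host header.
# http://nagiosserver/ is sent to https://nagiosserver/, a name the
# certificate does not cover, so the browser reports a name mismatch.
#RewriteCond %{HTTPS} off
#RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

# After: the target host is a literal. Short names, aliases and requests
# by IP address all land on the one name the certificate was issued for,
# and the Location header no longer depends on client-supplied input.
# R=301 gives the same status as "Redirect permanent"; the query string
# is carried over automatically.
RewriteCond %{HTTPS} off
RewriteRule ^ https://nagiosserver.domain.name%{REQUEST_URI} [R=301,L]

# Rewrite rules in the main server context are not inherited by
# <VirtualHost> blocks by default. If port 80 is served from a
# <VirtualHost *:80> block, as in the nagiosxi.conf shown earlier in the
# thread, put these lines inside that block instead.
```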
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises
Contact:

Re: SSL Redirection 5.2.3

Post by scottwilkerson »

Both mikew's and WillemDH's preferences seem acceptable to me.

Different users/organizations are going to have their own preferred methods, which may or may not differ from the documentation we provide as an example of one way to accomplish the goal.

This really comes down to system administration, and how your organization prefers the task to be accomplished.

In some cases making the redirection in httpd.conf may not be preferable because you may have multiple VirtualHosts running on the same server that have a mix of SSL/non-SSL connections.

On the flip side, mikew's approach has merit where all of the changes are happening outside of the nagiosxi.conf, which at the very least may need modification by our upgrade script to add additional functionality.
Former Nagios employee
WillemDH
Posts: 2320
Joined: Wed Mar 20, 2013 5:49 am
Location: Ghent
Contact:

Re: SSL Redirection 5.2.3

Post by WillemDH »

Thanks for sharing your opinion Scott. I totally agree different situations require different setups. This can be closed for me if it's ok for Mike. :)
Nagios XI 5.8.1
https://outsideit.net
lmiltchev
Former Nagios Staff
Posts: 13589
Joined: Mon May 23, 2011 12:15 pm

Re: SSL Redirection 5.2.3

Post by lmiltchev »

Mike, is it safe to lock this thread?
Be sure to check out our Knowledgebase for helpful articles and solutions!
Locked