Limit users access by source ip

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
evicon
Posts: 4
Joined: Tue Feb 07, 2017 8:31 am

Limit users access by source ip

Post by evicon »

Hi all,
I'm trying to figure out if there's a way to restrict user access by source IP.
What I'm supposed to implement is a restriction for admins to log in from a remote control site.
A read-only user can log in from everywhere (there are around 10 physical locations), an admin can log in just from 2 specific sites.
The login process is AD integrated.

Do you have any suggestions?

TIA.
rkennedy
Posts: 6579
Joined: Mon Oct 05, 2015 11:45 am

Re: Limit users access by source ip

Post by rkennedy »

Built in, there isn't a way to do this. There are two routes I would look at going (depends on the layer you want to block at - this is a bit above the scope of what we can provide support for, FYI) -

1. A firewall level (not on the XI machine)
2. A firewall level (on the local XI machine)
3. Apache configuration - this will allow you to restrict which IPs can access x pages.
Example (you'll need to test this in conjunction with the LDAP) -



   <IfModule mod_authz_core.c>
     # Apache 2.4
     <RequireAny>
       Require ip 127.0.0.1
       Require ip ::1
     </RequireAny>
   </IfModule>
   <IfModule !mod_authz_core.c>
     # Apache 2.2
     Order Deny,Allow
     Deny from All
     Allow from 127.0.0.1
     Allow from ::1
   </IfModule>
The option I would go with would be #1 if possible, otherwise #2 would work as well.
Former Nagios Employee
evicon
Posts: 4
Joined: Tue Feb 07, 2017 8:31 am

Re: Limit users access by source ip

Post by evicon »

Hi,
Sorry for the delay, I didn't see the answer....
The problem is I can't drop connections by IP ..... from the same machine, if you're an RO user the login is legit, but if you're an RW user you can't.
So I need to have a combination of IP and user.
I was looking for a solution with NGINX as a reverse proxy with LDAP AUTH activated and a sort of simple application (https://www.nginx.com/blog/nginx-plus-a ... ate-users/).
In this way I can control with a reverse proxy rule how you can land on my nagiosxi, but I should modify the login process.... or find documentation on how to manage NSP :o
evicon
Posts: 4
Joined: Tue Feb 07, 2017 8:31 am

Re: Limit users access by source ip

Post by evicon »

Hi,
I posted a reply ... but something went wrong.
Thanks for your answer, none of the solutions can be applied, I have to filter by IP and by login name, I mean if you're an RO user you can log in from every station but if you're an RW user you can't.
I was looking to put a layer (https://www.nginx.com/blog/nginx-plus-a ... ate-users/) in between; my only problem right now is the NSP code generated by nagiosxi. If there is a way to interact with it, I can use nginx to authenticate users and then pass a redirect to the login page with a formatted post action (and make a rewrite rule in NGINX to deny access to the login page):

nsp=231733d59da7289caf6d7aef3115b331bbb0bcd37cba5438634553fe5e60f42a&page=auth&debug=&pageopt=login&redirect=%2Fnagiosxi%2Findex.php%3F&username=nagiosadmin&password=u%mypass&loginButton=

Obviously the best way would be to modify the login page to add headers and bypass the intermediate application, as explained in the nginx post.

What do you think?
rkennedy
Posts: 6579
Joined: Mon Oct 05, 2015 11:45 am

Re: Limit users access by source ip

Post by rkennedy »

This is a bit out of scope for what we generally support. You could use nginx / haproxy / whatever load balancer, and add a simple basic auth front end. From there, specify your different destinations based on the RW / RO structure.

You should be able to create a web socket with PHP (or your language of choice) to then poll the nsp value and then run your own POST for the logic procedure accordingly.

Is there a reason the general login authentication we have built in doesn't work? The account permissions can all be assigned to make someone RO or RW.
Former Nagios Employee
evicon
Posts: 4
Joined: Tue Feb 07, 2017 8:31 am

Re: Limit users access by source ip

Post by evicon »

Hi,
Your implementation is correct, I just miss the possibility to filter login by IP.
Suppose you have 5 buildings: your admin can connect just from one with an RW user and not from the other four, but from these other buildings all the tech support personnel must have the ability to log in without problems with their RO users. I don't see a way to accomplish this with the standard implementation (nagiosxi).
Am I wrong?

Cheers,
Cristiano
avandemore
Posts: 1597
Joined: Tue Sep 27, 2016 4:57 pm

Re: Limit users access by source ip

Post by avandemore »

Nagios XI doesn't support permission restrictions based upon IP. You will need to find an external solution or we provide custom development for a fee. If you are interested let me know and I'll get you in touch with the right people.

Or I can file a feature request if you like.
Previous Nagios employee
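
Added example, not part of the thread and not Nagios code: the "combination of IP and user" rule discussed above, written as the decision an external reverse proxy or auth helper would make for each login POST. The admin networks, the RW account list and all function names are assumptions; the nsp token is left untouched.

```python
import ipaddress
from urllib.parse import parse_qs

# Constructed placeholders: the two admin sites and the RW (admin) accounts.
ADMIN_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8:10::/48")]
RW_USERS = {"nagiosadmin"}


def normalize_ip(source_ip):
    """Parse the peer address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    addr = ipaddress.ip_address(source_ip.strip())
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def from_admin_site(addr):
    return any(addr in net for net in ADMIN_NETWORKS)


def login_allowed(source_ip, post_body):
    """Return (allowed, reason) for one login POST seen at the proxy.

    source_ip must be the TCP peer address the proxy observed, never a
    client-supplied header such as X-Forwarded-For.
    """
    try:
        addr = normalize_ip(source_ip)
    except ValueError:
        return False, "unparseable source address"
    names = parse_qs(post_body, keep_blank_values=True).get("username", [])
    if len(names) != 1:
        # Missing or repeated username: proxy and backend could disagree on
        # which value counts, so refuse instead of guessing.
        return False, "missing or ambiguous username"
    # AD account names are case-insensitive; trimming and case-folding can only
    # make more requests match the stricter RW rule, never fewer.
    user = names[0].strip().casefold()
    if user in RW_USERS and not from_admin_site(addr):
        return False, "RW account from non-admin site"
    return True, "ok"


# Constructed login body in the shape of the POST quoted in the thread.
SAMPLE = "nsp=PLACEHOLDER&page=auth&pageopt=login&username=nagiosadmin&password=x&loginButton="

if __name__ == "__main__":
    for ip in ("192.0.2.15", "203.0.113.9", "::ffff:192.0.2.15"):
        print(ip, login_allowed(ip, SAMPLE))
```

The check only helps if the proxy is the sole network path to the Nagios XI login page, which is what options 1 and 2 earlier in the thread can enforce.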