Nagios behind loadbalancer doing SSL off loading = XSS issue

fmpub
Posts: 20
Joined: Thu Jun 17, 2010 1:57 pm

Nagios behind loadbalancer doing SSL off loading = XSS issue

Post by fmpub »

Here is our Setup.

Running F5 LTM load balancers, which are doing SSL off loading on the front end, to a non-SSL Nagios install on the back end. E.g.: user accesses https://nagios.mycompany. The load balancer does all the SSL and the request goes to the server across the local backend unencrypted to port 80.

Problem: all the Ajax elements are causing the browsers to think they are dealing with a cross-site scripting situation, since Nagios XI sends back http URLs and the load balancer redirects to https. So I am unable to use XI from the frontend, as 90% of it won't load.

How can this be fixed? For security reasons we need SSL Nagios XI. I see a few solutions:

1) I need to be able to turn on SSL for XI and run my XI server on 443
2) I need to optionally just get XI to send back URI formatted as https and let my load balancer continue to off load the SSL on the front end.

Regardless, this needs to be a Nagios-supported solution. I am not willing to Swiss cheese my XI install in a way that will prevent, hinder or complicate my upgrade process.
mguthrie
Posts: 4380
Joined: Mon Jun 14, 2010 10:21 am

Re: Nagios behind loadbalancer doing SSL off loading = XSS issue

Post by mguthrie »

We had another customer document how to configure XI to use SSL with certificates. See if this is what you need.

http://support.nagios.com/forum/viewtopic.php?f=9&t=125
mmestnik
Posts: 972
Joined: Mon Feb 15, 2010 2:23 pm

Re: Nagios behind loadbalancer doing SSL off loading = XSS issue

Post by mmestnik »

Can't the BigIP inject the missing 'S'? If the BigIP won't then I suggest using something like Privoxy.

We may make some changes in the future to change the way NagiosXI handles SSL.
fmpub
Posts: 20
Joined: Thu Jun 17, 2010 1:57 pm

Re: Nagios behind loadbalancer doing SSL off loading = XSS issue

Post by fmpub »

mguthrie - I need to take a look at that post and evaluate the changes that were made to SSL XI. I am not willing to fork my XI to an unsupported build, and I am not willing to put our install into a state where we will need to manage a significant set of manual changes to XI's code base, making support for the product and upgrading it difficult. We are enterprise customers for a reason.
fmpub
Posts: 20
Joined: Thu Jun 17, 2010 1:57 pm

Re: Nagios behind loadbalancer doing SSL off loading = XSS issue

Post by fmpub »

mmestnik - We have a rule in place that says to redirect any requests for http to https. In the case of the AJAX it looks like the browser doesn't like being told to go to one place and then ending up in a different place. I am looking at the possibility of rewriting the outgoing request so that the browser only ever gets an https URI. But it would have been far simpler if XI supported SSL natively.
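
As an added example (not part of the original thread, and not Nagios or F5 code): a small Python check that can be run over a response captured from the plain-HTTP backend, listing the absolute `http://` self-references that would need rewriting before a browser on the HTTPS front end sees them. The host name `nagios.example.test`, the paths and the sample response are constructed for illustration.

```python
import re


def find_scheme_downgrades(public_host, headers, body):
    """Return (where, url) pairs for absolute http:// URLs that point back at
    the host users reach over HTTPS through the TLS-terminating load balancer."""
    # The lookahead stops look-alike hosts (nagios.example.test.other...) from matching.
    pattern = re.compile(
        r"http://" + re.escape(public_host)
        + r"(?::\d+)?(?=[/?#\"'\s<>]|$)[^\s\"'<>]*",
        re.IGNORECASE,
    )
    findings = []
    # Redirect-style headers: an http:// value here bounces the browser off HTTPS.
    for name, value in headers.items():
        if name.lower() in ("location", "content-location"):
            match = pattern.match(value.strip())
            if match:
                findings.append((f"{name} header", match.group(0)))
    # Body: covers tag attributes and base URLs embedded in inline script.
    for lineno, line in enumerate(body.splitlines(), start=1):
        for match in pattern.finditer(line):
            findings.append((f"body line {lineno}", match.group(0)))
    return findings


# Constructed sample of what a backend unaware of the front-end scheme might emit.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Location": "http://nagios.example.test/app/login",
}
SAMPLE_BODY = """<html><head>
<script src="http://nagios.example.test/app/js/core.js"></script>
<script>var base_url = "http://nagios.example.test/app/";</script>
<link rel="stylesheet" href="/app/css/site.css">
<img src="https://nagios.example.test/app/logo.png">
<a href="http://nagios.example.test.other.invalid/">elsewhere</a>
</head></html>"""

if __name__ == "__main__":
    for where, url in find_scheme_downgrades(
        "nagios.example.test", SAMPLE_HEADERS, SAMPLE_BODY
    ):
        print(f"{where}: {url}")
```

Relative URLs and URLs that are already `https://` are not reported, so an empty result means the response carries no hard-coded `http://` references to the public host.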
mmestnik
Posts: 972
Joined: Mon Feb 15, 2010 2:23 pm

Re: Nagios behind loadbalancer doing SSL off loading = XSS issue

Post by mmestnik »

I can see how, for your situation, using HTTPS initially would have been a benefit; however, it would have added extra complications for the majority of users who would never expose XI outside of a single room/datacenter.

I'm a fan of encryption, but NagiosXI was designed to be usable for a single intended purpose.