NagiosXI not fully on HTTPS - gives issue on reverse-proxy

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
snuman
Posts: 7
Joined: Thu May 02, 2019 6:20 am

NagiosXI not fully on HTTPS - gives issue on reverse-proxy

Post by snuman »

We are facing the following issue with Nagios when opening the website through the public internet.
NagiosXI is running on one server, CentOS 7.4 on Apache httpd. This is an internal network. On another server we have Caddy configured as a reverse proxy.

configuration reverse proxy

Code:

nagios.REPLACED.com:443 {
    reverse_proxy https://10.0.0.45 {
         transport http {
             tls
         }
    }
}

Every site works through the reverse proxy except NagiosXI. We can open the landing page but the moment we click on "login" we get a jumbled up page. (see attachment)
The log of the browser is mentioning the following:

Code:

login.php?redirect=/nagiosxi/index.php%3f&noauth=1:1 Mixed Content: The page at 'https://nagios.REPLACED.com/nagiosxi/login.php?redirect=/nagiosxi/index.php%3f&noauth=1' was loaded over HTTPS, but requested an insecure script 'http://nagios.REPLACED.com/nagiosxi/includes/js/jquery/jquery.jscrollpane.min.js'. This request has been blocked; the content must be served over HTTPS.
login.php?redirect=/nagiosxi/index.php%3f&noauth=1:1 Mixed Content: The page at 'https://nagios.REPLACED.com/nagiosxi/login.php?redirect=/nagiosxi/index.php%3f&noauth=1' was loaded over HTTPS, but requested an insecure script 'http://nagios.REPLACED.com/nagiosxi/includes/dashlets/gauges/js/gauge.js'. This request has been blocked; the content must be served over HTTPS.
login.php?redirect=/nagiosxi/index.php%3f&noauth=1:1 Mixed Content: The page at 'https://nagios.REPLACED.com/nagiosxi/login.php?redirect=/nagiosxi/index.php%3f&noauth=1' was loaded over HTTPS, but requested an insecure script 'http://nagios.REPLACED.com/nagiosxi/includes/components/favorites/favorites_head.js'. This request has been blocked; the content must be served over HTTPS.
login.php?redirect=/nagiosxi/index.php%3f&noauth=1:1 Mixed Content: The page at 'https://nagios.REPLACED.com/nagiosxi/login.php?redirect=/nagiosxi/index.php%3f&noauth=1' was loaded over HTTPS, but requested an insecure script 'http://nagios.REPLACED.com/nagiosxi/includes/components/graphexplorer/includes/graphexplorerinclude.js'. This request has been blocked; the content must be served over HTTPS.
login.php?redirect=/nagiosxi/index.php%3f&noauth=1:1 Mixed Content: The page at 'https://nagios.REPLACED.com/nagiosxi/login.php?redirect=/nagiosxi/index.php%3f&noauth=1' was loaded over HTTPS, but requested an insecure script 'http://nagios.REPLACED.com/nagiosxi/includes/components/helpsystem/js/helpsysteminclude.js?2.0.1'. This request has been blocked; the content must be served over HTTPS.
login.php?redirect=/nagiosxi/index.php%3f&noauth=1:201 Uncaught ReferenceError: check_for_mobile is not defined
    at login.php?redirect=/nagiosxi/index.php%3f&noauth=1:201
login.php?redirect=/nagiosxi/index.php%3f&noauth=1:1 Mixed Content: The page at 'https://nagios.REPLACED.com/nagiosxi/login.php?redirect=/nagiosxi/index.php%3f&noauth=1' was loaded over HTTPS, but requested an insecure element 'http://nagios.REPLACED.com/nagiosxi/images/nagios_logo_white_transbg.png'. This request was automatically upgraded to HTTPS, For more information see https://blog.chromium.org/2019/10/no-more-mixed-messages-about-https.html
login.php?redirect=/nagiosxi/index.php%3f&noauth=1:265 Uncaught ReferenceError: $ is not defined
    at login.php?redirect=/nagiosxi/index.php%3f&noauth=1:265
login.php?redirect=/nagiosxi/index.php%3f&noauth=1:353 Uncaught ReferenceError: $ is not defined
    at login.php?redirect=/nagiosxi/index.php%3f&noauth=1:353

The issues tab shows 44 affected resources
44 resources
Name	Restriction Status
font-awesome.min.css?1605132984	blocked
jquery-3.5.1.min.js?1605132984	blocked
jquery-migrate-3.0.0.min.js?1605132984	blocked
jquery-migrate-1.4.1.min.js?1605132984	blocked
jquery-ui.custom.min.css?1605132984	blocked
jquery.colorBlend.js	blocked
jquery.timers-1.1.3.js	blocked
jquery-ui-1.12.1.custom.min.js?1605132984	blocked
jquery-ui-timepicker-addon.js?1605132984	blocked
jquery.searchabledropdown.custom.js?1605132984	blocked
bootstrap.3.min.css?1605132984	blocked
bootstrap.3.min.js?1605132984	blocked
spinkit.css?1605132984	blocked
jquery.autocomplete.css	blocked
colorpicker.css	blocked
colorpicker.js	blocked
clipboard.min.js	blocked
core.js?1605132984	blocked
modern.js?1605132984	blocked
commands.js?1605132984	blocked
views.js?1605132984	blocked
dashboards.js?1605132984	blocked
dashlets.js?1605132984	blocked
tables.js?1605132984	blocked
users.js?1605132984	blocked
perfdata.js?1605132984	blocked
wizards.js?1605132984	blocked
base.css?1605132984	blocked
modern.css?1605132984	blocked
highcharts.js?1605132984	blocked
highcharts-more.js?1605132984	blocked
exporting.js?1605132984	blocked
no-data-to-display.js?1605132984	blocked
d3.v3.min.js?1605132984	blocked
jquery.jscrollpane.css	blocked
jquery.jscrollpane.min.js	blocked
gauge.js	blocked
internettrafficreport.css	blocked
rss_dashlet.css	blocked
favorites_head.js	blocked
graphexplorerinclude.js	blocked
helpsystem.css?2.0.1	blocked
helpsysteminclude.js?2.0.1	blocked
nagios_logo_white_transbg.png	automatically upgraded

When we do a "curl -kll" the response comes
curl -kll https://nagios.REPLACED.com/nagiosxi
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://nagios.REPLACED.com/nagiosxi/">here</a>.</p>
</body></html>

We followed the Nagios manual on how to set up HTTPS twice, but it seems some items are still HTTP.
(https://support.nagios.com/kb/article/n ... s-595.html)
What steps are required to get the entire nagios upgraded to https?

Screenshot_32 = the jumbled page missing content
Screenshot_33 = correct page we are supposed to see

Moderator's Note: This post has been edited slightly to make it more legible.
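
The two symptoms reported in the post above (scripts and stylesheets blocked as mixed content while an image is upgraded, and a 301 whose target is an http:// URL) can be checked offline against a saved response. This is an added example, not code from the thread or from Nagios; the sample HTML is constructed from the console messages above, and the function names and the /placeholder/ path are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Browsers block insecure scripts, stylesheets and frames on an HTTPS page,
# but auto-upgrade passive content such as images (as the console log shows).
BLOCKED = {"script": "src", "link": "href", "iframe": "src"}
UPGRADED = {"img": "src", "audio": "src", "video": "src"}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, absolute URL, expected browser action)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = BLOCKED.get(tag) or UPGRADED.get(tag)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower().split():
            return  # only stylesheet links are checked here
        if not attr or not attrs.get(attr):
            return
        absolute = urljoin(self.page_url, attrs[attr])  # resolve relative URLs
        if urlsplit(absolute).scheme == "http":
            action = "blocked" if tag in BLOCKED else "upgraded"
            self.findings.append((tag, absolute, action))

def find_mixed_content(page_url, html):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

def redirect_downgrades(request_url, location):
    """True when an HTTPS request is answered with a redirect to plain HTTP."""
    target = urljoin(request_url, location)
    return urlsplit(request_url).scheme == "https" and urlsplit(target).scheme == "http"

# Constructed sample; /placeholder/style.css is a made-up path.
PAGE = "https://nagios.REPLACED.com/nagiosxi/login.php"
SAMPLE_HTML = """
<link rel="stylesheet" href="http://nagios.REPLACED.com/placeholder/style.css">
<script src="http://nagios.REPLACED.com/nagiosxi/includes/js/jquery/jquery.jscrollpane.min.js"></script>
<script src="/nagiosxi/includes/dashlets/gauges/js/gauge.js"></script>
<img src="http://nagios.REPLACED.com/nagiosxi/images/nagios_logo_white_transbg.png">
"""

if __name__ == "__main__":
    for tag, url, action in find_mixed_content(PAGE, SAMPLE_HTML):
        print(f"{action:9} <{tag}> {url}")
    print(redirect_downgrades(PAGE, "http://nagios.REPLACED.com/nagiosxi/"))
```

Absolute http:// URLs in the markup or in a Location header mean the backend is building links with the wrong scheme; relative URLs, like the third tag in the sample, are unaffected.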
snuman
Posts: 7
Joined: Thu May 02, 2019 6:20 am

Re: NagiosXI not fully on HTTPS - gives issue on reverse-pro

Post by snuman »

Does anyone have any idea?
vtrac
Posts: 903
Joined: Tue Oct 27, 2020 1:35 pm

Re: NagiosXI not fully on HTTPS - gives issue on reverse-pro

Post by vtrac »

Hi snuman,
The other URL you followed was for "Nagios Core".

Please try the below URL for setting "Nagios XI" HTTPS:
https://assets.nagios.com/downloads/nag ... s%20XI.pdf

Looks like there were a few more files below that need to be updated (based on the pdf above):

Code:

/etc/httpd/conf.d/ssl.conf
/etc/httpd/conf.d/nagiosxi.conf
/usr/local/nagiosxi/html/config.inc.php
/usr/local/nagiosxi/html/includes/dashlets/custom-dashlet/custom-dashlet.inc.php

Regards,
Vinh
snuman
Posts: 7
Joined: Thu May 02, 2019 6:20 am

Re: NagiosXI not fully on HTTPS - gives issue on reverse-pro

Post by snuman »

Dear Vinh,

My bad, we actually followed that pdf. I have attached all 4 files together with a screenshot of the Nagios page you mentioned (with our actual domain blanked out).
Looked at it with 3 people here but none have an idea where the issue is.
vtrac
Posts: 903
Joined: Tue Oct 27, 2020 1:35 pm

Re: NagiosXI not fully on HTTPS - gives issue on reverse-pro

Post by vtrac »

Hi snuman,
I compared your "nagiosxi.conf" to mine, and the difference is the "Require all granted" in mine:

Code:

# Special configuration to allow .htaccess in custom includes
<Directory "/usr/local/nagiosxi/html/includes/components/custom-includes">
    AllowOverride All
    Options None
    Require all granted
</Directory>

# Special config to deny access to deployment
<Directory "/usr/local/nagiosxi/html/config/deployment">
    AllowOverride All
    Options None
    Require all granted
</Directory>

# Special config to deny access to nocscreen audio uploads
<Directory "/usr/local/nagiosxi/html/sounds">
    AllowOverride All
    Options None
    Require all granted
</Directory>

Regards,
Vinh