Force HTTPs access in NagiosXI 2014R1.2

[lxf4610]

Have a question regarding force HTTPs access in NagiosXI 2014R1.2...I use the following redirection in /etc/httpd/conf.d/nagiosxi.conf and it works for previous NagiosXi 2012 version.

#NameVirtualHost *:443
<VirtualHost *:80>
<Directory "/usr/local/nagiosxi/html">
RewriteEngine On
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

However, after upgrade to 2014 version, this setting bring monitoring engine suspended(turn it off and everything is working). Anyone know how can I address this issue?

[tmcdonald]

Did you set $cfg['use_https']=true; in your /usr/local/nagiosxi/html/config.inc.php file? Also, what is shown on your Admin->Manage System config page for Program URL and External URL? Feel free not to post the whole thing, I am just interested in the http/https bits.

[lxf4610]

Yes, I check the configuration /usr/local/nagiosxi/html/config.inc.php and Manage System Config --> System Config, they all be set to enable HTTPs. In version 2012, I come with the following article to setup HTTPS. http://assets.nagios.com/downloads/nagi ... ios_XI.pdf

The only thing I add is in /etc/httpd/conf.d/nagiosxi.conf, to force redirect HTTP to HTTPs.

RewriteEngine On
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

Then when I upgrade to version 2014, it prompt some errors in one of the steps, something relate to access CCM for localhost but complain doesn't trust for the certificate used by the site. I aware it may related with the redirection I setup. Turn off the HTTP redirection and the upgrade finish without issue. However, when I turn to turn on the HTTP redirection again, the monitoring engine process is not running, like the screenshot below.

[lxf4610]

Here is the error I got during upgrade if the server do HTTP to HTTPs redirection. Turn off redirection bypass the error and finish the upgrade, but experience the issue I mentioned if I turn on the redirection again.

Installing new PNP templates...
Updating init script...
Enabling large install tweaks...
Fixing config file permissions...
Fixing htpasswd permissions...
Checking group memberships...
Installing new XI templates...
URL: http://localhost/nagiosxi/includes/components/ccm/
CMDLINE
/usr/bin/wget --save-cookies nagiosql.cookies --keep-session-cookies http://localhost/nagiosxi/includes/components/ccm/ --no-check-certificate --post-data 'submit=Login&loginSubmitted=true&username=nagiosxi&password=l533m9' -O nagiosql.login--2014-07-04 03:18:34-- http://localhost/nagiosxi/includes/components/ccm/
Resolving localhost... ::1, 127.0.0.1
Connecting to localhost|::1|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://localhost/nagiosxi/includes/components/ccm/ [following]
--2014-07-04 03:18:34-- https://localhost/nagiosxi/includes/components/ccm/
Connecting to localhost|::1|:443... connected.
WARNING: cannot verify localhost’s certificate, issued by “/DC=com/DC=ebay/DC=corp/CN=AMER-SSLCA-02â€
Unable to locally verify the issuer’s authority.
WARNING: certificate common name “sjd-vtnag-001.corp.ebay.comâ€localhostâ€
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: “nagiosql.loginâ€

[ <=> ] 8,884 --.-K/s in 0s

2014-07-04 03:18:35 (59.2 MB/s) - “nagiosql.loginâ€

NAGIOSQL LOGIN FAILED!

[scottwilkerson]

I know tmcdonald asked this before, but being the one who wrote the code, I cannot understand how you can have the following in /usr/local/nagiosxi/html/config.inc.php and still get this error

Code: Select all

$cfg['use_https']=true;

Can you show the output of running the following

Code: Select all

cat /usr/local/nagiosxi/html/config.inc.php|grep use_https

[lxf4610]

Thanks guys to point out this!

The grep command give me a duplicated entry for $cfg['use_https'], one set to true and one set to false. After remove this, the issue be fixed....

$cfg['use_https']=true;
$cfg['use_https']=false; // determines whether cron jobs and other scripts will force the use of HTTPS instead of HTTP

[tmcdonald]

Closing as solved.