How to encrypt just the login portion in Nagios XI

Posted: Tue Feb 10, 2015 2:24 am
by ganeshanrs1983
Could you please help us with how to encrypt just the login portion in Nagios XI? We really want to do as much unencrypted as possible.

Re: How to encrypt just the login portion in Nagios XI

Posted: Tue Feb 10, 2015 10:42 am
by abrist
Could you clarify?
Are you looking to just use SSL for the login and not for the rest of XI?
If so, why? What are the use cases?

Re: How to encrypt just the login portion in Nagios XI

Posted: Tue Feb 10, 2015 1:33 pm
by ganeshanrs1983
Yes. Login data (uname, pwd) needs to be secured while the data post login does not. Encrypting the data that is already on a secured network or traversing a VPN adds overhead and slows Nagios UI response times for our offshore partners (those using the UI).

Re: How to encrypt just the login portion in Nagios XI

Posted: Tue Feb 10, 2015 1:38 pm
by abrist
Would forcing Apache to use SSL for just the login page be acceptable?

Re: How to encrypt just the login portion in Nagios XI

Posted: Tue Feb 10, 2015 2:19 pm
by ganeshanrs1983
Yes, it is fine for us.

Re: How to encrypt just the login portion in Nagios XI

Posted: Tue Feb 10, 2015 6:49 pm
by abrist
You can do this with a couple of rewrite rules. Add the following lines to the <Directory> statement in the Nagios XI vhost file located at:

Code:

/etc/httpd/conf.d/nagiosxi.conf

Note: Not my original idea, shamelessly lifted from: http://stackoverflow.com/questions/2079 ... t-one-page

Code:

RewriteEngine On
# Turn SSL on for just login
RewriteCond %{HTTPS} off
RewriteCond %{SCRIPT_FILENAME} \/login\.php [NC]
RewriteRule ^(.*)$ https://<server>/nagiosxi/$1 [R=301,L]

# Turn SSL off everything but login
RewriteCond %{HTTPS} on
RewriteCond %{SCRIPT_FILENAME} !\/login\.php [NC]
RewriteRule ^(.*)$ http://<server>/nagiosxi/$1 [R=301,L]

So that the statement resembles:

Code:

<Directory "/usr/local/nagiosxi/html">
#  SSLRequireSSL
   Options -Indexes
   AllowOverride None
   Order allow,deny
   Allow from all
#  Order deny,allow
#  Deny from all
#  Allow from 127.0.0.1
#   AuthName "Nagios XI"
#   AuthType Basic
#   AuthUserFile /usr/local/nagiosxi/etc/htpasswd.users
#   Require valid-user

RewriteEngine On
# Turn SSL on for just login
RewriteCond %{HTTPS} off
RewriteCond %{SCRIPT_FILENAME} \/login\.php [NC]
RewriteRule ^(.*)$ https://<server>/nagiosxi/$1 [R=301,L]

# Turn SSL off everything but login
RewriteCond %{HTTPS} on
RewriteCond %{SCRIPT_FILENAME} !\/login\.php [NC]
RewriteRule ^(.*)$ http://<server>/nagiosxi/$1 [R=301,L]

</Directory>

Replace <server> with your server's IP or hostname.

Remember to restart httpd:

Code:

service httpd restart

EDIT!!!!!:

You may want to check to make sure the URI login.php? is also encrypted if you have that capability.
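
The behaviour of the two rule sets in the post above, modelled in Python as an added example (not part of the original post and not Nagios XI code), including what happens to a `login.php?` request that carries parameters. The host name, the `/nagiosxi/` alias mapping and the sample requests are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed for illustration (not from the thread): the host name, and the
# stock Alias mapping /nagiosxi/ onto the <Directory> path shown above.
SERVER = "nagios.example.test"
URL_PREFIX = "/nagiosxi/"
DOC_ROOT = "/usr/local/nagiosxi/html/"
LOGIN_RE = re.compile(r"/login\.php", re.IGNORECASE)  # RewriteCond pattern + [NC]


def evaluate(url):
    """Return (status, Location) if the two rule sets redirect, else None."""
    parts = urlsplit(url)
    if not parts.path.startswith(URL_PREFIX):
        return None                                   # outside the <Directory>
    rel = parts.path[len(URL_PREFIX):]                # what ^(.*)$ captures as $1
    script_filename = DOC_ROOT + rel                  # %{SCRIPT_FILENAME}: no query string
    is_login = bool(LOGIN_RE.search(script_filename))
    https_on = parts.scheme == "https"                # %{HTTPS} on / off
    query = f"?{parts.query}" if parts.query else ""  # query is carried over by default
    if not https_on and is_login:
        return 301, f"https://{SERVER}{URL_PREFIX}{rel}{query}"
    if https_on and not is_login:
        return 301, f"http://{SERVER}{URL_PREFIX}{rel}{query}"
    return None                                       # served as requested


def sent_in_cleartext(url):
    """Query string the client put on the wire before any redirect could arrive."""
    parts = urlsplit(url)
    return parts.query if parts.scheme == "http" else ""


if __name__ == "__main__":
    # Constructed sample requests.
    for url in (
        f"http://{SERVER}/nagiosxi/login.php",
        f"https://{SERVER}/nagiosxi/login.php",
        f"https://{SERVER}/nagiosxi/index.php",
        f"http://{SERVER}/nagiosxi/login.php?username=alice&password=constructed",
    ):
        print(url, "->", evaluate(url), "| cleartext:", sent_in_cleartext(url) or "-")
```

A 301 is only issued after the server has received the request, so a client that submits credentials to the http:// login URL has already sent them unencrypted; link and bookmark the https:// login URL directly.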

Re: How to encrypt just the login portion in Nagios XI

Posted: Wed Feb 11, 2015 8:07 am
by ganeshanrs1983
Thanks. Do I need to replace {SCRIPT_FILENAME} with any name, or do I only have to provide my hostname for the <server> portion?

Re: How to encrypt just the login portion in Nagios XI

Posted: Wed Feb 11, 2015 10:12 am
by abrist
Just hostname/IP for <server>.

Re: How to encrypt just the login portion in Nagios XI

Posted: Wed Feb 11, 2015 12:58 pm
by ganeshanrs1983
Thanks, will check and get back to you.

Re: How to encrypt just the login portion in Nagios XI

Posted: Wed Feb 11, 2015 1:03 pm
by abrist
No problem. I am curious if this works for you, as it worked fine in my environment. The real question is if the API call to login.php? is encrypted as well, as that will include the username and password parameters.