Nagios 4.0.8 and Apache 2.4.10 / 2.4
Posted: Fri May 08, 2015 8:00 am
by DanielB
Hi all!
I recently updated the Debian Wheezy server where I was using Nagios Core 4.0.8. After upgrading to Debian Jessie with Apache 2.4.10 I'm having some problems with permissions. When I try to access "Services" and "Hosts" I get the following message:
Code:
It appears as though you do not have permission to view information for any of the hosts you requested...
If you believe this is an error, check the HTTP server authentication requirements for accessing this CGI
and check the authorization options in your CGI configuration file.
The Apache configuration file is as follows:
Code:
<VirtualHost *:443>
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/nagios.crt
SSLCertificateKeyFile /etc/apache2/ssl/nagios.key
Serveradmin [email protected]
Servername nagios.freesoftware
ErrorLog "|/usr/bin/cronolog /space/log/ws1/%Y%m/%Y%m%d_nagios.freesoftware_error.log"
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog "|/usr/bin/cronolog /space/log/ws1/%Y%m/%Y%m%d_nagios.freesoftware_access.log" combined
ServerSignature On
ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"
<Directory "/usr/local/nagios/sbin">
# SSLRequireSSL
Options ExecCGI
AllowOverride None
### DGB - 20150507 ###
#Order allow,deny
#Allow from all
Require all granted
### DGB - 20150507 ###
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /usr/local/nagios/etc/htpasswd.users
Require valid-user
</Directory>
Alias /nagios "/usr/local/nagios/share"
<Directory "/usr/local/nagios/share">
# SSLRequireSSL
Options None
AllowOverride None
### DGB - 20150507 ###
#Order allow,deny
#Allow from all
Require all granted
### DGB - 20150507 ###
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /usr/local/nagios/etc/htpasswd.users
Require valid-user
</Directory>
</Virtualhost>
In addition to the changes made (DGB - 20150507), should I change something else to avoid this issue?
Thanks in advance.
Best regards,
Daniel
Re: Nagios 4.0.8 and Apache 2.4.10
Posted: Fri May 08, 2015 10:57 am
by jdalrymple
Can you see the status for the hosts in the tactical overview, or do you just have a big pile of zeros?
Is it possible that selinux or apparmor are getting in the way?
Re: Nagios 4.0.8 and Apache 2.4.10
Posted: Fri May 08, 2015 11:40 am
by DanielB
Hi, jdalrymple.
jdalrymple wrote:
Can you see the status for the hosts in the tactical overview, or do you just have a big pile of zeros?
Yes, I see it all with zeros:
Code:
Hosts
0 Down 0 Unreachable 0 Up 0 Pending
Services
0 Critical 0 Warning 0 Unknown 0 Ok 0 Pending
Is it possible that selinux or apparmor are getting in the way?
I think they are not installed:
Code:
# aptitude search ^selinux
p selinux-basics - SELinux basic support
p selinux-utils - SELinux utility programs
Code:
# aptitude search ^apparmor
p apparmor - User-space parser utility for AppArmor
p apparmor-docs - Documentation for AppArmor
p apparmor-easyprof - AppArmor easyprof profiling tool
p apparmor-notify - AppArmor notification system
p apparmor-profiles - Profiles for AppArmor Security policies
p apparmor-profiles-extra - Extra profiles for AppArmor Security policies
p apparmor-utils
Thanks for your reply.
Best regards,
Daniel
Re: Nagios 4.0.8 and Apache 2.4.10
Posted: Fri May 08, 2015 12:06 pm
by jdalrymple
By all rights, it should work fine then. Are you logging in as nagiosadmin or someone else? If someone else, do they have the rights you seek defined as per the cgi config:
http://nagios.sourceforge.net/docs/nagi ... iauth.html
Re: Nagios 4.0.8 and Apache 2.4.10
Posted: Fri May 08, 2015 1:03 pm
by DanielB
Hi, jdalrymple.
I'm logging in using "nagiosadmin" like when I used Wheezy before the upgrade.
I do not see any errors in the Apache access logs when trying to access hosts:
Code:
10.1.0.40 - - [08/May/2015:14:54:28 -0300] "GET /nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail HTTP/1.1" 200 9385 "https://nagios.freesoftware/nagios/side.php" "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.1"
10.1.0.40 - - [08/May/2015:14:54:28 -0300] "GET /nagios/stylesheets/common.css HTTP/1.1" 200 10123 "https://nagios.freesoftware/nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail" "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.1"
10.1.0.40 - - [08/May/2015:14:54:28 -0300] "GET /nagios/stylesheets/status.css HTTP/1.1" 200 7810 "https://nagios.freesoftware/nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail" "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.1"
10.1.0.40 - - [08/May/2015:14:54:28 -0300] "GET /nagios/js/jquery-1.7.1.min.js HTTP/1.1" 200 94556 "https://nagios.freesoftware/nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail" "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.1"
10.1.0.40 - - [08/May/2015:14:54:28 -0300] "GET /nagios/pnp/include/js/prototype.js HTTP/1.1" 200 130485 "https://nagios.freesoftware/nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail" "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.1
or services:
Code:
10.1.0.40 - - [08/May/2015:14:55:03 -0300] "GET /nagios/cgi-bin/status.cgi?host=all HTTP/1.1" 200 10659 "https://nagios.freesoftware/nagios/side.php" "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.1"
10.1.0.40 - - [08/May/2015:14:55:03 -0300] "GET /nagios/stylesheets/common.css HTTP/1.1" 200 10123 "https://nagios.freesoftware/nagios/cgi-bin/status.cgi?host=all" "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.1"
10.1.0.40 - - [08/May/2015:14:55:03 -0300] "GET /nagios/stylesheets/status.css HTTP/1.1" 200 7810 "https://nagios.freesoftware/nagios/cgi-bin/status.cgi?host=all" "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.1"
10.1.0.40 - - [08/May/2015:14:55:03 -0300] "GET /nagios/js/jquery-1.7.1.min.js HTTP/1.1" 200 94418 "https://nagios.freesoftware/nagios/cgi-bin/status.cgi?host=all" "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.1"
10.1.0.40 - - [08/May/2015:14:55:03 -0300] "GET /nagios/pnp/include/js/prototype.js HTTP/1.1" 200 130485 "https://nagios.freesoftware/nagios/cgi-bin/status.cgi?host=all" "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.1"
I do not see any entries at all in the error log for the virtualhost.
Thanks for your reply.
Best regards,
Daniel
Re: Nagios 4.0.8 and Apache 2.4.10
Posted: Fri May 08, 2015 2:05 pm
by ssax
Please attach your /usr/local/nagios/etc/cgi.cfg
Also, post the output of:
Code:
ls -l /usr/local/nagios/etc/cgi.cfg
Re: Nagios 4.0.8 and Apache 2.4.10
Posted: Fri May 08, 2015 2:26 pm
by DanielB
Hi, ssax.
ssax wrote:Please attach your /usr/local/nagios/etc/cgi.cfg
Code:
# grep ^[^#] /usr/local/nagios/etc/cgi.cfg
main_config_file=/usr/local/nagios/etc/nagios.cfg
physical_html_path=/usr/local/nagios/share
url_html_path=/nagios
show_context_help=0
use_pending_states=1
use_authentication=1
authorized_for_system_information=nagiosadmin
authorized_for_configuration_information=nagiosadmin
authorized_for_system_commands=nagiosadmin
authorized_for_all_services=nagiosadmin
authorized_for_all_hosts=nagiosadmin
authorized_for_all_service_commands=nagiosadmin
authorized_for_all_host_commands=nagiosadmin
default_statusmap_layout=5
default_statuswrl_layout=4
ping_syntax=/bin/ping -n -U -c 5 $HOSTADDRESS$
refresh_rate=90
escape_html_tags=1
host_unreachable_sound=hostdown.wav
host_down_sound=hostdown.wav
service_critical_sound=critical.wav
service_warning_sound=warning.wav
service_unknown_sound=warning.wav
action_url_target=_blank
notes_url_target=_blank
lock_author_names=1
Also, post the output of:
Code:
ls -l /usr/local/nagios/etc/cgi.cfg
Code:
# ls -l /usr/local/nagios/etc/cgi.cfg
-rw-rw-r-- 1 nagios nagios 10453 oct 20 2007 /usr/local/nagios/etc/cgi.cfg
Thanks for your interest.
Best regards,
Daniel
Re: Nagios 4.0.8 and Apache 2.4.10
Posted: Sat May 09, 2015 11:17 am
by DanielB
Hi again.
DanielB wrote:
I do not see any errors in the Apache access logs when trying to access hosts:
Code:
10.1.0.40 - - [08/May/2015:14:54:28 -0300] "GET /nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail HTTP/1.1" 200 9385 "https://nagios.freesoftware/nagios/side.php" "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.1"
10.1.0.40 - - [08/May/2015:14:54:28 -0300] "GET /nagios/stylesheets/common.css HTTP/1.1" 200 10123 "https://nagios.freesoftware/nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail" "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.1"
10.1.0.40 - - [08/May/2015:14:54:28 -0300] "GET /nagios/stylesheets/status.css HTTP/1.1" 200 7810 "https://nagios.freesoftware/nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail" "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.1"
10.1.0.40 - - [08/May/2015:14:54:28 -0300] "GET /nagios/js/jquery-1.7.1.min.js HTTP/1.1" 200 94556 "https://nagios.freesoftware/nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail" "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.1"
10.1.0.40 - - [08/May/2015:14:54:28 -0300] "GET /nagios/pnp/include/js/prototype.js HTTP/1.1" 200 130485 "https://nagios.freesoftware/nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail" "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.1
or services:
Code:
10.1.0.40 - - [08/May/2015:14:55:03 -0300] "GET /nagios/cgi-bin/status.cgi?host=all HTTP/1.1" 200 10659 "https://nagios.freesoftware/nagios/side.php" "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.1"
10.1.0.40 - - [08/May/2015:14:55:03 -0300] "GET /nagios/stylesheets/common.css HTTP/1.1" 200 10123 "https://nagios.freesoftware/nagios/cgi-bin/status.cgi?host=all" "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.1"
10.1.0.40 - - [08/May/2015:14:55:03 -0300] "GET /nagios/stylesheets/status.css HTTP/1.1" 200 7810 "https://nagios.freesoftware/nagios/cgi-bin/status.cgi?host=all" "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.1"
10.1.0.40 - - [08/May/2015:14:55:03 -0300] "GET /nagios/js/jquery-1.7.1.min.js HTTP/1.1" 200 94418 "https://nagios.freesoftware/nagios/cgi-bin/status.cgi?host=all" "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.1"
10.1.0.40 - - [08/May/2015:14:55:03 -0300] "GET /nagios/pnp/include/js/prototype.js HTTP/1.1" 200 130485 "https://nagios.freesoftware/nagios/cgi-bin/status.cgi?host=all" "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.1"
Looking again at the logs that I had posted, I have noticed it does not say "nagiosadmin" in each entry. Shouldn't it say that instead of the second "-"?
The strange thing is that I'm logged in to Apache (2.4.10) using "nagiosadmin".
Best regards,
Daniel
Re: Nagios 4.0.8 and Apache 2.4.10
Posted: Sat May 09, 2015 1:00 pm
by DanielB
DanielB wrote:
Looking again at the logs that I had posted, I have noticed it does not say "nagiosadmin" in each entry. Shouldn't it say that instead of the second "-"?
The strange thing is that I'm logged in to Apache (2.4.10) using "nagiosadmin".
That detail in the log led me to do other tests, and I discovered that, indeed, I was not logged in to Apache as "nagiosadmin". I could corroborate it by opening other browsers (Chromium and Konqueror) and seeing that I went directly to the Nagios interface. The problem was here:
Code:
# SSLRequireSSL
Options ExecCGI
AllowOverride None
### DGB - 20150507 ###
#Order allow,deny
#Allow from all
Require all granted <---------------------------------------------------+
### DGB - 20150507 ### |
AuthName "Nagios Access" |
AuthType Basic |
AuthUserFile /usr/local/nagios/etc/htpasswd.users |
Require valid-user <----------------------------------------------------+
</Directory>
Apparently, the "Require all granted" (the equivalent of "Order allow,deny / Allow from all" on Apache 2.2) was creating a conflict with the "Require" below. Then, after commenting out the "Require all granted", I did get the Apache authentication window and I saw the hosts and services. But the problem is that access is possible from any network. So the final configuration is as follows:
Code:
(...)
<Directory "/usr/local/nagios/sbin">
# SSLRequireSSL
Options ExecCGI
AllowOverride None
<RequireAll>
### DGB - 20150507 ###
#Order allow,deny
#Allow from all
Require all granted
### DGB - 20150507 ###
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /usr/local/nagios/etc/htpasswd.users
Require valid-user
</RequireAll>
</Directory>
(...)
<Directory "/usr/local/nagios/share">
# SSLRequireSSL
Options None
AllowOverride None
<RequireAll>
### DGB - 20150507 ###
#Order allow,deny
#Allow from all
Require all granted
### DGB - 20150507 ###
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /usr/local/nagios/etc/htpasswd.users
Require valid-user
</RequireAll>
</Directory>
And, of course, now the log entries show the "nagiosadmin" user:
Code:
10.1.0.40 - nagiosadmin [09/May/2015:15:00:09 -0300] "GET /nagios/images/b_first2.png HTTP/1.1" 304 193 "https://nagios.freesoftware/nagios/cgi-bin/status.cgi?host=all" "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.2"
10.1.0.40 - nagiosadmin [09/May/2015:15:00:09 -0300] "GET /nagios/images/b_prev2.png HTTP/1.1" 304 192 "https://nagios.freesoftware/nagios/cgi-bin/status.cgi?host=all" "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.2"
10.1.0.40 - nagiosadmin [09/May/2015:15:00:09 -0300] "GET /nagios/images/b_last2.png HTTP/1.1" 304 193 "https://nagios.freesoftware/nagios/cgi-bin/status.cgi?host=all" "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.2"
10.1.0.40 - nagiosadmin [09/May/2015:15:00:09 -0300] "GET /nagios/images/b_next2.png HTTP/1.1" 304 192 "https://nagios.freesoftware/nagios/cgi-bin/status.cgi?host=all" "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.2"
I think it would be good to document this Apache 2.4 configuration for use in the next version of Nagios Core.
I hope you find it useful.
Best regards,
Daniel
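An added example, not part of the original posts: a small Python check for the misconfiguration described in the post above. It relies on the Apache 2.4 rule that bare `Require` lines in one section combine as an implicit `<RequireAny>`, so `Require all granted` next to `Require valid-user` lets requests through without a login. The sample blocks are constructed from the thread's configuration; the function names are hypothetical, and only `Require all granted`, `<RequireAll>` and `<RequireAny>` are modelled, with each `<Directory>` evaluated on its own.

```python
import re
# Constructed samples modelled on the <Directory> blocks posted in this thread.
BEFORE = '''<Directory "/usr/local/nagios/sbin">
  Require all granted
  AuthType Basic
  Require valid-user
</Directory>'''
AFTER = '''<Directory "/usr/local/nagios/sbin">
  AuthType Basic
  <RequireAll>
    Require all granted
    Require valid-user
  </RequireAll>
</Directory>'''
OPEN = re.compile(r'<\s*(\w+)\s*([^>]*)>')
CLOSE = re.compile(r'</\s*(\w+)\s*>')

def anonymous_allowed(node):
    """node is a Require argument string or a (mode, children) container."""
    if isinstance(node, str):
        return node.lower() == "all granted"   # only this passes with no login
    mode, kids = node
    results = [anonymous_allowed(k) for k in kids]
    return all(results) if mode == "all" else any(results)

def audit(conf):
    """Return <Directory> paths that set AuthType yet admit requests with no login."""
    flagged, stack, path, has_auth = [], [], None, False
    for line in (l.strip() for l in conf.splitlines()):
        o, c = OPEN.match(line), CLOSE.match(line)
        name = (o or c).group(1).lower() if (o or c) else ""
        if o and name == "directory":
            # Bare Require lines in a section combine as an implicit RequireAny.
            path, has_auth, stack = o.group(2).strip('"'), False, [("any", [])]
        elif not stack or line.startswith("#"):
            continue
        elif o and name in ("requireall", "requireany"):
            stack.append((name[7:], []))           # "all" or "any"
        elif c and name in ("requireall", "requireany") and len(stack) > 1:
            stack[-2][1].append(stack.pop())       # attach finished container to parent
        elif c and name == "directory":
            if has_auth and stack[0][1] and anonymous_allowed(stack[0]):
                flagged.append(path)
            stack = []
        elif line.lower().startswith("authtype"):
            has_auth = True
        elif line.lower().startswith("require "):
            stack[-1][1].append(line.split(None, 1)[1])
    return flagged
```

Run over the vhost file, `audit()` lists the directories where authentication is configured but never enforced, which matches the symptom seen in the access log: a `-` in the user field on `200` responses.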
Re: Nagios 4.0.8 and Apache 2.4.10
Posted: Sat May 09, 2015 1:36 pm
by DanielB
To generalize, I think we could use something like the following (not tested):
Code:
(...)
<Directory "/usr/local/nagios/sbin">
# SSLRequireSSL
Options ExecCGI
AllowOverride None
<IfVersion >= 2.3>
<RequireAll>
Require all granted
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /usr/local/nagios/etc/htpasswd.users
Require valid-user
</RequireAll>
</IfVersion>
<IfVersion < 2.3>
Order allow,deny
Allow from all
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /usr/local/nagios/etc/htpasswd.users
Require valid-user
</IfVersion>
</Directory>
(...)
<Directory "/usr/local/nagios/share">
# SSLRequireSSL
Options None
AllowOverride None
<IfVersion >= 2.3>
<RequireAll>
Require all granted
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /usr/local/nagios/etc/htpasswd.users
Require valid-user
</RequireAll>
</IfVersion>
<IfVersion < 2.3>
Order allow,deny
Allow from all
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /usr/local/nagios/etc/htpasswd.users
Require valid-user
</IfVersion>
</Directory>
Best regards,
Daniel