Nagios Support Forum

Hi there,
I've googled around, and don't have access yet to the "paid" forum as I'm still on the trial.

I'm trying to figure out how to secure the Respond URL in the email notification alerts that are sent out on a Critical host or service alert. Right now, I can click the URL and it sends me immediately to the host alert. I'd like to have it prompt the user to enter their Nagios credentials before proceeding.

Is there a way to enable this functionality?

You can add the following line to the "/usr/local/nagiosxi/html/config.inc.php" file:
and restart apache:
This should force users to login in the response URL.

Thanks! I'll give it a shot in the morning.

Do you know offhand if this was available in a document anywhere? I searched for a bit and didn't find anything. I hate making forum posts if I could have avoided it.

lmiltchev wrote:You can add the following line to the "/usr/local/nagiosxi/html/config.inc.php" file:

Code: Select all

$cfg['secure_response_url']=1;

and restart apache:

Code: Select all

service httpd restart

This should force users to login in the response URL.

I just made the change, and when I click the response URL I get the following:
Rapid Response URL's have been secured. this link is no longer valid.

What I was looking for is to have the response URL still work, but simply prompt for a username and password

It should work with the *new* respond URL links. I don't believe this has been documented. It is in the 2012R2.3 change log:

Add ability to secure notification %responseurl% by setting $cfg['secure_response_url']=1; in config.inc.php -SW

https://assets.nagios.com/downloads/nag ... S-2012.TXT

lmiltchev wrote:It should work with the *new* respond URL links. I don't believe this has been documented. It is in the 2012R2.3 change log:

Add ability to secure notification %responseurl% by setting $cfg['secure_response_url']=1; in config.inc.php -SW

https://assets.nagios.com/downloads/nag ... S-2012.TXT

Not sure what you mean by "new" respond URL links. After making the change, I took a host down to force it to send an alert. I click the respond URL and it immediately took me into the page.

I tried this from multiple devices, ones that have never logged into Nagios before to eliminate it being a cached password or cookies issue.

You are right though, initially I clicked a link from an old host down alert. New links bring me into the acknowledge/host details etc page but do not prompt for user/pass.

Sorry, long day... I Added the code, but commented it out, haha.

So, to summarize, I now have alerts secured. I simulated a down host, received the alert and clicked the respond URL. It brought me right to the Nagios XI main login page. When I enter my credentials for 'nagiosadmin' it DOES log me in, however it shows the following:

Not Authorized
You are not authorized to view the requested object, or the object does not exist.

I can click around and browse hosts, and do everything with full admin rights. I assumed once I entered the nagiosadmin user and pass, it would bring me to the page that the respond URL would normally send you to.

Am I missing something here??

Maybe this should have been asked earlier, but what XI version are you on?

Can you check the /var/log/httpd/error_log file for any errors and post them here?

XI version 2014R2.7

/var/log/httpd/error_log I see that repeated a bunch of times, but nothing regarding respond URL. I generated a host down alert, click the respond link, logged in with my nagiosadmin credentials, and the same thing occurs.