Rapid Response Link Security Bug

Posted: Tue Jan 12, 2016 12:29 pm
by emartine
I just had a user that didn't have an account get a rapid response link forwarded over to him. He clicked on it and modified the URL so that he would only hit the main site https://servername/nagiosxi/ website, and it authenticated him as the user on the server.

Re: Rapid Response Link Security Bug

Posted: Tue Jan 12, 2016 12:53 pm
by emartine
Using Nagios XI 2014R2.6

Re: Rapid Response Link Security Bug

Posted: Tue Jan 12, 2016 1:26 pm
by tmcdonald
This is somewhere between "Expected behavior" and "Probably unintended". By its very nature, the Rapid Response feature allows someone to receive a link that logs them in automatically. Protecting that link then becomes part of the security of the feature. The part I am unsure of is whether it should authenticate a user for that one page or for the interface in general. My expectation is that it would only be for a single page, but according to the developers this is currently the way it should work.

We discussed making this a "One key/token = one page" sort of deal, potentially with a "Only valid for X minutes" clause as well. But for right now, the "security bug" was forwarding the email. You can disable the auto-login URL so they are presented with the login page instead of automatically being logged in, but then it becomes the "Response" URL and not the "Rapid Response" URL.

Re: Rapid Response Link Security Bug

Posted: Tue Jan 12, 2016 2:18 pm
by emartine
It definitely doesn't do it for just one page. How can I go about disabling the auto-login URL?

Re: Rapid Response Link Security Bug

Posted: Tue Jan 12, 2016 2:30 pm
by lmiltchev
Open the "/usr/local/nagiosxi/html/config.inc.php" file in a text editor and see if you can find the following line:

    $cfg['secure_response_url']=0;

Change it to:

    $cfg['secure_response_url']=1;

Save, exit and restart Apache:

    service httpd restart

Setting it to 1 should force users to log in at the response URL. Hope this helps.

Re: Rapid Response Link Security Bug

Posted: Tue Jan 12, 2016 5:24 pm
by emartine
Seems to be currently commented out, and it states:

/********* DO NOT MODIFY ANYTHING BELOW THIS LINE **********/
// Secure notification %responseurl%
// setting this to 1 will force users to login in the response URL
// $cfg['secure_response_url']=1;

Re: Rapid Response Link Security Bug

Posted: Wed Jan 13, 2016 10:50 am
by tmcdonald
That's exactly what we want to do, so you can safely remove the comments. Just keep in mind, this will prevent the auto-login.
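An added audit check for the fix discussed in the posts above (my code, not Nagios code and not posted by anyone in this thread): it reads config.inc.php, drops PHP comments first, and reports whether secure_response_url is actually in effect, so the commented-out line quoted above is not mistaken for the setting being on. It assumes the $cfg['secure_response_url']=N; form shown in the thread and uses a constructed sample of the quoted block.

```python
"""Audit: does a Nagios XI config.inc.php really enable secure_response_url?
Added helper, not Nagios code. Drops PHP comments first, since the thread shows
the setting line present but commented out (auto-login links still active)."""
import re
import sys

ASSIGN = re.compile(r"""\$cfg\s*\[\s*['"]secure_response_url['"]\s*\]\s*=\s*(\d+)\s*;""")

def strip_line_comment(line: str) -> str:
    """Cut a // or # comment, but not when the marker sits inside a PHP string."""
    quote = None
    i = 0
    while i < len(line):
        ch = line[i]
        if quote:
            if ch == "\\":
                i += 1            # skip the escaped character inside the string
            elif ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
        elif ch == "#" or line.startswith("//", i):
            return line[:i]
        i += 1
    return line

def secure_response_url_state(src: str):
    """Return the value of the last effective assignment (0 or 1), or None when
    the setting is absent or only present inside a comment."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.DOTALL)   # drop /* ... */ blocks
    code = "\n".join(strip_line_comment(ln) for ln in src.splitlines())
    values = ASSIGN.findall(code)
    return int(values[-1]) if values else None             # PHP keeps the last one

# Constructed sample mirroring the commented-out block quoted in the thread.
SAMPLE_COMMENTED = """<?php
/********* DO NOT MODIFY ANYTHING BELOW THIS LINE **********/
// Secure notification %responseurl%
// setting this to 1 will force users to login in the response URL
// $cfg['secure_response_url']=1;
"""
SAMPLE_ENABLED = SAMPLE_COMMENTED.replace("// $cfg", "$cfg")   # the fixed file

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/nagiosxi/html/config.inc.php"
    with open(path, encoding="utf-8", errors="replace") as fh:
        state = secure_response_url_state(fh.read())
    print(f"{path}: secure_response_url = {state} "
          f"({'auto-login disabled' if state == 1 else 'auto-login links ACTIVE'})")
```

Run it on the server with the config path as the only argument; anything other than 1 means the forwarded-link auto-login is still possible.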

Re: Rapid Response Link Security Bug

Posted: Fri Jan 22, 2016 4:22 pm
by emartine
I was finally able to get the test environment running with notifications to test this. Old URLs are no longer valid and the new one prompts for the login screen. Thank you for the help on this. Feel free to lock... Scratch that.. Let me test a bit more....

Re: Rapid Response Link Security Bug

Posted: Mon Jan 25, 2016 9:55 am
by lmiltchev
> Old URLs are no longer valid and the new one prompts for the login screen.

This is correct. After making the changes in the config.inc.php, the old URLs shouldn't be valid and the new ones should prompt for credentials.

> Thank you for the help on this. Feel free to lock... Scratch that.. Let me test a bit more....

No problem. We will keep this topic open for a while. Let us know if you run into some more issues. Thanks!

Re: Rapid Response Link Security Bug

Posted: Mon Mar 28, 2016 2:46 pm
by emartine
Feel free to lock. :)