access /server-status without credentials

An open discussion forum for obtaining help with Nagios Core. Nagios Core users of all experience levels are welcome here. Subforum have been created for the discussion of Nagios Core and Nagios Plugin development.

NOTE: The SourceForge.net mailing lists have been deprecated in favor of this forum in order to expedite support and provide additional features not available on the old mailing list.

access /server-status without credentials

Postby Guyver1 » Fri Oct 11, 2019 3:25 am

Hi,

I've just started learning apache so bear with me.

I've successfully configured the /server-status page on our nagios server:
<Location /server-status>
SetHandler server-status
Order deny,allow
Allow from x.x.x.x
</Location>

However, it requests credentials whenever you attempt to browse to it which means alot of the nagios plugins for checking apache wont work as a lot of them dont have username/password arguments.

Is there a way in httpd.conf to allow access to /server-status without being forced to enter nagios credentials?
This is so I can configure our other apache web servers /server-status pages and allow nagios to check them without worrying about credential issues.
Guyver1
 
Posts: 21
Joined: Tue Apr 16, 2019 4:43 am

Re: access /server-status without credentials

Postby benjaminsmith » Fri Oct 11, 2019 11:36 am

Hello,

Try setting the apache config as follows. This is working on my test system.
Code: Select all
<Location /server-status>
     SetHandler server-status
     Order deny,allow
     Deny from all
     Allow from 127.0.0.1 <IP address Nagios>
</Location>

To test run the following curl command and post the any errors messages.
Code: Select all
curl -k -L -v http://127.0.0.1/server-status
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.

Be sure to check out our Knowledgebase for helpful articles and solutions!
User avatar
benjaminsmith
 
Posts: 1711
Joined: Wed Aug 22, 2018 4:39 pm
Location: saint paul

Re: access /server-status without credentials

Postby Guyver1 » Fri Oct 11, 2019 5:43 pm

ok cheers.

Got this working on my lab at home:

Code: Select all
[root@v-nagios-xi ~]# curl -k -L -v http://192.168.0.214/server-status
* About to connect() to 192.168.0.214 port 80 (#0)
*   Trying 192.168.0.214...
* Connected to 192.168.0.214 (192.168.0.214) port 80 (#0)
> GET /server-status HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 192.168.0.214
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Fri, 11 Oct 2019 22:20:32 GMT
< Server: Apache/2.4.6 (CentOS) PHP/5.4.16
< Content-Length: 3016
< Content-Type: text/html; charset=ISO-8859-1
<
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head>
<title>Apache Status</title>
</head><body>
<h1>Apache Server Status for 192.168.0.214 (via 192.168.0.214)</h1>

<dl><dt>Server Version: Apache/2.4.6 (CentOS) PHP/5.4.16</dt>
<dt>Server MPM: prefork</dt>
<dt>Server Built: Aug  8 2019 11:41:18
</dt></dl><hr /><dl>
<dt>Current Time: Friday, 11-Oct-2019 23:20:32 BST</dt>
<dt>Restart Time: Friday, 11-Oct-2019 23:19:36 BST</dt>
<dt>Parent Server Config. Generation: 1</dt>
<dt>Parent Server MPM Generation: 0</dt>
<dt>Server uptime:  56 seconds</dt>
<dt>Server load: 0.00 0.01 0.05</dt>
<dt>Total accesses: 1 - Total Traffic: 3 kB</dt>
<dt>CPU Usage: u0 s0 cu0 cs0<dt>.0179 requests/sec - 54 B/second - 3072 B/request</dt>
<dt>1 requests currently being processed, 5 idle workers</dt>
</dl><pre>__W___..........................................................
................................................................
................................................................
................................................................
</pre>
<p>Scoreboard Key:<br />
"<b><code>_</code></b>" Waiting for Connection,
"<b><code>S</code></b>" Starting up,
"<b><code>R</code></b>" Reading Request,<br />
"<b><code>W</code></b>" Sending Reply,
"<b><code>K</code></b>" Keepalive (read),
"<b><code>D</code></b>" DNS Lookup,<br />
"<b><code>C</code></b>" Closing connection,
"<b><code>L</code></b>" Logging,
"<b><code>G</code></b>" Gracefully finishing,<br />
"<b><code>I</code></b>" Idle cleanup of worker,
"<b><code>.</code></b>" Open slot with no current process<br />
<p />


<table border="0"><tr><th>Srv</th><th>PID</th><th>Acc</th><th>M</th><th>CPU
</th><th>SS</th><th>Req</th><th>Conn</th><th>Child</th><th>Slot</th><th>Client</th><th>VHost</th><th>Request</th></tr>

<tr><td><b>0-0</b></td><td>14709</td><td>0/1/1</td><td>_
</td><td>0.00</td><td>38</td><td>0</td><td>0.0</td><td>0.00</td><td>0.00
</td><td>192.168.0.211</td><td nowrap>v-nagios-repo.ghfb.local:80</td><td nowrap>NULL</td></tr>

<tr><td><b>2-0</b></td><td>14711</td><td>0/0/0</td><td><b>W</b>
</td><td>0.00</td><td>0</td><td>0</td><td>0.0</td><td>0.00</td><td>0.00
</td><td>192.168.0.215</td><td nowrap>v-nagios-repo.ghfb.local:80</td><td nowrap>GET /server-status HTTP/1.1</td></tr>

</table>
<hr /> <table>
<tr><th>Srv</th><td>Child Server number - generation</td></tr>
<tr><th>PID</th><td>OS process ID</td></tr>
<tr><th>Acc</th><td>Number of accesses this connection / this child / this slot</td></tr>
<tr><th>M</th><td>Mode of operation</td></tr>
<tr><th>CPU</th><td>CPU usage, number of seconds</td></tr>
<tr><th>SS</th><td>Seconds since beginning of most recent request</td></tr>
<tr><th>Req</th><td>Milliseconds required to process most recent request</td></tr>
<tr><th>Conn</th><td>Kilobytes transferred this connection</td></tr>
<tr><th>Child</th><td>Megabytes transferred this child</td></tr>
<tr><th>Slot</th><td>Total megabytes transferred this slot</td></tr>
</table>
</body></html>
* Connection #0 to host 192.168.0.214 left intact
[root@v-nagios-xi ~]#




will need to wait until monday now to do the same on the work setup to test
Guyver1
 
Posts: 21
Joined: Tue Apr 16, 2019 4:43 am

Re: access /server-status without credentials

Postby Guyver1 » Mon Oct 14, 2019 5:44 am

not working with both the following configurations locally and from my windows managment server:
Code: Select all
922 <Location /server-status>
923     SetHandler server-status
924     Order deny,allow
925     Deny from all
926     Allow from 127.0.0.1,xx.xx.102.201
927 </Location>


Code: Select all
922 <Location /server-status>
923     SetHandler server-status
924     Order deny,allow
925     Deny from all
926     Allow from 127.0.0.1,xx.xx.102.201
927     Require all granted
928 </Location>


Code: Select all
[root@nagios conf]# curl -k -L -v http://127.0.0.1/server-status
* About to connect() to 127.0.0.1 port 80 (#0)
*   Trying 127.0.0.1... connected
* Connected to 127.0.0.1 (127.0.0.1) port 80 (#0)
> GET /server-status HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: 127.0.0.1
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Mon, 14 Oct 2019 10:37:59 GMT
< Server: Apache/2.2.15 (Red Hat)
< Location: https://nagios.internal.domain/server-status
< Content-Length: 308
< Connection: close
< Content-Type: text/html; charset=iso-8859-1
<
* Closing connection #0
* Issue another request to this URL: 'https://nagios.internal.domain/server-status'
* About to connect() to nagios.internal.domain port 443 (#0)
*   Trying xx.xx.110.94... connected
* Connected to nagios.internal.domain (xx.xx.110.94) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=nagios.internal.domain,OU=Libr,O=C,L=C,ST=S,C=xx
*       start date: Dec 09 10:10:31 2015 GMT
*       expire date: Dec 08 10:10:31 2017 GMT
*       common name: nagios.internal.domain
*       issuer: CN=Issuing CA 1,DC=internal,DC=xxxx,DC=xx,DC=xx
> GET /server-status HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: nagios.internal.domain
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Date: Mon, 14 Oct 2019 10:37:59 GMT
< Server: Apache/2.2.15 (Red Hat)
< Content-Length: 309
< Connection: close
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /server-status
on this server.</p>
<hr>
<address>Apache/2.2.15 (Red Hat) Server at nagios.internal.domain Port 443</address>
</body></html>
* Closing connection #0
[root@nagios conf]#

Guyver1
 
Posts: 21
Joined: Tue Apr 16, 2019 4:43 am

Re: access /server-status without credentials

Postby scottwilkerson » Mon Oct 14, 2019 8:08 am

Do you have the same configuration in the SSL config?

I ask because it is redirecting to the SSL version and then failing
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
User avatar
scottwilkerson
DevOps Engineer
 
Posts: 16263
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: access /server-status without credentials

Postby Guyver1 » Mon Oct 14, 2019 10:54 am

just added:
<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
Allow from 127.0.0.1,xx.xx.102.201
Require all granted
</Location>

to the ssl.conf both inside and outside of the <virtualhost> tags and tested both versions and still getting 403 Forbidden. :evil:

annoying
Guyver1
 
Posts: 21
Joined: Tue Apr 16, 2019 4:43 am

Re: access /server-status without credentials

Postby scottwilkerson » Mon Oct 14, 2019 11:26 am

I'm not really sure what to say, you may want to consider consulting an apache forum as the issue you are hitting isn't really Nagios related, but a configuration problem with an external apache config.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
User avatar
scottwilkerson
DevOps Engineer
 
Posts: 16263
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: access /server-status without credentials

Postby Guyver1 » Tue Oct 15, 2019 6:22 am

yeah, thanks for your assistance Scott, appreciated.

I have posted on the apache subreddit, but yet to get a response.
Guyver1
 
Posts: 21
Joined: Tue Apr 16, 2019 4:43 am

Re: access /server-status without credentials

Postby scottwilkerson » Tue Oct 15, 2019 6:34 am

Guyver1 wrote:yeah, thanks for your assistance Scott, appreciated.

I have posted on the apache subreddit, but yet to get a response.


Good luck!
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
User avatar
scottwilkerson
DevOps Engineer
 
Posts: 16263
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises


Return to Nagios Core

Who is online

Users browsing this forum: Google [Bot] and 29 guests