Cannot access Nagios in browser - 401 Unauthorized

[sens]

I've been trying to get Nagios to work with Apache with different RHEL based distros (CentOS, AlmaLinux, etc.) However, even after closely following the documentation provided from the official Nagios site and additional links, I simply cannot get it to work. I've tried remaking the .htaccess file, I've tried giving the right permissions and the only way I could get it to "work" is by removing the properties in /etc/httpd/conf.d/nagios.conf.

I recently tried running it on Ubuntu 22.04 - Nagios 4.4.14 and Apache 2.4 -> same result with RHEL-based distros.

I do NOT receive an authentication prompt in the browser for username/password but rather:

"Unauthorized This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required."


! SELinux is disabled !

This is the configuration that should work as intended:

Code: Select all

ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"

<Directory "/usr/local/nagios/sbin">
   Options ExecCGI
   AllowOverride None
   AuthType Basic
   AuthName "Nagios Access"
   AuthUserFile /usr/local/nagios/etc/htpasswd.users
   Require valid-user
</Directory>

Alias /nagios "/usr/local/nagios/share"

<Directory "/usr/local/nagios/share">
    Options None
    AllowOverride None
    AuthType Basic
    AuthName "Nagios Access"
    AuthUserFile /usr/local/nagios/etc/htpasswd.users
    Require valid-user
</Directory>

Port 80 is open, I've confirmed the apache configuration as well as the virtual hosts:

Code: Select all

[root@NagiosSRV nagios]# apachectl -S
VirtualHost configuration:
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
Mutex lua-ivm-shm: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex default: dir="/etc/httpd/run/" mechanism=default
Mutex cache-socache: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex watchdog-callback: using_defaults
PidFile: "/etc/httpd/run/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48

curl works and authenticates properly and the logs confirm it:

Code: Select all

[root@NagiosSRV nagios]# curl -u nagiosadmin:nagios -I http://[IP_ADDRESS]/nagios/
HTTP/1.1 200 OK
Date: Fri, 23 Aug 2024 12:08:11 GMT
Server: Apache/2.4.37 (centos)
X-Powered-By: PHP/7.2.24
Content-Type: text/html; charset=UTF-8

I've checked for the modules to confirm they're enabled and working:

Code: Select all

[root@NagiosSRV nagios]# httpd -M | grep auth
 auth_basic_module (shared)
 auth_digest_module (shared)
 authn_anon_module (shared)
 authn_core_module (shared)
 authn_dbd_module (shared)
 authn_dbm_module (shared)
 authn_file_module (shared)
 authn_socache_module (shared)
 authz_core_module (shared)
 authz_dbd_module (shared)
 authz_dbm_module (shared)
 authz_groupfile_module (shared)
 authz_host_module (shared)
 authz_owner_module (shared)
 authz_user_module (shared)

[danderson]

If curl request works, then so should the browser, strange. If you navigate to the URL http://nagiosadmin:nagios@[IP_ADDRESS]/nagios/ can you access nagios then?

[sens]

When I navigate using the credentials it still gives me 401 Unauthorized.

http://nagiosadmin:nagios@[IP_ADDRESS]/nagios/ -> Works with curl but not in the browser.

As I stated in my post, I do not get an authentication prompt when I try to access Nagios using the /nagios redirect. It simply says:

"Unauthorized This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required."

[danderson]

This is my conf file that works for me

Code: Select all

ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"

<Directory "/usr/local/nagios/sbin">
   Options ExecCGI
   AllowOverride None
   <RequireAll>
      Require all granted
      AuthName "Nagios Access"
      AuthType Basic
      AuthUserFile /usr/local/nagios/etc/htpasswd.users
      Require valid-user
   </RequireAll>
</Directory>

Alias /nagios "/usr/local/nagios/share"

<Directory "/usr/local/nagios/share">
   Options None
   AllowOverride None
   <RequireAll>
      Require all granted
      AuthName "Nagios Access"
      AuthType Basic
      AuthUserFile /usr/local/nagios/etc/htpasswd.users
      Require valid-user
   </RequireAll>
</Directory>

Maybe try adding the Require all granted

[sens]

Why would I add "Require all granted"? That quite literally defeats the purpose and removes the authentication from Apache...

Also I've already done this solution and it exists on this forum where the user (whoever in that case) is logged in as "?". I don't want everyone to be able to have access to the application, that's the whole idea.

[danderson]

I suppose in my instance, everything is within a RequireAll directive which requires that all authorization directives must not fail and at least one must succeed. So it doesn't allow just anyone because the other Require statement would fail