Forcing HTTPS in Nagios on Debian using RewriteRule.

MheAd · 04-15-2010, 11:01 AM

Hi guys,
I've been trying to solve this problem the whole day with no success.
I've been googling too, of course.

Basically, I want to force https-connection on my webserver, only on /nagios3 folder on my Apache running on Debian Lenny.

Everything is set up according the default, meaning that Nagios Apache config is placed in /etc/apache2/conf.d/nagios3.conf and it contains following:

Code:

ScriptAlias /cgi-bin/nagios3 /usr/lib/cgi-bin/nagios3
ScriptAlias /nagios3/cgi-bin /usr/lib/cgi-bin/nagios3
Alias /nagios3/stylesheets /etc/nagios3/stylesheets
Alias /nagios3 /usr/share/nagios3/htdocs

<DirectoryMatch (/usr/share/nagios3/htdocs|/usr/lib/cgi-bin/nagios3)>
	Options FollowSymLinks
	
	DirectoryIndex index.html
	AllowOverride AuthConfig
	Order Deny,Allow
	Allow From 172.16.0.0/24  #the only thing I tweaked.
	
	AuthName "Nagios Access"
	AuthType Basic
	AuthUserFile /etc/nagios3/htpasswd.users
	# nagios 1.x:
	#AuthUserFile /etc/nagios/htpasswd.users
	require valid-user
</DirectoryMatch>

Inside of the DirectoryMatch, I then added:

Code:

	RewriteEngine on
	RewriteCond %{SERVER_PORT} !^443$
	RewriteRule ^/nagios3$  https://%{SERVER_NAME}%{REQUEST_URI} [L]

But the results were failure - the web browser would still load in usual http. Https would work only if I explicitaly surfed to https://<myserver/nagios3>.

Finally I tried this variant:

Code:

	RewriteEngine on
	RewriteBase /nagios3
	RewriteCond %{SERVER_PORT} !^443$
	RewriteRule ^(.*)$  https://%{SERVER_NAME}%{REQUEST_URI} [L]

but it gave me a very strange side-effect, namely it would pop-up the Basic Authentication window 2 times - first via http, and after successful login - it would rewrite to https and ask me to redo authentication. This, of course, doesn't make sense as the connection is not encrypted during the first authentication.

Any ideas what's wrong? I'm pretty sure problems could be in the fact that Alias (Alias /nagios3 /usr/share/nagios3/htdocs) is being used, and I believe it's harder to make rewrites to work properly on these.

Any feedback is appreciated!

Thanks in advance!
M.

MheAd · 04-15-2010, 01:09 PM

An update.
I even tried this version.

Code:

       RewriteEngine on
        RewriteCond %{SERVER_PORT} !=443
        RewriteCond %{REQUEST_URI} ^/nagios3
        RewriteRule ^(.*)$  https://%{HTTP_HOST}%{REQUEST_URI} [L]

And it still does basic authentication two times - first unencrypted, then rewrites URL to https and does it again. Why is this happening? While googling I've found another thread on the subject in another community and the guy never got the answer to his question. It didn't have to do anything with Nagios-folders, aliases or anything like that but just more straight forward configuration where he wanted to rewrite a certain URL to https and do Basic Authentication on it.
Could this be a bug?

bathory · 04-15-2010, 01:55 PM

hi,

It's not a bug, it's a feature

You have to read this to understand why the double authentication.
Basically you have to add in .htaccess:

Code:

SSLRequireSSL
SSLOptions +StrictRequire
SSLRequire %{HTTP_HOST} eq "www.domain.com"
ErrorDocument 403 https://www.domain.com/nagios3

MheAd · 04-15-2010, 02:55 PM

Hey you

Thanks for the tip. Always the pleasure, always appreciated!

Your solution really works and excludes the need of Rewrite module.
But should this be considered as standard?
I mean, you are "causing" an error (if http is used) and then doing redirection to an "error document" which is the actual path to Nagios-dir, only using SSL-protocol instead. This also generates some "access to /usr/share/nagios3/htdocs failed, reason: SSL connection required" in the error log during the initial visit to the site.

Either way it works - but I could bet it's possible to do with Rewrite-directives...

MheAd · 04-15-2010, 03:36 PM

I actually managed now to implement Rewrite-rule solution by removing the nagios3.conf file and putting all of its directives (including Rewrite rules) inside <Virtualhost *:443> instead. Now I don't get "double authentication" but my URL gets rewritten directly to https and I get only one authentication request.

[EDIT]

But it's still not good looking solution since I still have to use some LocationMatch directives in VirtualHost :80 to make it work.

I think I'll be sticking to your solution unless someone here can come up with a "clean" solution with Rewrite module only.

bathory · 04-15-2010, 04:06 PM

Hi,

The real benefit of this solution is that username/password are sent in the ssl session, so they are encrypted.

Cheers