LinuxQuestions.org
Old 04-15-2010, 12:01 PM   #1
MheAd
Forcing HTTPS in Nagios on Debian using RewriteRule.


Hi guys,
I've been trying to solve this problem the whole day with no success.
I've been googling too, of course.

Basically, I want to force an https connection on my webserver, only on the /nagios3 folder, on my Apache running on Debian Lenny.

Everything is set up according to the default, meaning that the Nagios Apache config is placed in /etc/apache2/conf.d/nagios3.conf and it contains the following:

Code:
ScriptAlias /cgi-bin/nagios3 /usr/lib/cgi-bin/nagios3
ScriptAlias /nagios3/cgi-bin /usr/lib/cgi-bin/nagios3
Alias /nagios3/stylesheets /etc/nagios3/stylesheets
Alias /nagios3 /usr/share/nagios3/htdocs

<DirectoryMatch (/usr/share/nagios3/htdocs|/usr/lib/cgi-bin/nagios3)>
	Options FollowSymLinks
	
	DirectoryIndex index.html
	AllowOverride AuthConfig
	Order Deny,Allow
	# the only thing I tweaked:
	Allow From 172.16.0.0/24
	
	AuthName "Nagios Access"
	AuthType Basic
	AuthUserFile /etc/nagios3/htpasswd.users
	# nagios 1.x:
	#AuthUserFile /etc/nagios/htpasswd.users
	require valid-user
</DirectoryMatch>

Inside of the DirectoryMatch, I then added:

Code:
	RewriteEngine on
	RewriteCond %{SERVER_PORT} !^443$
	RewriteRule ^/nagios3$  https://%{SERVER_NAME}%{REQUEST_URI} [L]

But the result was failure - the web browser would still load in usual http. Https would work only if I explicitly surfed to https://<myserver/nagios3>.

Finally I tried this variant:

Code:
	RewriteEngine on
	RewriteBase /nagios3
	RewriteCond %{SERVER_PORT} !^443$
	RewriteRule ^(.*)$  https://%{SERVER_NAME}%{REQUEST_URI} [L]

but it gave me a very strange side-effect, namely it would pop up the Basic Authentication window 2 times - first via http, and after successful login - it would rewrite to https and ask me to redo authentication. This, of course, doesn't make sense as the connection is not encrypted during the first authentication.

Any ideas what's wrong? I'm pretty sure the problem could be in the fact that Alias (Alias /nagios3 /usr/share/nagios3/htdocs) is being used, and I believe it's harder to make rewrites work properly on these.

Any feedback is appreciated!

Thanks in advance!
M.
 
Old 04-15-2010, 02:09 PM   #2
MheAd
An update.
I even tried this version.

Code:
        RewriteEngine on
        RewriteCond %{SERVER_PORT} !=443
        RewriteCond %{REQUEST_URI} ^/nagios3
        RewriteRule ^(.*)$  https://%{HTTP_HOST}%{REQUEST_URI} [L]

And it still does basic authentication two times - first unencrypted, then rewrites the URL to https and does it again. Why is this happening? While googling I've found another thread on the subject in another community and the guy never got an answer to his question. It didn't have anything to do with Nagios folders, aliases or anything like that, but just a more straightforward configuration where he wanted to rewrite a certain URL to https and do Basic Authentication on it.
Could this be a bug?

Last edited by MheAd; 04-15-2010 at 02:14 PM.
 
Old 04-15-2010, 02:55 PM   #3
bathory
Hi,

It's not a bug, it's a feature.
You have to read this to understand why the double authentication.
Basically you have to add in .htaccess:
Code:
SSLRequireSSL
SSLOptions +StrictRequire
SSLRequire %{HTTP_HOST} eq "www.domain.com"
ErrorDocument 403 https://www.domain.com/nagios3
 
Old 04-15-2010, 03:55 PM   #4
MheAd
Hey you

Thanks for the tip. Always the pleasure, always appreciated!
Your solution really works and excludes the need for the Rewrite module.
But should this be considered as standard?
I mean, you are "causing" an error (if http is used) and then doing redirection to an "error document" which is the actual path to Nagios-dir, only using SSL-protocol instead. This also generates some "access to /usr/share/nagios3/htdocs failed, reason: SSL connection required" in the error log during the initial visit to the site.

Either way it works - but I could bet it's possible to do with Rewrite-directives...
 
Old 04-15-2010, 04:36 PM   #5
MheAd
I actually managed now to implement the Rewrite-rule solution by removing the nagios3.conf file and putting all of its directives (including Rewrite rules) inside <Virtualhost *:443> instead. Now I don't get "double authentication" but my URL gets rewritten directly to https and I get only one authentication request.

[EDIT]

But it's still not a good-looking solution since I still have to use some LocationMatch directives in VirtualHost :80 to make it work.

I think I'll be sticking to your solution unless someone here can come up with a "clean" solution with Rewrite module only.

Last edited by MheAd; 04-15-2010 at 04:55 PM.
 
Old 04-15-2010, 05:06 PM   #6
bathory
Hi,

The real benefit of this solution is that username/password are sent in the ssl session, so they are encrypted.

Cheers
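
The layout post #5 describes, combined with the SSLRequireSSL backstop from post #3, as an added example that is not from any poster in this thread: the redirect sits in the port-80 virtual host, where mod_rewrite runs during URL translation (before authentication), instead of in per-directory context, where it runs only after the auth check has already answered with a 401 over plain HTTP. The hostname monitor.example.org and the certificate paths are placeholders; the Nagios directives are copied from the first post.

```apache
# Added example: hostname and certificate paths are placeholders.

# Plain-HTTP virtual host: no Nagios aliases and no auth directives here,
# only the redirect. In virtual-host context mod_rewrite runs at URL
# translation, before authentication, so no 401 challenge is sent over HTTP.
# The target host is a literal, so the redirect never echoes a client-supplied
# Host header.
<VirtualHost *:80>
    ServerName monitor.example.org
    RewriteEngine on
    RewriteRule ^/(cgi-bin/)?nagios3(/.*)?$ https://monitor.example.org%{REQUEST_URI} [R=301,L]
</VirtualHost>

# HTTPS virtual host: the Nagios configuration from the first post lives here,
# so the aliases and the password prompt exist only on the encrypted side.
<VirtualHost *:443>
    ServerName monitor.example.org
    SSLEngine on
    SSLCertificateFile    /path/to/placeholder-cert.pem
    SSLCertificateKeyFile /path/to/placeholder-key.pem

    ScriptAlias /cgi-bin/nagios3 /usr/lib/cgi-bin/nagios3
    ScriptAlias /nagios3/cgi-bin /usr/lib/cgi-bin/nagios3
    Alias /nagios3/stylesheets /etc/nagios3/stylesheets
    Alias /nagios3 /usr/share/nagios3/htdocs

    <DirectoryMatch (/usr/share/nagios3/htdocs|/usr/lib/cgi-bin/nagios3)>
        Options FollowSymLinks
        DirectoryIndex index.html
        AllowOverride AuthConfig
        Order Deny,Allow
        Allow From 172.16.0.0/24

        # Backstop: refuse any non-SSL request that still reaches these
        # directories, for example through a later configuration mistake.
        SSLRequireSSL

        AuthName "Nagios Access"
        AuthType Basic
        AuthUserFile /etc/nagios3/htpasswd.users
        require valid-user
    </DirectoryMatch>
</VirtualHost>
```

After reloading Apache, a plain-HTTP request for /nagios3 should come back as a 301 with an https:// Location header and no WWW-Authenticate header.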
 
  

