4

Is there any 'easy' way to create customized web gui (for example, menu, default home page etc.) for a Nagios authenticated user? I have created a user for a customer, who has access to certain hostgroups only. But after logging in, the user can obviously see the default menu, which is customized for internal use. How can I prevent this?

Diamond
  • 167
  • 1
  • 10

2 Answers

2

There are ways to restrict what a user sees in the standard gui, check the manual pages. Basically, a user will see only those hosts and services which have contact lists containing this user. You can do a bit more configuration for special cases in the etc/cgiauth.cfg file.

If you want to restrict a user to very few predefined pages, you can do that with a few tricks in the web server configuration. You should have some understanding of how Apache config files work for this, and this assumes you can distinguish your customer from your company employees using their IP address. If you can't, you can use groups and AuthGroupFiles, but it will be a bit harder that way.

The basic idea is:

  • Allow everyone access to the static pages, images, css stuff etc.
  • Allow access to the CGIs only from the IPs your company uses
  • Create special URLs for the customer that "hide" the real CGIs

This needs mod_authz, mod_rewrite and mod_proxy together with mod_proy_http to work.

You should have a nagios.conf in your web server directory; its exact location and contents depend on the distribution and on whether you're using an RPM or compiled Nagios yourself, so your directory paths may vary.

In the configuration for the CGI scripts, we put

<Directory /usr/local/nagios/sbin>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    # this should be the address of the webserver
    Allow from 1.2.3.4
    # this should be the addresses your company uses
    Allow from 192.168.1.0/24
    Require valid-user
</Directory>

This denies access to the CGIs to everyone but you.

Then, we define a few web pages that get rewritten to CGI scripts:

<Location />
    RewriteEngine On
    RewriteRule customer.html$  http://127.0.0.1/nagios/cgi-bin/status.cgi?host=customerhost [P]
</Location>

So when anyone accesses customer.html, the server will fetch http://127.0.0.1/nagios/cgi-bin/status.cgi?host=customerhost using its internal proxy; this will create a new request to the CGI that seems to come from 127.0.0.1 and thus match the "Allow from 127.0.0.1" rule.

Mod_proxy still needs some configuration:

# ProxyRequests On enables forward proxying; the <Proxy *> rules below limit who may use it
ProxyRequests On
<Proxy *>
    AddDefaultCharset off
    Order deny,allow
    Deny from all
    # again, use your server IP
    Allow from 1.2.3.4
    Allow from 127.0.0.1
</Proxy>

which restricts the proxy to internal apache use and prevents other people from the internet from using your proxy for anything else.

Of course, it's still the original CGIs that get executed, but your customer can't use them directly, he'll only be able to access the ones you've made available in your RewriteRules. The links, and action pulldown, will still be there, but accessing them will result in error messages.

If you still want more, use a programming language of your choice (I've done this with perl, but php, python, ruby, ... should work just as well), parse the objects.cache and status.dat files, and create your very own UI. Once you've written a few library functions to parse those files (which shouldn't be too difficult, their syntax is trivial), creating your own GUI is just as hard, or as easy, as programming any other kind of Web UI.

Guntram Blohm
  • 9,667
  • 2
  • 24
  • 31
  • Thanks Guntram Blohm for your suggestions. The first option I can't use because I have employees checking Nagios remotely and therefore it won't be possible to restrict a user based on IP address. Actually the nagios contact setup is good enough for restricting customer to a certain hostgroup. The problem is, I don't want to show them the default menu page. The cgiauth.cfg file you are talking about, guess it's not part of standard nagios. In Icinga there is such a file. In the necessary modules list, guess you meant 'mod_proxy_http.' – Diamond Mar 11 '14 at 15:20
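The last suggestion in the answer above (parse status.dat and build your own UI), as an added example that is not part of the original answer: a small parser for the `blocktype { key=value ... }` layout of status.dat plus a deny-by-default filter for one customer. The sample text, the function names and the allow-list of host names are constructed for illustration; in practice the allow-list would come from the contact definitions in objects.cache.

```python
import re

# Constructed sample in the status.dat block layout (not real monitoring data).
SAMPLE_STATUS_DAT = """\
info {
\tcreated=1394550000
\t}
hoststatus {
\thost_name=customerhost
\tcurrent_state=0
\t}
hoststatus {
\thost_name=internal-db
\tcurrent_state=1
\t}
servicestatus {
\thost_name=customerhost
\tservice_description=HTTP
\tcurrent_state=2
\tplugin_output=HTTP CRITICAL: url=/x?a=b returned 500
\t}
"""

BLOCK_START = re.compile(r"^(\w+)\s*\{$")

def parse_status(text):
    """Return a list of (block_type, {key: value}) tuples."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = BLOCK_START.match(line)
        if current is None and m:
            current = (m.group(1), {})
        elif current is not None and line == "}":
            blocks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")  # values may contain '='
            current[1][key] = value
    return blocks

def customer_view(blocks, allowed_hosts):
    """Keep only host/service status blocks for hosts on the allow-list."""
    return [(t, f) for t, f in blocks
            if t in ("hoststatus", "servicestatus")
            and f.get("host_name") in allowed_hosts]
```

Anything not explicitly on the allow-list never reaches the customer page, and plugin_output should be HTML-escaped before it is rendered.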
0

After some research, I have found a work-around for my case. The solution lies in the fact that by default Nagios uses a single password file (for http auth) for two different directories:

  • $NAGIOS_HOME/sbin (where the cgi files are stored) and
  • $NAGIOS_HOME/share (HTML and PHP files are stored)

This means anyone authenticating as a user gets access to both folders and their subfolders automatically. This can be prevented by using separate password files for the folders above.

Here is a snippet from a custom nagios.conf file with two different password files:

 ## BEGIN APACHE CONFIG SNIPPET - NAGIOS.CONF

 ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"
 <Directory "/usr/local/nagios/sbin">
    Options ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
    AuthType Digest
    AuthName "Nagios Access"
    AuthDigestFile /usr/local/nagios/etc/.digest_pw1
    Require valid-user
 </Directory>

 Alias /nagios "/usr/local/nagios/share"

 <Directory "/usr/local/nagios/share">    
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
    AuthType Digest
    AuthName "Nagios Access"
    AuthDigestFile /usr/local/nagios/etc/.digest_pw2
    Require valid-user
 </Directory>

## END APACHE CONFIG SNIPPETS

Now, for example, let's make a custom directory for customer1 under /var/www/html/customer1, copy all the html and php files from the Nagios ../share directory there, customize them, and add an alias in Apache.

Alias /customer1 "/var/www/html/customer1"

 <Directory "/var/www/html/customer1">    
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
    AuthType Digest
    AuthName "Nagios Access"
    AuthDigestFile /usr/local/nagios/etc/.digest_pw3
    Require user customer1
 </Directory>

Now one can add the same user/password for customer1 at password files 1 and 3 so that they can have access to the custom web gui and to the cgi scripts. Of course beforehand one must set appropriate contact groups in Nagios so that after authentication the customer sees only the groups he/she is a contact for. The default Nagios share directory is secured with the nagios-admin (or whatever) user/password which resides in password files 2 and of course in 1.

Diamond
  • 167
  • 1
  • 10
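A check for the three-password-file layout described in the answer above, as an added example that is not part of the original post: it reads the htdigest-format files (`user:realm:MD5(user:realm:password)`) and reports any entry that breaks the separation, such as a customer listed in the file that protects the default share directory. Function names, the admin list and the sample passwords are constructed for illustration.

```python
import hashlib

REALM = "Nagios Access"  # AuthName shared by all three <Directory> blocks

def digest_line(user, password, realm=REALM):
    """Build one htdigest-format line: user:realm:MD5(user:realm:password)."""
    ha1 = hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()
    return f"{user}:{realm}:{ha1}"

def parse_digest(text, realm=REALM):
    """Map user -> HA1 hash for entries in the given realm."""
    entries = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 3 and parts[1] == realm:
            entries[parts[0]] = parts[2]
    return entries

def audit(pw1, pw2, pw3, customer, admins):
    """Return findings for the three-file layout; an empty list means it holds.
    pw1 = CGI file, pw2 = default share file, pw3 = customer GUI file."""
    cgi, share, gui = parse_digest(pw1), parse_digest(pw2), parse_digest(pw3)
    findings = []
    for user in sorted(set(share) - set(admins)):
        findings.append(f"{user}: listed in share file, can load the default menu")
    if customer not in gui:
        findings.append(f"{customer}: missing from customer GUI file")
    if customer not in cgi:
        findings.append(f"{customer}: missing from CGI file")
    elif customer in gui and cgi[customer] != gui[customer]:
        findings.append(f"{customer}: password differs between CGI and GUI files")
    for admin in sorted(set(admins) - set(cgi)):
        findings.append(f"{admin}: in admin list but missing from CGI file")
    return findings

# Constructed sample files (passwords are placeholders, not from the page).
ADMIN = digest_line("nagios-admin", "admin-placeholder")
CUST = digest_line("customer1", "customer-placeholder")
GOOD = audit(f"{ADMIN}\n{CUST}\n", f"{ADMIN}\n", f"{CUST}\n",
             "customer1", ["nagios-admin"])
BAD = audit(f"{ADMIN}\n{CUST}\n", f"{ADMIN}\n{CUST}\n", f"{CUST}\n",
            "customer1", ["nagios-admin"])
```

Because all three directories use the same AuthName, the same hash line works in files 1 and 3, which is why the check compares the stored hashes directly.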