I'm having trouble disabling opsview-web authentiation. We have a custom
apache auth module that we prefer to use. We are proxying opsview-web
through apache.
How do I disable opsview-web authentication ? We want no prompts for
username/password. Can I force mod_auth_tkt to validate any user passed
from the apache proxy ? Can I disable mod_auth_tkt ?
Regards,
Chris Hunter
Below is a summary of our configuration:
I installed 3.5.2 community edition to play with web server settings. I
setup apache-2.0/httpd as a web proxy for opsview-web.
I used this wikipage
(http://docs.opsview.com/doku.php?id=opsview-community:advancedapache)
for reference.
I copied the example file /usr/local/nagios/installer/apache_proxy.conf
to /etc/httpd/conf.d/opsview.conf as a starting point.
I made several customizations:
-Our webserver root URL direct users to a custom splash page. I removed
the DocumentRoot setting to keep the splash page.
-We wanted to use the URL http://myserver/nagios for opsview.
To the file /usr/local/opsview-web/opsview-web.yml I appended the line:
override_base_prefix: /nagios
I used an apache <Location> directive in my opsview.conf:
<Location /nagios>
ProxyPass http://127.0.0.1:3000/
ProxyPassReverse http://127.0.0.1:3000/
# Don't proxy error pages as these are served statically
#ProxyPass /error_pages !
#ProxyPass /javascript !
#ProxyPass /stylesheets !
#ProxyPass /help !
#ProxyPass /images !
#ProxyPass /xml !
#ProxyPass /favicon.ico !
#ProxyPass /graphs !
#ProxyPass /static !
#ProxyPass /media !
# Our own upstream proxy error page
ErrorDocument 502 /error_pages/http502.html
# Remove line below for apache < 2.2
ErrorDocument 503 /error_pages/http502.html
</Location>
Note I commented out the exceptions to the Proxy (ie. /xml, /static, etc.)
-Another requirement is using our custom web authentication module with
opsview-web. Our custom module is called CAS (mod_auth_cas). To my
<Location> directive I added the lines:
AuthType CAS
Require valid-user
I then turned off the default authentication in the
/usr/local/nagios/etc/cgi.cfg file:
# NOTE: It is a really *bad* idea to disable authorization, unless
# you plan on removing the command CGI (cmd.cgi)! Failure to do
# so will leave you wide open to kiddies messing with Nagios and
# possibly hitting you with a denial of service attack by filling up
# your drive by continuously writing to your command file!
#
# Setting this value to 0 will cause the CGIs to *not* use
# authentication (bad idea), while any other value will make them
# use the authentication functions (the default).
use_authentication=0
However this does not appear to be enough. When I load the default
opsview-web URL (http://myserver/nagios) I still prompts for authentication.
Regards,
Chris Hunter
_______________________________________________
Opsview-users mailing list
[email protected]
http://lists.opsview.org/lists/listinfo/opsview-users
